author | Linux Build Service Account <lnxbuild@localhost> | 2022-04-04 07:17:20 -0700 |
committer | Linux Build Service Account <lnxbuild@localhost> | 2022-04-04 07:17:20 -0700 |
commit | d7b93dbd049c0eacfb7ad14677457836c79b38f6 (patch) | |
tree | 8360f3dceba017c1d6aba28b7839899a5871191b | |
parent | 299438410f9ae244e2127b597c4edd24c75e1f88 (diff) | |
parent | 8702a47887f104074504c06c36be5ea18d94af38 (diff) |
Merge 8702a47887f104074504c06c36be5ea18d94af38 on remote branch
Change-Id: I0f2db535407c740f631dff75369ef34435613be5
466 files changed, 47770 insertions, 13 deletions
diff --git a/Android.bp b/Android.bp
index 3afa1d19a..05904702b 100644
--- a/Android.bp
+++ b/Android.bp
@@ -80,6 +80,13 @@ se_filegroup {
 }
 se_filegroup {
+ name: "31.0.board.compat.map",
+ srcs: [
+ "compat/31.0/31.0.cil",
+ ],
+}
+
+se_filegroup {
 name: "26.0.board.compat.cil",
 srcs: [
 "compat/26.0/26.0.compat.cil",
@@ -115,6 +122,13 @@ se_filegroup {
 }
 se_filegroup {
+ name: "31.0.board.compat.cil",
+ srcs: [
+ "compat/31.0/31.0.compat.cil",
+ ],
+}
+
+se_filegroup {
 name: "26.0.board.ignore.map",
 srcs: [
 "compat/26.0/26.0.ignore.cil",
@@ -149,6 +163,13 @@ se_filegroup {
 ],
 }
+se_filegroup {
+ name: "31.0.board.ignore.map",
+ srcs: [
+ "compat/31.0/31.0.ignore.cil",
+ ],
+}
+
 se_cil_compat_map {
 name: "plat_26.0.cil",
 stem: "26.0.cil",
@@ -181,7 +202,14 @@ se_cil_compat_map {
 name: "plat_30.0.cil",
 stem: "30.0.cil",
 bottom_half: [":30.0.board.compat.map"],
- // top_half: "plat_31.0.cil",
+ top_half: "plat_31.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map"],
+ // top_half: "plat_32.0.cil",
 }
 se_cil_compat_map {
@@ -220,7 +248,15 @@ se_cil_compat_map {
 name: "system_ext_30.0.cil",
 stem: "30.0.cil",
 bottom_half: [":30.0.board.compat.map"],
- // top_half: "system_ext_31.0.cil",
+ top_half: "system_ext_31.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map"],
+ // top_half: "system_ext_32.0.cil",
 system_ext_specific: true,
 }
@@ -260,7 +296,15 @@ se_cil_compat_map {
 name: "product_30.0.cil",
 stem: "30.0.cil",
 bottom_half: [":30.0.board.compat.map"],
- // top_half: "product_31.0.cil",
+ top_half: "product_31.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map"],
+ // top_half: "product_32.0.cil",
 product_specific: true,
 }
@@ -291,20 +335,40 @@ se_cil_compat_map {
 se_cil_compat_map {
 name: "30.0.ignore.cil",
 bottom_half: [":30.0.board.ignore.map"],
- // top_half: "31.0.ignore.cil",
+ top_half: "31.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map"],
+ // top_half: "32.0.ignore.cil",
 }
 se_cil_compat_map {
 name: "system_ext_30.0.ignore.cil",
 bottom_half: [":30.0.board.ignore.map"],
- // top_half: "system_ext_31.0.ignore.cil",
+ top_half: "system_ext_31.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map"],
+ // top_half: "system_ext_32.0.ignore.cil",
 system_ext_specific: true,
 }
 se_cil_compat_map {
 name: "product_30.0.ignore.cil",
 bottom_half: [":30.0.board.ignore.map"],
- // top_half: "product_31.0.ignore.cil",
+ top_half: "product_31.0.ignore.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map"],
+ // top_half: "product_32.0.ignore.cil",
 product_specific: true,
 }
@@ -334,6 +398,11 @@ se_compat_cil {
 }
 se_compat_cil {
+ name: "31.0.compat.cil",
+ srcs: [":31.0.board.compat.cil"],
+}
+
+se_compat_cil {
 name: "system_ext_26.0.compat.cil",
 srcs: [":26.0.board.compat.cil"],
 stem: "26.0.compat.cil",
@@ -368,6 +437,13 @@ se_compat_cil {
 system_ext_specific: true,
 }
+se_compat_cil {
+ name: "system_ext_31.0.compat.cil",
+ srcs: [":31.0.board.compat.cil"],
+ stem: "31.0.compat.cil",
+ system_ext_specific: true,
+}
+
 se_filegroup {
 name: "file_contexts_files",
 srcs: ["file_contexts"],
@@ -714,6 +790,39 @@ se_policy_cil {
 src: ":userdebug_plat_sepolicy.conf",
 additional_cil_files: ["private/technical_debt.cil"],
 debug_ramdisk: true,
+ dist: {
+ targets: ["droidcore"],
+ },
+}
+
+// A copy of the userdebug_plat_policy in GSI.
+soong_config_module_type {
+ name: "gsi_se_policy_cil",
+ module_type: "se_policy_cil",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
+ ],
+ properties: [
+ "enabled",
+ "installable",
+ ],
+}
+
+gsi_se_policy_cil {
+ name: "system_ext_userdebug_plat_sepolicy.cil",
+ stem: "userdebug_plat_sepolicy.cil",
+ src: ":userdebug_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ system_ext_specific: true,
+ enabled: false,
+ installable: false,
+ soong_config_variables: {
+ PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
+ enabled: true,
+ installable: true,
+ },
+ },
 }
 // system_ext_policy.conf - A combination of the private and public system_ext
diff --git a/Android.mk b/Android.mk
index d9c5b3c5d..4f595f54e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1517,6 +1517,8 @@ version_under_treble_tests := 29.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 version_under_treble_tests := 30.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 31.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 endif # PRODUCT_SEPOLICY_SPLIT
 version_under_treble_tests := 26.0
@@ -1529,6 +1531,8 @@ version_under_treble_tests := 29.0
 include $(LOCAL_PATH)/compat.mk
 version_under_treble_tests := 30.0
 include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 31.0
+include $(LOCAL_PATH)/compat.mk
 base_plat_policy.conf :=
 base_plat_pub_policy.conf :=
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index ec5c57eee..ea9fb1e5f 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
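Review bot: The comment introducing the new soong_config_module_type refers to a module that does not appear in the hunk — it says `userdebug_plat_policy`, while the module it gates is built from `:userdebug_plat_sepolicy.conf` with stem `userdebug_plat_sepolicy.cil`. It also does not state when the copy is actually installed, which matters here because this puts a userdebug policy onto system_ext: gsi_se_policy_cil defaults to `enabled: false` and `installable: false` and only flips both under `PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT`. Suggest `// A copy of userdebug_plat_sepolicy.cil for GSI, installed to system_ext only when PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT is set.` The se_policy_cil module that gains the dist block starts before this hunk.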
@@ -152,6 +152,9 @@ allow adbd sepolicy_file:file r_file_perms;
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index be4f0f708..e81aac7de 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -158,6 +158,9 @@ allow adbd sepolicy_file:file r_file_perms;
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/prebuilts/api/31.0/plat_pub_versioned.cil b/prebuilts/api/31.0/plat_pub_versioned.cil
new file mode 100644
index 000000000..9a086c502
--- /dev/null
+++ b/prebuilts/api/31.0/plat_pub_versioned.cil
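Review bot: The new allow rule in the frozen prebuilts/api/29.0 adbd.te (and the identical one in the 30.0 prebuilt on this same line) widens adbd's read access to proc_net_tcp_udp-labeled files, but its comment names only the consuming test and not what is being exposed. Frozen API snapshots are expected to mirror the live policy, so it is worth confirming that the current private/adbd.te carries the same rule and comment; that file is not in this view, and with 466 files in the merge it may well be elsewhere in the change. Suggest making the comment self-explanatory so a later reader does not have to trace the type: `# For CTS listening ports test: adbd reads the socket tables labeled proc_net_tcp_udp.`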
@@ -0,0 +1,3301 @@ +(type DockObserver_service) +(type IProxyService_service) +(type aac_drc_prop) +(type aaudio_config_prop) +(type ab_update_gki_prop) +(type accessibility_service) +(type account_service) +(type activity_service) +(type activity_task_service) +(type adb_data_file) +(type adb_keys_file) +(type adb_service) +(type adbd) +(type adbd_config_prop) +(type adbd_exec) +(type adbd_socket) +(type aidl_lazy_test_server) +(type aidl_lazy_test_server_exec) +(type aidl_lazy_test_service) +(type alarm_service) +(type anr_data_file) +(type apc_service) +(type apex_appsearch_data_file) +(type apex_data_file) +(type apex_info_file) +(type apex_metadata_file) +(type apex_mnt_dir) +(type apex_module_data_file) +(type apex_ota_reserved_file) +(type apex_permission_data_file) +(type apex_rollback_data_file) +(type apex_scheduling_data_file) +(type apex_service) +(type apex_wifi_data_file) +(type apexd) +(type apexd_config_prop) +(type apexd_exec) +(type apexd_prop) +(type apk_data_file) +(type apk_private_data_file) +(type apk_private_tmp_file) +(type apk_tmp_file) +(type apk_verity_prop) +(type app_binding_service) +(type app_data_file) +(type app_fuse_file) +(type app_fusefs) +(type app_hibernation_service) +(type app_integrity_service) +(type app_prediction_service) +(type app_search_service) +(type app_zygote) +(type app_zygote_tmpfs) +(type appcompat_data_file) +(type appdomain_tmpfs) +(type appops_service) +(type appwidget_service) +(type arm64_memtag_prop) +(type art_apex_dir) +(type asec_apk_file) +(type asec_image_file) +(type asec_public_file) +(type ashmem_device) +(type ashmem_libcutils_device) +(type assetatlas_service) +(type atrace) +(type audio_config_prop) +(type audio_data_file) +(type audio_device) +(type audio_prop) +(type audio_service) +(type audiohal_data_file) +(type audioserver) +(type audioserver_data_file) +(type audioserver_service) +(type audioserver_tmpfs) +(type auth_service) +(type authorization_service) +(type autofill_service) +(type 
backup_data_file) +(type backup_service) +(type battery_service) +(type batteryproperties_service) +(type batterystats_service) +(type binder_cache_bluetooth_server_prop) +(type binder_cache_system_server_prop) +(type binder_cache_telephony_server_prop) +(type binder_calls_stats_service) +(type binder_device) +(type binderfs) +(type binderfs_logs) +(type binderfs_logs_proc) +(type binfmt_miscfs) +(type biometric_service) +(type blkid) +(type blkid_untrusted) +(type blob_store_service) +(type block_device) +(type bluetooth) +(type bluetooth_a2dp_offload_prop) +(type bluetooth_audio_hal_prop) +(type bluetooth_data_file) +(type bluetooth_efs_file) +(type bluetooth_logs_data_file) +(type bluetooth_manager_service) +(type bluetooth_prop) +(type bluetooth_service) +(type bluetooth_socket) +(type boot_block_device) +(type boot_status_prop) +(type bootanim) +(type bootanim_config_prop) +(type bootanim_exec) +(type bootanim_system_prop) +(type bootchart_data_file) +(type bootloader_boot_reason_prop) +(type bootloader_prop) +(type bootstat) +(type bootstat_data_file) +(type bootstat_exec) +(type boottime_prop) +(type boottime_public_prop) +(type boottrace_data_file) +(type bpf_progs_loaded_prop) +(type bq_config_prop) +(type broadcastradio_service) +(type bufferhubd) +(type bufferhubd_exec) +(type bugreport_service) +(type build_bootimage_prop) +(type build_config_prop) +(type build_odm_prop) +(type build_prop) +(type build_vendor_prop) +(type cache_backup_file) +(type cache_block_device) +(type cache_file) +(type cache_private_backup_file) +(type cache_recovery_file) +(type cacheinfo_service) +(type camera2_extensions_prop) +(type camera_calibration_prop) +(type camera_config_prop) +(type camera_data_file) +(type camera_device) +(type cameraproxy_service) +(type cameraserver) +(type cameraserver_exec) +(type cameraserver_service) +(type cameraserver_tmpfs) +(type camerax_extensions_prop) +(type cgroup) +(type cgroup_desc_api_file) +(type cgroup_desc_file) +(type 
cgroup_rc_file) +(type cgroup_v2) +(type charger) +(type charger_config_prop) +(type charger_exec) +(type charger_prop) +(type charger_status_prop) +(type clipboard_service) +(type codec2_config_prop) +(type cold_boot_done_prop) +(type color_display_service) +(type companion_device_service) +(type config_prop) +(type configfs) +(type connectivity_service) +(type connmetrics_service) +(type console_device) +(type consumer_ir_service) +(type content_capture_service) +(type content_service) +(type content_suggestions_service) +(type contexthub_service) +(type coredump_file) +(type country_detector_service) +(type coverage_service) +(type cppreopt_prop) +(type cpu_variant_prop) +(type cpuinfo_service) +(type crash_dump) +(type crash_dump_exec) +(type credstore) +(type credstore_data_file) +(type credstore_exec) +(type credstore_service) +(type crossprofileapps_service) +(type ctl_adbd_prop) +(type ctl_apexd_prop) +(type ctl_bootanim_prop) +(type ctl_bugreport_prop) +(type ctl_console_prop) +(type ctl_default_prop) +(type ctl_dumpstate_prop) +(type ctl_fuse_prop) +(type ctl_gsid_prop) +(type ctl_interface_restart_prop) +(type ctl_interface_start_prop) +(type ctl_interface_stop_prop) +(type ctl_mdnsd_prop) +(type ctl_restart_prop) +(type ctl_rildaemon_prop) +(type ctl_sigstop_prop) +(type ctl_start_prop) +(type ctl_stop_prop) +(type dalvik_config_prop) +(type dalvik_prop) +(type dalvik_runtime_prop) +(type dalvikcache_data_file) +(type dataloader_manager_service) +(type dbinfo_service) +(type dck_prop) +(type debug_prop) +(type debugfs) +(type debugfs_bootreceiver_tracing) +(type debugfs_kprobes) +(type debugfs_mm_events_tracing) +(type debugfs_mmc) +(type debugfs_restriction_prop) +(type debugfs_trace_marker) +(type debugfs_tracing) +(type debugfs_tracing_debug) +(type debugfs_tracing_instances) +(type debugfs_tracing_printk_formats) +(type debugfs_wakeup_sources) +(type debugfs_wifi_tracing) +(type debuggerd_prop) +(type default_android_hwservice) +(type 
default_android_service) +(type default_android_vndservice) +(type default_prop) +(type dev_cpu_variant) +(type device) +(type device_config_activity_manager_native_boot_prop) +(type device_config_boot_count_prop) +(type device_config_input_native_boot_prop) +(type device_config_media_native_prop) +(type device_config_netd_native_prop) +(type device_config_reset_performed_prop) +(type device_config_runtime_native_boot_prop) +(type device_config_runtime_native_prop) +(type device_config_service) +(type device_identifiers_service) +(type device_logging_prop) +(type device_policy_service) +(type device_state_service) +(type deviceidle_service) +(type devicestoragemonitor_service) +(type devpts) +(type dhcp) +(type dhcp_data_file) +(type dhcp_exec) +(type dhcp_prop) +(type diskstats_service) +(type display_service) +(type dm_device) +(type dm_user_device) +(type dmabuf_heap_device) +(type dmabuf_system_heap_device) +(type dmabuf_system_secure_heap_device) +(type dnsmasq) +(type dnsmasq_exec) +(type dnsproxyd_socket) +(type dnsresolver_service) +(type domain_verification_service) +(type dreams_service) +(type drm_data_file) +(type drm_service_config_prop) +(type drmserver) +(type drmserver_exec) +(type drmserver_service) +(type drmserver_socket) +(type dropbox_data_file) +(type dropbox_service) +(type dumpstate) +(type dumpstate_exec) +(type dumpstate_options_prop) +(type dumpstate_prop) +(type dumpstate_service) +(type dumpstate_socket) +(type dynamic_system_prop) +(type e2fs) +(type e2fs_exec) +(type efs_file) +(type emergency_affordance_service) +(type ephemeral_app) +(type ethernet_service) +(type exfat) +(type exported3_system_prop) +(type exported_bluetooth_prop) +(type exported_camera_prop) +(type exported_config_prop) +(type exported_default_prop) +(type exported_dumpstate_prop) +(type exported_overlay_prop) +(type exported_pm_prop) +(type exported_secure_prop) +(type exported_system_prop) +(type external_vibrator_service) +(type face_service) +(type 
face_vendor_data_file) +(type fastbootd) +(type ffs_config_prop) +(type ffs_control_prop) +(type file_contexts_file) +(type file_integrity_service) +(type fingerprint_prop) +(type fingerprint_service) +(type fingerprint_vendor_data_file) +(type fingerprintd) +(type fingerprintd_data_file) +(type fingerprintd_exec) +(type fingerprintd_service) +(type firstboot_prop) +(type flags_health_check) +(type flags_health_check_exec) +(type font_service) +(type framework_watchdog_config_prop) +(type frp_block_device) +(type fs_bpf) +(type fs_bpf_tethering) +(type fsck) +(type fsck_exec) +(type fsck_untrusted) +(type fscklogs) +(type functionfs) +(type fuse) +(type fuse_device) +(type fusectlfs) +(type fwk_automotive_display_hwservice) +(type fwk_bufferhub_hwservice) +(type fwk_camera_hwservice) +(type fwk_display_hwservice) +(type fwk_scheduler_hwservice) +(type fwk_sensor_hwservice) +(type fwk_stats_hwservice) +(type fwk_stats_service) +(type fwmarkd_socket) +(type game_service) +(type gatekeeper_data_file) +(type gatekeeper_service) +(type gatekeeperd) +(type gatekeeperd_exec) +(type gfxinfo_service) +(type gmscore_app) +(type gnss_device) +(type gnss_time_update_service) +(type gps_control) +(type gpu_device) +(type gpu_service) +(type gpuservice) +(type graphics_config_prop) +(type graphics_device) +(type graphicsstats_service) +(type gsi_data_file) +(type gsi_metadata_file) +(type gsi_public_metadata_file) +(type hal_atrace_hwservice) +(type hal_audio_hwservice) +(type hal_audio_service) +(type hal_audiocontrol_hwservice) +(type hal_audiocontrol_service) +(type hal_authsecret_hwservice) +(type hal_authsecret_service) +(type hal_bluetooth_hwservice) +(type hal_bootctl_hwservice) +(type hal_broadcastradio_hwservice) +(type hal_camera_hwservice) +(type hal_can_bus_hwservice) +(type hal_can_controller_hwservice) +(type hal_cas_hwservice) +(type hal_codec2_hwservice) +(type hal_configstore_ISurfaceFlingerConfigs) +(type hal_confirmationui_hwservice) +(type 
hal_contexthub_hwservice) +(type hal_drm_hwservice) +(type hal_dumpstate_config_prop) +(type hal_dumpstate_hwservice) +(type hal_evs_hwservice) +(type hal_face_hwservice) +(type hal_face_service) +(type hal_fingerprint_hwservice) +(type hal_fingerprint_service) +(type hal_gatekeeper_hwservice) +(type hal_gnss_hwservice) +(type hal_gnss_service) +(type hal_graphics_allocator_hwservice) +(type hal_graphics_composer_hwservice) +(type hal_graphics_composer_server_tmpfs) +(type hal_graphics_mapper_hwservice) +(type hal_health_hwservice) +(type hal_health_storage_hwservice) +(type hal_health_storage_service) +(type hal_identity_service) +(type hal_input_classifier_hwservice) +(type hal_instrumentation_prop) +(type hal_ir_hwservice) +(type hal_keymaster_hwservice) +(type hal_keymint_service) +(type hal_light_hwservice) +(type hal_light_service) +(type hal_lowpan_hwservice) +(type hal_memtrack_hwservice) +(type hal_memtrack_service) +(type hal_neuralnetworks_hwservice) +(type hal_neuralnetworks_service) +(type hal_nfc_hwservice) +(type hal_oemlock_hwservice) +(type hal_oemlock_service) +(type hal_omx_hwservice) +(type hal_power_hwservice) +(type hal_power_service) +(type hal_power_stats_hwservice) +(type hal_power_stats_service) +(type hal_rebootescrow_service) +(type hal_remotelyprovisionedcomponent_service) +(type hal_renderscript_hwservice) +(type hal_secure_element_hwservice) +(type hal_secureclock_service) +(type hal_sensors_hwservice) +(type hal_sharedsecret_service) +(type hal_telephony_hwservice) +(type hal_tetheroffload_hwservice) +(type hal_thermal_hwservice) +(type hal_tv_cec_hwservice) +(type hal_tv_input_hwservice) +(type hal_tv_tuner_hwservice) +(type hal_usb_gadget_hwservice) +(type hal_usb_hwservice) +(type hal_vehicle_hwservice) +(type hal_vibrator_hwservice) +(type hal_vibrator_service) +(type hal_vr_hwservice) +(type hal_weaver_hwservice) +(type hal_weaver_service) +(type hal_wifi_hostapd_hwservice) +(type hal_wifi_hwservice) +(type 
hal_wifi_supplicant_hwservice) +(type hardware_properties_service) +(type hardware_service) +(type hci_attach_dev) +(type hdmi_config_prop) +(type hdmi_control_service) +(type healthd) +(type healthd_exec) +(type heapdump_data_file) +(type heapprofd) +(type heapprofd_enabled_prop) +(type heapprofd_prop) +(type heapprofd_socket) +(type hidl_allocator_hwservice) +(type hidl_base_hwservice) +(type hidl_manager_hwservice) +(type hidl_memory_hwservice) +(type hidl_token_hwservice) +(type hint_service) +(type hw_random_device) +(type hw_timeout_multiplier_prop) +(type hwbinder_device) +(type hwservice_contexts_file) +(type hwservicemanager) +(type hwservicemanager_exec) +(type hwservicemanager_prop) +(type icon_file) +(type idmap) +(type idmap_exec) +(type idmap_service) +(type iio_device) +(type imms_service) +(type incident) +(type incident_data_file) +(type incident_helper) +(type incident_service) +(type incidentd) +(type incremental_control_file) +(type incremental_prop) +(type incremental_service) +(type init) +(type init_exec) +(type init_service_status_prop) +(type init_tmpfs) +(type inotify) +(type input_device) +(type input_method_service) +(type input_service) +(type inputflinger) +(type inputflinger_exec) +(type inputflinger_service) +(type install_data_file) +(type installd) +(type installd_exec) +(type installd_service) +(type ion_device) +(type iorap_inode2filename) +(type iorap_inode2filename_exec) +(type iorap_inode2filename_tmpfs) +(type iorap_prefetcherd) +(type iorap_prefetcherd_exec) +(type iorap_prefetcherd_tmpfs) +(type iorapd) +(type iorapd_data_file) +(type iorapd_exec) +(type iorapd_service) +(type iorapd_tmpfs) +(type ipsec_service) +(type iris_service) +(type iris_vendor_data_file) +(type isolated_app) +(type jobscheduler_service) +(type kernel) +(type keychain_data_file) +(type keychord_device) +(type keyguard_config_prop) +(type keystore) +(type keystore2_key_contexts_file) +(type keystore_compat_hal_service) +(type keystore_data_file) 
+(type keystore_exec) +(type keystore_maintenance_service) +(type keystore_metrics_service) +(type keystore_service) +(type kmsg_debug_device) +(type kmsg_device) +(type labeledfs) +(type launcherapps_service) +(type legacy_permission_service) +(type legacykeystore_service) +(type libc_debug_prop) +(type light_service) +(type linkerconfig_file) +(type llkd) +(type llkd_exec) +(type llkd_prop) +(type lmkd) +(type lmkd_config_prop) +(type lmkd_exec) +(type lmkd_prop) +(type lmkd_socket) +(type location_service) +(type location_time_zone_manager_service) +(type lock_settings_service) +(type log_prop) +(type log_tag_prop) +(type logcat_exec) +(type logd) +(type logd_exec) +(type logd_prop) +(type logd_socket) +(type logdr_socket) +(type logdw_socket) +(type logpersist) +(type logpersistd_logging_prop) +(type loop_control_device) +(type loop_device) +(type looper_stats_service) +(type lowpan_device) +(type lowpan_prop) +(type lowpan_service) +(type lpdump_service) +(type lpdumpd_prop) +(type mac_perms_file) +(type mdns_socket) +(type mdnsd) +(type mdnsd_socket) +(type media_communication_service) +(type media_config_prop) +(type media_data_file) +(type media_metrics_service) +(type media_projection_service) +(type media_router_service) +(type media_rw_data_file) +(type media_session_service) +(type media_variant_prop) +(type mediadrm_config_prop) +(type mediadrmserver) +(type mediadrmserver_exec) +(type mediadrmserver_service) +(type mediaextractor) +(type mediaextractor_exec) +(type mediaextractor_service) +(type mediaextractor_tmpfs) +(type mediametrics) +(type mediametrics_exec) +(type mediametrics_service) +(type mediaprovider) +(type mediaserver) +(type mediaserver_exec) +(type mediaserver_service) +(type mediaserver_tmpfs) +(type mediaswcodec) +(type mediaswcodec_exec) +(type mediatranscoding_service) +(type meminfo_service) +(type memtrackproxy_service) +(type metadata_block_device) +(type metadata_bootstat_file) +(type metadata_file) +(type 
method_trace_data_file) +(type midi_service) +(type mirror_data_file) +(type misc_block_device) +(type misc_logd_file) +(type misc_user_data_file) +(type mm_events_config_prop) +(type mmc_prop) +(type mnt_expand_file) +(type mnt_media_rw_file) +(type mnt_media_rw_stub_file) +(type mnt_pass_through_file) +(type mnt_product_file) +(type mnt_sdcard_file) +(type mnt_user_file) +(type mnt_vendor_file) +(type mock_ota_prop) +(type modprobe) +(type module_sdkextensions_prop) +(type mount_service) +(type mqueue) +(type mtp) +(type mtp_device) +(type mtp_exec) +(type mtpd_socket) +(type music_recognition_service) +(type nativetest_data_file) +(type net_data_file) +(type net_dns_prop) +(type net_radio_prop) +(type netd) +(type netd_exec) +(type netd_listener_service) +(type netd_service) +(type netif) +(type netpolicy_service) +(type netstats_service) +(type netutils_wrapper) +(type netutils_wrapper_exec) +(type network_management_service) +(type network_score_service) +(type network_stack) +(type network_stack_service) +(type network_time_update_service) +(type network_watchlist_data_file) +(type network_watchlist_service) +(type nfc) +(type nfc_data_file) +(type nfc_device) +(type nfc_logs_data_file) +(type nfc_prop) +(type nfc_service) +(type nnapi_ext_deny_product_prop) +(type node) +(type nonplat_service_contexts_file) +(type notification_service) +(type null_device) +(type oem_lock_service) +(type oem_unlock_prop) +(type oemfs) +(type ota_data_file) +(type ota_metadata_file) +(type ota_package_file) +(type ota_prop) +(type otadexopt_service) +(type otapreopt_chroot) +(type overlay_prop) +(type overlay_service) +(type overlayfs_file) +(type owntty_device) +(type pac_proxy_service) +(type package_native_service) +(type package_service) +(type packagemanager_config_prop) +(type packages_list_file) +(type pan_result_prop) +(type password_slot_metadata_file) +(type pdx_bufferhub_client_channel_socket) +(type pdx_bufferhub_client_endpoint_socket) +(type pdx_bufferhub_dir) 
+(type pdx_display_client_channel_socket) +(type pdx_display_client_endpoint_socket) +(type pdx_display_dir) +(type pdx_display_manager_channel_socket) +(type pdx_display_manager_endpoint_socket) +(type pdx_display_screenshot_channel_socket) +(type pdx_display_screenshot_endpoint_socket) +(type pdx_display_vsync_channel_socket) +(type pdx_display_vsync_endpoint_socket) +(type pdx_performance_client_channel_socket) +(type pdx_performance_client_endpoint_socket) +(type pdx_performance_dir) +(type people_service) +(type perfetto) +(type performanced) +(type performanced_exec) +(type permission_checker_service) +(type permission_service) +(type permissionmgr_service) +(type persist_debug_prop) +(type persist_vendor_debug_wifi_prop) +(type persistent_data_block_service) +(type persistent_properties_ready_prop) +(type pinner_service) +(type pipefs) +(type platform_app) +(type platform_compat_service) +(type pmsg_device) +(type port) +(type port_device) +(type postinstall) +(type postinstall_apex_mnt_dir) +(type postinstall_file) +(type postinstall_mnt_dir) +(type power_debug_prop) +(type power_service) +(type powerctl_prop) +(type powerstats_service) +(type ppp) +(type ppp_device) +(type ppp_exec) +(type preloads_data_file) +(type preloads_media_file) +(type prereboot_data_file) +(type print_service) +(type priv_app) +(type privapp_data_file) +(type proc) +(type proc_abi) +(type proc_asound) +(type proc_bluetooth_writable) +(type proc_bootconfig) +(type proc_buddyinfo) +(type proc_cmdline) +(type proc_cpuinfo) +(type proc_dirty) +(type proc_diskstats) +(type proc_drop_caches) +(type proc_extra_free_kbytes) +(type proc_filesystems) +(type proc_fs_verity) +(type proc_hostname) +(type proc_hung_task) +(type proc_interrupts) +(type proc_iomem) +(type proc_kallsyms) +(type proc_keys) +(type proc_kmsg) +(type proc_kpageflags) +(type proc_loadavg) +(type proc_locks) +(type proc_lowmemorykiller) +(type proc_max_map_count) +(type proc_meminfo) +(type proc_min_free_order_shift) 
+(type proc_misc) +(type proc_modules) +(type proc_mounts) +(type proc_net) +(type proc_net_tcp_udp) +(type proc_overcommit_memory) +(type proc_page_cluster) +(type proc_pagetypeinfo) +(type proc_panic) +(type proc_perf) +(type proc_pid_max) +(type proc_pipe_conf) +(type proc_pressure_cpu) +(type proc_pressure_io) +(type proc_pressure_mem) +(type proc_qtaguid_ctrl) +(type proc_qtaguid_stat) +(type proc_random) +(type proc_sched) +(type proc_security) +(type proc_slabinfo) +(type proc_stat) +(type proc_swaps) +(type proc_sysrq) +(type proc_timer) +(type proc_tty_drivers) +(type proc_uid_concurrent_active_time) +(type proc_uid_concurrent_policy_time) +(type proc_uid_cpupower) +(type proc_uid_cputime_removeuid) +(type proc_uid_cputime_showstat) +(type proc_uid_io_stats) +(type proc_uid_procstat_set) +(type proc_uid_time_in_state) +(type proc_uptime) +(type proc_vendor_sched) +(type proc_version) +(type proc_vmallocinfo) +(type proc_vmstat) +(type proc_zoneinfo) +(type processinfo_service) +(type procstats_service) +(type profman) +(type profman_dump_data_file) +(type profman_exec) +(type properties_device) +(type properties_serial) +(type property_contexts_file) +(type property_data_file) +(type property_info) +(type property_service_version_prop) +(type property_socket) +(type provisioned_prop) +(type pstorefs) +(type ptmx_device) +(type qemu_hw_prop) +(type qemu_sf_lcd_density_prop) +(type qtaguid_device) +(type racoon) +(type racoon_exec) +(type racoon_socket) +(type radio) +(type radio_control_prop) +(type radio_core_data_file) +(type radio_data_file) +(type radio_device) +(type radio_prop) +(type radio_service) +(type ram_device) +(type random_device) +(type reboot_readiness_service) +(type rebootescrow_hal_prop) +(type recovery) +(type recovery_block_device) +(type recovery_config_prop) +(type recovery_data_file) +(type recovery_persist) +(type recovery_persist_exec) +(type recovery_refresh) +(type recovery_refresh_exec) +(type recovery_service) +(type 
recovery_socket) +(type registry_service) +(type remoteprovisioning_service) +(type resourcecache_data_file) +(type restorecon_prop) +(type restrictions_service) +(type retaildemo_prop) +(type rild_debug_socket) +(type rild_socket) +(type ringtone_file) +(type role_service) +(type rollback_service) +(type root_block_device) +(type rootfs) +(type rpmsg_device) +(type rs) +(type rs_exec) +(type rss_hwm_reset) +(type rtc_device) +(type rttmanager_service) +(type runas) +(type runas_app) +(type runas_exec) +(type runtime_event_log_tags_file) +(type runtime_service) +(type safemode_prop) +(type same_process_hal_file) +(type samplingprofiler_service) +(type scheduling_policy_service) +(type sdcard_block_device) +(type sdcardd) +(type sdcardd_exec) +(type sdcardfs) +(type seapp_contexts_file) +(type search_service) +(type search_ui_service) +(type sec_key_att_app_id_provider_service) +(type secure_element) +(type secure_element_device) +(type secure_element_service) +(type securityfs) +(type selinuxfs) +(type sendbug_config_prop) +(type sensor_privacy_service) +(type sensors_device) +(type sensorservice_service) +(type sepolicy_file) +(type serial_device) +(type serial_service) +(type serialno_prop) +(type server_configurable_flags_data_file) +(type service_contexts_file) +(type service_manager_service) +(type service_manager_vndservice) +(type servicediscovery_service) +(type servicemanager) +(type servicemanager_exec) +(type settings_service) +(type sgdisk) +(type sgdisk_exec) +(type shared_relro) +(type shared_relro_file) +(type shell) +(type shell_data_file) +(type shell_exec) +(type shell_prop) +(type shell_test_data_file) +(type shm) +(type shortcut_manager_icons) +(type shortcut_service) +(type simpleperf) +(type simpleperf_app_runner) +(type simpleperf_app_runner_exec) +(type slice_service) +(type slideshow) +(type smartspace_service) +(type snapshotctl_log_data_file) +(type snapuserd_socket) +(type soc_prop) +(type socket_device) +(type socket_hook_prop) +(type 
sockfs) +(type sota_prop) +(type soundtrigger_middleware_service) +(type speech_recognition_service) +(type sqlite_log_prop) +(type staged_install_file) +(type staging_data_file) +(type stats_data_file) +(type statsd) +(type statsd_exec) +(type statsdw_socket) +(type statusbar_service) +(type storage_config_prop) +(type storage_file) +(type storage_stub_file) +(type storaged_service) +(type storagemanager_config_prop) +(type storagestats_service) +(type su) +(type su_exec) +(type super_block_device) +(type surfaceflinger) +(type surfaceflinger_color_prop) +(type surfaceflinger_display_prop) +(type surfaceflinger_prop) +(type surfaceflinger_service) +(type surfaceflinger_tmpfs) +(type suspend_prop) +(type swap_block_device) +(type sysfs) +(type sysfs_android_usb) +(type sysfs_batteryinfo) +(type sysfs_block) +(type sysfs_bluetooth_writable) +(type sysfs_devfreq_cur) +(type sysfs_devfreq_dir) +(type sysfs_devices_block) +(type sysfs_devices_cs_etm) +(type sysfs_devices_system_cpu) +(type sysfs_dm) +(type sysfs_dm_verity) +(type sysfs_dma_heap) +(type sysfs_dmabuf_stats) +(type sysfs_dt_firmware_android) +(type sysfs_extcon) +(type sysfs_fs_ext4_features) +(type sysfs_fs_f2fs) +(type sysfs_fs_incfs_features) +(type sysfs_fs_incfs_metrics) +(type sysfs_hwrandom) +(type sysfs_ion) +(type sysfs_ipv4) +(type sysfs_kernel_notes) +(type sysfs_leds) +(type sysfs_loop) +(type sysfs_lowmemorykiller) +(type sysfs_net) +(type sysfs_nfc_power_writable) +(type sysfs_power) +(type sysfs_rtc) +(type sysfs_suspend_stats) +(type sysfs_switch) +(type sysfs_thermal) +(type sysfs_transparent_hugepage) +(type sysfs_uhid) +(type sysfs_uio) +(type sysfs_usb) +(type sysfs_usermodehelper) +(type sysfs_vendor_sched) +(type sysfs_vibrator) +(type sysfs_wake_lock) +(type sysfs_wakeup) +(type sysfs_wakeup_reasons) +(type sysfs_wlan_fwpath) +(type sysfs_zram) +(type sysfs_zram_uevent) +(type system_app) +(type system_app_data_file) +(type system_app_service) +(type system_asan_options_file) +(type 
system_block_device) +(type system_boot_reason_prop) +(type system_bootstrap_lib_file) +(type system_config_service) +(type system_data_file) +(type system_data_root_file) +(type system_event_log_tags_file) +(type system_file) +(type system_group_file) +(type system_jvmti_agent_prop) +(type system_lib_file) +(type system_linker_config_file) +(type system_linker_exec) +(type system_lmk_prop) +(type system_ndebug_socket) +(type system_net_netd_hwservice) +(type system_passwd_file) +(type system_prop) +(type system_seccomp_policy_file) +(type system_security_cacerts_file) +(type system_server) +(type system_server_dumper_service) +(type system_server_tmpfs) +(type system_suspend_control_internal_service) +(type system_suspend_control_service) +(type system_suspend_hwservice) +(type system_trace_prop) +(type system_unsolzygote_socket) +(type system_update_service) +(type system_wifi_keystore_hwservice) +(type system_wpa_socket) +(type system_zoneinfo_file) +(type systemkeys_data_file) +(type systemsound_config_prop) +(type task_profiles_api_file) +(type task_profiles_file) +(type task_service) +(type tcpdump_exec) +(type tee) +(type tee_data_file) +(type tee_device) +(type telecom_service) +(type telephony_config_prop) +(type telephony_status_prop) +(type test_boot_reason_prop) +(type test_harness_prop) +(type testharness_service) +(type tethering_service) +(type textclassification_service) +(type textclassifier_data_file) +(type textservices_service) +(type texttospeech_service) +(type theme_prop) +(type thermal_service) +(type time_prop) +(type timedetector_service) +(type timezone_service) +(type timezonedetector_service) +(type tmpfs) +(type tombstone_config_prop) +(type tombstone_data_file) +(type tombstone_wifi_data_file) +(type tombstoned) +(type tombstoned_crash_socket) +(type tombstoned_exec) +(type tombstoned_intercept_socket) +(type tombstoned_java_trace_socket) +(type toolbox) +(type toolbox_exec) +(type trace_data_file) +(type traced) +(type 
traced_consumer_socket) +(type traced_enabled_prop) +(type traced_lazy_prop) +(type traced_perf) +(type traced_perf_socket) +(type traced_probes) +(type traced_producer_socket) +(type traced_tmpfs) +(type traceur_app) +(type translation_service) +(type trust_service) +(type tty_device) +(type tun_device) +(type tv_input_service) +(type tv_tuner_resource_mgr_service) +(type tzdatacheck) +(type tzdatacheck_exec) +(type ueventd) +(type ueventd_tmpfs) +(type uhid_device) +(type uimode_service) +(type uio_device) +(type uncrypt) +(type uncrypt_exec) +(type uncrypt_socket) +(type unencrypted_data_file) +(type unlabeled) +(type untrusted_app) +(type untrusted_app_25) +(type untrusted_app_27) +(type untrusted_app_29) +(type update_engine) +(type update_engine_data_file) +(type update_engine_exec) +(type update_engine_log_data_file) +(type update_engine_service) +(type update_engine_stable_service) +(type update_verifier) +(type update_verifier_exec) +(type updatelock_service) +(type uri_grants_service) +(type usagestats_service) +(type usb_config_prop) +(type usb_control_prop) +(type usb_device) +(type usb_prop) +(type usb_serial_device) +(type usb_service) +(type usbaccessory_device) +(type usbd) +(type usbd_exec) +(type usbfs) +(type use_memfd_prop) +(type user_profile_data_file) +(type user_profile_root_file) +(type user_service) +(type userdata_block_device) +(type userdata_sysdev) +(type usermodehelper) +(type userspace_reboot_config_prop) +(type userspace_reboot_exported_prop) +(type userspace_reboot_metadata_file) +(type uwb_service) +(type vcn_management_service) +(type vd_device) +(type vdc) +(type vdc_exec) +(type vehicle_hal_prop) +(type vendor_apex_file) +(type vendor_app_file) +(type vendor_cgroup_desc_file) +(type vendor_configs_file) +(type vendor_data_file) +(type vendor_default_prop) +(type vendor_file) +(type vendor_framework_file) +(type vendor_hal_file) +(type vendor_idc_file) +(type vendor_init) +(type vendor_kernel_modules) +(type 
vendor_keychars_file) +(type vendor_keylayout_file) +(type vendor_misc_writer) +(type vendor_misc_writer_exec) +(type vendor_modprobe) +(type vendor_overlay_file) +(type vendor_public_framework_file) +(type vendor_public_lib_file) +(type vendor_security_patch_level_prop) +(type vendor_service_contexts_file) +(type vendor_shell) +(type vendor_shell_exec) +(type vendor_socket_hook_prop) +(type vendor_task_profiles_file) +(type vendor_toolbox_exec) +(type vfat) +(type vibrator_manager_service) +(type vibrator_service) +(type video_device) +(type virtual_ab_prop) +(type virtual_touchpad) +(type virtual_touchpad_exec) +(type virtual_touchpad_service) +(type virtualization_service) +(type vndbinder_device) +(type vndk_prop) +(type vndk_sp_file) +(type vndservice_contexts_file) +(type vndservicemanager) +(type voiceinteraction_service) +(type vold) +(type vold_config_prop) +(type vold_data_file) +(type vold_device) +(type vold_exec) +(type vold_metadata_file) +(type vold_post_fs_data_prop) +(type vold_prepare_subdirs) +(type vold_prepare_subdirs_exec) +(type vold_prop) +(type vold_service) +(type vold_status_prop) +(type vpn_data_file) +(type vpn_management_service) +(type vr_hwc) +(type vr_hwc_exec) +(type vr_hwc_service) +(type vr_manager_service) +(type vrflinger_vsync_service) +(type vts_config_prop) +(type vts_status_prop) +(type wallpaper_file) +(type wallpaper_service) +(type watchdog_device) +(type watchdog_metadata_file) +(type watchdogd) +(type watchdogd_exec) +(type webview_zygote) +(type webview_zygote_exec) +(type webview_zygote_tmpfs) +(type webviewupdate_service) +(type wifi_config_prop) +(type wifi_data_file) +(type wifi_hal_prop) +(type wifi_key) +(type wifi_log_prop) +(type wifi_prop) +(type wifi_service) +(type wifiaware_service) +(type wificond) +(type wificond_exec) +(type wifinl80211_service) +(type wifip2p_service) +(type wifiscanner_service) +(type window_service) +(type wpa_socket) +(type wpantund) +(type wpantund_exec) +(type wpantund_service) 
+(type zero_device) +(type zoneinfo_data_file) +(type zram_config_prop) +(type zram_control_prop) +(type zygote) +(type zygote_config_prop) +(type zygote_exec) +(type zygote_socket) +(type zygote_tmpfs) +(typeattribute DockObserver_service_31_0) +(typeattribute IProxyService_service_31_0) +(typeattribute aac_drc_prop_31_0) +(typeattribute aaudio_config_prop_31_0) +(typeattribute ab_update_gki_prop_31_0) +(typeattribute accessibility_service_31_0) +(typeattribute account_service_31_0) +(typeattribute activity_service_31_0) +(typeattribute activity_task_service_31_0) +(typeattribute adb_data_file_31_0) +(typeattribute adb_keys_file_31_0) +(typeattribute adb_service_31_0) +(typeattribute adbd_31_0) +(typeattribute adbd_config_prop_31_0) +(typeattribute adbd_exec_31_0) +(typeattribute adbd_socket_31_0) +(typeattribute aidl_lazy_test_server_31_0) +(typeattribute aidl_lazy_test_server_exec_31_0) +(typeattribute aidl_lazy_test_service_31_0) +(typeattribute alarm_service_31_0) +(typeattribute anr_data_file_31_0) +(typeattribute apc_service_31_0) +(typeattribute apex_appsearch_data_file_31_0) +(typeattribute apex_data_file_31_0) +(typeattribute apex_info_file_31_0) +(typeattribute apex_metadata_file_31_0) +(typeattribute apex_mnt_dir_31_0) +(typeattribute apex_module_data_file_31_0) +(typeattribute apex_ota_reserved_file_31_0) +(typeattribute apex_permission_data_file_31_0) +(typeattribute apex_rollback_data_file_31_0) +(typeattribute apex_scheduling_data_file_31_0) +(typeattribute apex_service_31_0) +(typeattribute apex_wifi_data_file_31_0) +(typeattribute apexd_31_0) +(typeattribute apexd_config_prop_31_0) +(typeattribute apexd_exec_31_0) +(typeattribute apexd_prop_31_0) +(typeattribute apk_data_file_31_0) +(typeattribute apk_private_data_file_31_0) +(typeattribute apk_private_tmp_file_31_0) +(typeattribute apk_tmp_file_31_0) +(typeattribute apk_verity_prop_31_0) +(typeattribute app_api_service) +(typeattribute app_binding_service_31_0) +(typeattribute app_data_file_31_0) 
+(typeattribute app_data_file_type) +(typeattribute app_fuse_file_31_0) +(typeattribute app_fusefs_31_0) +(typeattribute app_hibernation_service_31_0) +(typeattribute app_integrity_service_31_0) +(typeattribute app_prediction_service_31_0) +(typeattribute app_search_service_31_0) +(typeattribute app_zygote_31_0) +(typeattribute app_zygote_tmpfs_31_0) +(typeattribute appcompat_data_file_31_0) +(typeattribute appdomain) +(typeattribute appdomain_tmpfs_31_0) +(typeattribute appops_service_31_0) +(typeattribute appwidget_service_31_0) +(typeattribute arm64_memtag_prop_31_0) +(typeattribute art_apex_dir_31_0) +(typeattribute asec_apk_file_31_0) +(typeattribute asec_image_file_31_0) +(typeattribute asec_public_file_31_0) +(typeattribute ashmem_device_31_0) +(typeattribute ashmem_libcutils_device_31_0) +(typeattribute assetatlas_service_31_0) +(typeattribute atrace_31_0) +(typeattribute audio_config_prop_31_0) +(typeattribute audio_data_file_31_0) +(typeattribute audio_device_31_0) +(typeattribute audio_prop_31_0) +(typeattribute audio_service_31_0) +(typeattribute audiohal_data_file_31_0) +(typeattribute audioserver_31_0) +(typeattribute audioserver_data_file_31_0) +(typeattribute audioserver_service_31_0) +(typeattribute audioserver_tmpfs_31_0) +(typeattribute auth_service_31_0) +(typeattribute authorization_service_31_0) +(typeattribute autofill_service_31_0) +(typeattribute automotive_display_service_server) +(typeattribute backup_data_file_31_0) +(typeattribute backup_service_31_0) +(typeattribute base_typeattr_100_31_0) +(typeattribute base_typeattr_101_31_0) +(typeattribute base_typeattr_102_31_0) +(typeattribute base_typeattr_103_31_0) +(typeattribute base_typeattr_104_31_0) +(typeattribute base_typeattr_105_31_0) +(typeattribute base_typeattr_106_31_0) +(typeattribute base_typeattr_107_31_0) +(typeattribute base_typeattr_108_31_0) +(typeattribute base_typeattr_109_31_0) +(typeattribute base_typeattr_10_31_0) +(typeattribute base_typeattr_110_31_0) +(typeattribute 
base_typeattr_111_31_0) +(typeattribute base_typeattr_112_31_0) +(typeattribute base_typeattr_113_31_0) +(typeattribute base_typeattr_114_31_0) +(typeattribute base_typeattr_115_31_0) +(typeattribute base_typeattr_116_31_0) +(typeattribute base_typeattr_117_31_0) +(typeattribute base_typeattr_118_31_0) +(typeattribute base_typeattr_119_31_0) +(typeattribute base_typeattr_11_31_0) +(typeattribute base_typeattr_120_31_0) +(typeattribute base_typeattr_121_31_0) +(typeattribute base_typeattr_122_31_0) +(typeattribute base_typeattr_123_31_0) +(typeattribute base_typeattr_124_31_0) +(typeattribute base_typeattr_125_31_0) +(typeattribute base_typeattr_126_31_0) +(typeattribute base_typeattr_127_31_0) +(typeattribute base_typeattr_128_31_0) +(typeattribute base_typeattr_129_31_0) +(typeattribute base_typeattr_12_31_0) +(typeattribute base_typeattr_130_31_0) +(typeattribute base_typeattr_131_31_0) +(typeattribute base_typeattr_132_31_0) +(typeattribute base_typeattr_133_31_0) +(typeattribute base_typeattr_134_31_0) +(typeattribute base_typeattr_135_31_0) +(typeattribute base_typeattr_136_31_0) +(typeattribute base_typeattr_137_31_0) +(typeattribute base_typeattr_138_31_0) +(typeattribute base_typeattr_139_31_0) +(typeattribute base_typeattr_13_31_0) +(typeattribute base_typeattr_140_31_0) +(typeattribute base_typeattr_141_31_0) +(typeattribute base_typeattr_142_31_0) +(typeattribute base_typeattr_143_31_0) +(typeattribute base_typeattr_144_31_0) +(typeattribute base_typeattr_145_31_0) +(typeattribute base_typeattr_146_31_0) +(typeattribute base_typeattr_147_31_0) +(typeattribute base_typeattr_148_31_0) +(typeattribute base_typeattr_149_31_0) +(typeattribute base_typeattr_14_31_0) +(typeattribute base_typeattr_150_31_0) +(typeattribute base_typeattr_151_31_0) +(typeattribute base_typeattr_152_31_0) +(typeattribute base_typeattr_153_31_0) +(typeattribute base_typeattr_154_31_0) +(typeattribute base_typeattr_155_31_0) +(typeattribute base_typeattr_156_31_0) +(typeattribute 
base_typeattr_157_31_0) +(typeattribute base_typeattr_158_31_0) +(typeattribute base_typeattr_159_31_0) +(typeattribute base_typeattr_15_31_0) +(typeattribute base_typeattr_160_31_0) +(typeattribute base_typeattr_161_31_0) +(typeattribute base_typeattr_162_31_0) +(typeattribute base_typeattr_163_31_0) +(typeattribute base_typeattr_164_31_0) +(typeattribute base_typeattr_165_31_0) +(typeattribute base_typeattr_166_31_0) +(typeattribute base_typeattr_167_31_0) +(typeattribute base_typeattr_168_31_0) +(typeattribute base_typeattr_169_31_0) +(typeattribute base_typeattr_16_31_0) +(typeattribute base_typeattr_170_31_0) +(typeattribute base_typeattr_171_31_0) +(typeattribute base_typeattr_172_31_0) +(typeattribute base_typeattr_173_31_0) +(typeattribute base_typeattr_174_31_0) +(typeattribute base_typeattr_175_31_0) +(typeattribute base_typeattr_176_31_0) +(typeattribute base_typeattr_177_31_0) +(typeattribute base_typeattr_178_31_0) +(typeattribute base_typeattr_179_31_0) +(typeattribute base_typeattr_17_31_0) +(typeattribute base_typeattr_180_31_0) +(typeattribute base_typeattr_181_31_0) +(typeattribute base_typeattr_182_31_0) +(typeattribute base_typeattr_183_31_0) +(typeattribute base_typeattr_184_31_0) +(typeattribute base_typeattr_185_31_0) +(typeattribute base_typeattr_186_31_0) +(typeattribute base_typeattr_187_31_0) +(typeattribute base_typeattr_188_31_0) +(typeattribute base_typeattr_189_31_0) +(typeattribute base_typeattr_18_31_0) +(typeattribute base_typeattr_190_31_0) +(typeattribute base_typeattr_191_31_0) +(typeattribute base_typeattr_192_31_0) +(typeattribute base_typeattr_193_31_0) +(typeattribute base_typeattr_194_31_0) +(typeattribute base_typeattr_195_31_0) +(typeattribute base_typeattr_196_31_0) +(typeattribute base_typeattr_197_31_0) +(typeattribute base_typeattr_198_31_0) +(typeattribute base_typeattr_199_31_0) +(typeattribute base_typeattr_19_31_0) +(typeattribute base_typeattr_1_31_0) +(typeattribute base_typeattr_200_31_0) +(typeattribute 
base_typeattr_201_31_0) +(typeattribute base_typeattr_202_31_0) +(typeattribute base_typeattr_203_31_0) +(typeattribute base_typeattr_204_31_0) +(typeattribute base_typeattr_205_31_0) +(typeattribute base_typeattr_206_31_0) +(typeattribute base_typeattr_207_31_0) +(typeattribute base_typeattr_208_31_0) +(typeattribute base_typeattr_209_31_0) +(typeattribute base_typeattr_20_31_0) +(typeattribute base_typeattr_210_31_0) +(typeattribute base_typeattr_211_31_0) +(typeattribute base_typeattr_212_31_0) +(typeattribute base_typeattr_213_31_0) +(typeattribute base_typeattr_214_31_0) +(typeattribute base_typeattr_215_31_0) +(typeattribute base_typeattr_216_31_0) +(typeattribute base_typeattr_217_31_0) +(typeattribute base_typeattr_218_31_0) +(typeattribute base_typeattr_219_31_0) +(typeattribute base_typeattr_21_31_0) +(typeattribute base_typeattr_220_31_0) +(typeattribute base_typeattr_221_31_0) +(typeattribute base_typeattr_222_31_0) +(typeattribute base_typeattr_223_31_0) +(typeattribute base_typeattr_224_31_0) +(typeattribute base_typeattr_225_31_0) +(typeattribute base_typeattr_226_31_0) +(typeattribute base_typeattr_227_31_0) +(typeattribute base_typeattr_228_31_0) +(typeattribute base_typeattr_229_31_0) +(typeattribute base_typeattr_22_31_0) +(typeattribute base_typeattr_230_31_0) +(typeattribute base_typeattr_231_31_0) +(typeattribute base_typeattr_232_31_0) +(typeattribute base_typeattr_233_31_0) +(typeattribute base_typeattr_234_31_0) +(typeattribute base_typeattr_235_31_0) +(typeattribute base_typeattr_236_31_0) +(typeattribute base_typeattr_237_31_0) +(typeattribute base_typeattr_238_31_0) +(typeattribute base_typeattr_239_31_0) +(typeattribute base_typeattr_23_31_0) +(typeattribute base_typeattr_240_31_0) +(typeattribute base_typeattr_241_31_0) +(typeattribute base_typeattr_242_31_0) +(typeattribute base_typeattr_243_31_0) +(typeattribute base_typeattr_244_31_0) +(typeattribute base_typeattr_245_31_0) +(typeattribute base_typeattr_246_31_0) +(typeattribute 
base_typeattr_247_31_0) +(typeattribute base_typeattr_248_31_0) +(typeattribute base_typeattr_249_31_0) +(typeattribute base_typeattr_24_31_0) +(typeattribute base_typeattr_250_31_0) +(typeattribute base_typeattr_251_31_0) +(typeattribute base_typeattr_252_31_0) +(typeattribute base_typeattr_253_31_0) +(typeattribute base_typeattr_254_31_0) +(typeattribute base_typeattr_255_31_0) +(typeattribute base_typeattr_256_31_0) +(typeattribute base_typeattr_257_31_0) +(typeattribute base_typeattr_258_31_0) +(typeattribute base_typeattr_259_31_0) +(typeattribute base_typeattr_25_31_0) +(typeattribute base_typeattr_260_31_0) +(typeattribute base_typeattr_261_31_0) +(typeattribute base_typeattr_262_31_0) +(typeattribute base_typeattr_263_31_0) +(typeattribute base_typeattr_264_31_0) +(typeattribute base_typeattr_265_31_0) +(typeattribute base_typeattr_266_31_0) +(typeattribute base_typeattr_267_31_0) +(typeattribute base_typeattr_268_31_0) +(typeattribute base_typeattr_269_31_0) +(typeattribute base_typeattr_26_31_0) +(typeattribute base_typeattr_270_31_0) +(typeattribute base_typeattr_271_31_0) +(typeattribute base_typeattr_272_31_0) +(typeattribute base_typeattr_273_31_0) +(typeattribute base_typeattr_274_31_0) +(typeattribute base_typeattr_275_31_0) +(typeattribute base_typeattr_276_31_0) +(typeattribute base_typeattr_277_31_0) +(typeattribute base_typeattr_278_31_0) +(typeattribute base_typeattr_279_31_0) +(typeattribute base_typeattr_27_31_0) +(typeattribute base_typeattr_280_31_0) +(typeattribute base_typeattr_281_31_0) +(typeattribute base_typeattr_282_31_0) +(typeattribute base_typeattr_283_31_0) +(typeattribute base_typeattr_284_31_0) +(typeattribute base_typeattr_285_31_0) +(typeattribute base_typeattr_286_31_0) +(typeattribute base_typeattr_287_31_0) +(typeattribute base_typeattr_288_31_0) +(typeattribute base_typeattr_289_31_0) +(typeattribute base_typeattr_28_31_0) +(typeattribute base_typeattr_290_31_0) +(typeattribute base_typeattr_291_31_0) +(typeattribute 
base_typeattr_292_31_0) +(typeattribute base_typeattr_293_31_0) +(typeattribute base_typeattr_294_31_0) +(typeattribute base_typeattr_295_31_0) +(typeattribute base_typeattr_296_31_0) +(typeattribute base_typeattr_297_31_0) +(typeattribute base_typeattr_298_31_0) +(typeattribute base_typeattr_299_31_0) +(typeattribute base_typeattr_29_31_0) +(typeattribute base_typeattr_2_31_0) +(typeattribute base_typeattr_300_31_0) +(typeattribute base_typeattr_301_31_0) +(typeattribute base_typeattr_302_31_0) +(typeattribute base_typeattr_303_31_0) +(typeattribute base_typeattr_304_31_0) +(typeattribute base_typeattr_305_31_0) +(typeattribute base_typeattr_306_31_0) +(typeattribute base_typeattr_307_31_0) +(typeattribute base_typeattr_308_31_0) +(typeattribute base_typeattr_309_31_0) +(typeattribute base_typeattr_30_31_0) +(typeattribute base_typeattr_310_31_0) +(typeattribute base_typeattr_311_31_0) +(typeattribute base_typeattr_312_31_0) +(typeattribute base_typeattr_313_31_0) +(typeattribute base_typeattr_314_31_0) +(typeattribute base_typeattr_315_31_0) +(typeattribute base_typeattr_316_31_0) +(typeattribute base_typeattr_317_31_0) +(typeattribute base_typeattr_318_31_0) +(typeattribute base_typeattr_319_31_0) +(typeattribute base_typeattr_31_31_0) +(typeattribute base_typeattr_320_31_0) +(typeattribute base_typeattr_321_31_0) +(typeattribute base_typeattr_322_31_0) +(typeattribute base_typeattr_323_31_0) +(typeattribute base_typeattr_324_31_0) +(typeattribute base_typeattr_325_31_0) +(typeattribute base_typeattr_326_31_0) +(typeattribute base_typeattr_327_31_0) +(typeattribute base_typeattr_328_31_0) +(typeattribute base_typeattr_329_31_0) +(typeattribute base_typeattr_32_31_0) +(typeattribute base_typeattr_330_31_0) +(typeattribute base_typeattr_331_31_0) +(typeattribute base_typeattr_332_31_0) +(typeattribute base_typeattr_333_31_0) +(typeattribute base_typeattr_334_31_0) +(typeattribute base_typeattr_335_31_0) +(typeattribute base_typeattr_336_31_0) +(typeattribute 
base_typeattr_337_31_0) +(typeattribute base_typeattr_338_31_0) +(typeattribute base_typeattr_339_31_0) +(typeattribute base_typeattr_33_31_0) +(typeattribute base_typeattr_340_31_0) +(typeattribute base_typeattr_341_31_0) +(typeattribute base_typeattr_342_31_0) +(typeattribute base_typeattr_343_31_0) +(typeattribute base_typeattr_344_31_0) +(typeattribute base_typeattr_345_31_0) +(typeattribute base_typeattr_346_31_0) +(typeattribute base_typeattr_347_31_0) +(typeattribute base_typeattr_348_31_0) +(typeattribute base_typeattr_349_31_0) +(typeattribute base_typeattr_34_31_0) +(typeattribute base_typeattr_350_31_0) +(typeattribute base_typeattr_351_31_0) +(typeattribute base_typeattr_352_31_0) +(typeattribute base_typeattr_353_31_0) +(typeattribute base_typeattr_354_31_0) +(typeattribute base_typeattr_355_31_0) +(typeattribute base_typeattr_356_31_0) +(typeattribute base_typeattr_357_31_0) +(typeattribute base_typeattr_358_31_0) +(typeattribute base_typeattr_359_31_0) +(typeattribute base_typeattr_35_31_0) +(typeattribute base_typeattr_360_31_0) +(typeattribute base_typeattr_361_31_0) +(typeattribute base_typeattr_362_31_0) +(typeattribute base_typeattr_363_31_0) +(typeattribute base_typeattr_364_31_0) +(typeattribute base_typeattr_365_31_0) +(typeattribute base_typeattr_366_31_0) +(typeattribute base_typeattr_367_31_0) +(typeattribute base_typeattr_368_31_0) +(typeattribute base_typeattr_369_31_0) +(typeattribute base_typeattr_36_31_0) +(typeattribute base_typeattr_370_31_0) +(typeattribute base_typeattr_371_31_0) +(typeattribute base_typeattr_372_31_0) +(typeattribute base_typeattr_373_31_0) +(typeattribute base_typeattr_374_31_0) +(typeattribute base_typeattr_375_31_0) +(typeattribute base_typeattr_376_31_0) +(typeattribute base_typeattr_377_31_0) +(typeattribute base_typeattr_378_31_0) +(typeattribute base_typeattr_379_31_0) +(typeattribute base_typeattr_37_31_0) +(typeattribute base_typeattr_380_31_0) +(typeattribute base_typeattr_381_31_0) +(typeattribute 
base_typeattr_382_31_0) +(typeattribute base_typeattr_383_31_0) +(typeattribute base_typeattr_384_31_0) +(typeattribute base_typeattr_385_31_0) +(typeattribute base_typeattr_386_31_0) +(typeattribute base_typeattr_387_31_0) +(typeattribute base_typeattr_388_31_0) +(typeattribute base_typeattr_389_31_0) +(typeattribute base_typeattr_38_31_0) +(typeattribute base_typeattr_390_31_0) +(typeattribute base_typeattr_391_31_0) +(typeattribute base_typeattr_392_31_0) +(typeattribute base_typeattr_393_31_0) +(typeattribute base_typeattr_394_31_0) +(typeattribute base_typeattr_395_31_0) +(typeattribute base_typeattr_396_31_0) +(typeattribute base_typeattr_397_31_0) +(typeattribute base_typeattr_398_31_0) +(typeattribute base_typeattr_399_31_0) +(typeattribute base_typeattr_39_31_0) +(typeattribute base_typeattr_3_31_0) +(typeattribute base_typeattr_400_31_0) +(typeattribute base_typeattr_401_31_0) +(typeattribute base_typeattr_402_31_0) +(typeattribute base_typeattr_403_31_0) +(typeattribute base_typeattr_404_31_0) +(typeattribute base_typeattr_405_31_0) +(typeattribute base_typeattr_406_31_0) +(typeattribute base_typeattr_407_31_0) +(typeattribute base_typeattr_408_31_0) +(typeattribute base_typeattr_409_31_0) +(typeattribute base_typeattr_40_31_0) +(typeattribute base_typeattr_410_31_0) +(typeattribute base_typeattr_411_31_0) +(typeattribute base_typeattr_412_31_0) +(typeattribute base_typeattr_413_31_0) +(typeattribute base_typeattr_414_31_0) +(typeattribute base_typeattr_415_31_0) +(typeattribute base_typeattr_416_31_0) +(typeattribute base_typeattr_417_31_0) +(typeattribute base_typeattr_418_31_0) +(typeattribute base_typeattr_419_31_0) +(typeattribute base_typeattr_41_31_0) +(typeattribute base_typeattr_420_31_0) +(typeattribute base_typeattr_421_31_0) +(typeattribute base_typeattr_422_31_0) +(typeattribute base_typeattr_423_31_0) +(typeattribute base_typeattr_424_31_0) +(typeattribute base_typeattr_425_31_0) +(typeattribute base_typeattr_426_31_0) +(typeattribute 
base_typeattr_427_31_0) +(typeattribute base_typeattr_428_31_0) +(typeattribute base_typeattr_429_31_0) +(typeattribute base_typeattr_42_31_0) +(typeattribute base_typeattr_430_31_0) +(typeattribute base_typeattr_431_31_0) +(typeattribute base_typeattr_432_31_0) +(typeattribute base_typeattr_433_31_0) +(typeattribute base_typeattr_434_31_0) +(typeattribute base_typeattr_435_31_0) +(typeattribute base_typeattr_436_31_0) +(typeattribute base_typeattr_437_31_0) +(typeattribute base_typeattr_438_31_0) +(typeattribute base_typeattr_439_31_0) +(typeattribute base_typeattr_43_31_0) +(typeattribute base_typeattr_440_31_0) +(typeattribute base_typeattr_441_31_0) +(typeattribute base_typeattr_442_31_0) +(typeattribute base_typeattr_443_31_0) +(typeattribute base_typeattr_444_31_0) +(typeattribute base_typeattr_445_31_0) +(typeattribute base_typeattr_446_31_0) +(typeattribute base_typeattr_447_31_0) +(typeattribute base_typeattr_448_31_0) +(typeattribute base_typeattr_449_31_0) +(typeattribute base_typeattr_44_31_0) +(typeattribute base_typeattr_450_31_0) +(typeattribute base_typeattr_451_31_0) +(typeattribute base_typeattr_452_31_0) +(typeattribute base_typeattr_453_31_0) +(typeattribute base_typeattr_454_31_0) +(typeattribute base_typeattr_455_31_0) +(typeattribute base_typeattr_456_31_0) +(typeattribute base_typeattr_457_31_0) +(typeattribute base_typeattr_458_31_0) +(typeattribute base_typeattr_459_31_0) +(typeattribute base_typeattr_45_31_0) +(typeattribute base_typeattr_460_31_0) +(typeattribute base_typeattr_461_31_0) +(typeattribute base_typeattr_462_31_0) +(typeattribute base_typeattr_463_31_0) +(typeattribute base_typeattr_464_31_0) +(typeattribute base_typeattr_465_31_0) +(typeattribute base_typeattr_466_31_0) +(typeattribute base_typeattr_467_31_0) +(typeattribute base_typeattr_468_31_0) +(typeattribute base_typeattr_469_31_0) +(typeattribute base_typeattr_46_31_0) +(typeattribute base_typeattr_470_31_0) +(typeattribute base_typeattr_471_31_0) +(typeattribute 
base_typeattr_472_31_0) +(typeattribute base_typeattr_473_31_0) +(typeattribute base_typeattr_474_31_0) +(typeattribute base_typeattr_475_31_0) +(typeattribute base_typeattr_476_31_0) +(typeattribute base_typeattr_477_31_0) +(typeattribute base_typeattr_478_31_0) +(typeattribute base_typeattr_479_31_0) +(typeattribute base_typeattr_47_31_0) +(typeattribute base_typeattr_480_31_0) +(typeattribute base_typeattr_481_31_0) +(typeattribute base_typeattr_482_31_0) +(typeattribute base_typeattr_483_31_0) +(typeattribute base_typeattr_484_31_0) +(typeattribute base_typeattr_485_31_0) +(typeattribute base_typeattr_486_31_0) +(typeattribute base_typeattr_487_31_0) +(typeattribute base_typeattr_488_31_0) +(typeattribute base_typeattr_489_31_0) +(typeattribute base_typeattr_48_31_0) +(typeattribute base_typeattr_490_31_0) +(typeattribute base_typeattr_491_31_0) +(typeattribute base_typeattr_492_31_0) +(typeattribute base_typeattr_493_31_0) +(typeattribute base_typeattr_494_31_0) +(typeattribute base_typeattr_495_31_0) +(typeattribute base_typeattr_496_31_0) +(typeattribute base_typeattr_497_31_0) +(typeattribute base_typeattr_498_31_0) +(typeattribute base_typeattr_499_31_0) +(typeattribute base_typeattr_49_31_0) +(typeattribute base_typeattr_4_31_0) +(typeattribute base_typeattr_500_31_0) +(typeattribute base_typeattr_501_31_0) +(typeattribute base_typeattr_502_31_0) +(typeattribute base_typeattr_503_31_0) +(typeattribute base_typeattr_504_31_0) +(typeattribute base_typeattr_505_31_0) +(typeattribute base_typeattr_506_31_0) +(typeattribute base_typeattr_507_31_0) +(typeattribute base_typeattr_508_31_0) +(typeattribute base_typeattr_509_31_0) +(typeattribute base_typeattr_50_31_0) +(typeattribute base_typeattr_510_31_0) +(typeattribute base_typeattr_511_31_0) +(typeattribute base_typeattr_512_31_0) +(typeattribute base_typeattr_513_31_0) +(typeattribute base_typeattr_514_31_0) +(typeattribute base_typeattr_515_31_0) +(typeattribute base_typeattr_516_31_0) +(typeattribute 
base_typeattr_517_31_0) +(typeattribute base_typeattr_518_31_0) +(typeattribute base_typeattr_519_31_0) +(typeattribute base_typeattr_51_31_0) +(typeattribute base_typeattr_520_31_0) +(typeattribute base_typeattr_521_31_0) +(typeattribute base_typeattr_522_31_0) +(typeattribute base_typeattr_523_31_0) +(typeattribute base_typeattr_524_31_0) +(typeattribute base_typeattr_525_31_0) +(typeattribute base_typeattr_526_31_0) +(typeattribute base_typeattr_527_31_0) +(typeattribute base_typeattr_528_31_0) +(typeattribute base_typeattr_529_31_0) +(typeattribute base_typeattr_52_31_0) +(typeattribute base_typeattr_530_31_0) +(typeattribute base_typeattr_531_31_0) +(typeattribute base_typeattr_532_31_0) +(typeattribute base_typeattr_533_31_0) +(typeattribute base_typeattr_534_31_0) +(typeattribute base_typeattr_535_31_0) +(typeattribute base_typeattr_536_31_0) +(typeattribute base_typeattr_537_31_0) +(typeattribute base_typeattr_538_31_0) +(typeattribute base_typeattr_539_31_0) +(typeattribute base_typeattr_53_31_0) +(typeattribute base_typeattr_54_31_0) +(typeattribute base_typeattr_55_31_0) +(typeattribute base_typeattr_56_31_0) +(typeattribute base_typeattr_57_31_0) +(typeattribute base_typeattr_58_31_0) +(typeattribute base_typeattr_59_31_0) +(typeattribute base_typeattr_5_31_0) +(typeattribute base_typeattr_60_31_0) +(typeattribute base_typeattr_61_31_0) +(typeattribute base_typeattr_62_31_0) +(typeattribute base_typeattr_63_31_0) +(typeattribute base_typeattr_64_31_0) +(typeattribute base_typeattr_65_31_0) +(typeattribute base_typeattr_66_31_0) +(typeattribute base_typeattr_67_31_0) +(typeattribute base_typeattr_68_31_0) +(typeattribute base_typeattr_69_31_0) +(typeattribute base_typeattr_6_31_0) +(typeattribute base_typeattr_70_31_0) +(typeattribute base_typeattr_71_31_0) +(typeattribute base_typeattr_72_31_0) +(typeattribute base_typeattr_73_31_0) +(typeattribute base_typeattr_74_31_0) +(typeattribute base_typeattr_75_31_0) +(typeattribute base_typeattr_76_31_0) 
+(typeattribute base_typeattr_77_31_0) +(typeattribute base_typeattr_78_31_0) +(typeattribute base_typeattr_79_31_0) +(typeattribute base_typeattr_7_31_0) +(typeattribute base_typeattr_80_31_0) +(typeattribute base_typeattr_81_31_0) +(typeattribute base_typeattr_82_31_0) +(typeattribute base_typeattr_83_31_0) +(typeattribute base_typeattr_84_31_0) +(typeattribute base_typeattr_85_31_0) +(typeattribute base_typeattr_86_31_0) +(typeattribute base_typeattr_87_31_0) +(typeattribute base_typeattr_88_31_0) +(typeattribute base_typeattr_89_31_0) +(typeattribute base_typeattr_8_31_0) +(typeattribute base_typeattr_90_31_0) +(typeattribute base_typeattr_91_31_0) +(typeattribute base_typeattr_92_31_0) +(typeattribute base_typeattr_93_31_0) +(typeattribute base_typeattr_94_31_0) +(typeattribute base_typeattr_95_31_0) +(typeattribute base_typeattr_96_31_0) +(typeattribute base_typeattr_97_31_0) +(typeattribute base_typeattr_98_31_0) +(typeattribute base_typeattr_99_31_0) +(typeattribute base_typeattr_9_31_0) +(typeattribute battery_service_31_0) +(typeattribute batteryproperties_service_31_0) +(typeattribute batterystats_service_31_0) +(typeattribute bdev_type) +(typeattribute binder_cache_bluetooth_server_prop_31_0) +(typeattribute binder_cache_system_server_prop_31_0) +(typeattribute binder_cache_telephony_server_prop_31_0) +(typeattribute binder_calls_stats_service_31_0) +(typeattribute binder_device_31_0) +(typeattribute binderfs_31_0) +(typeattribute binderfs_logs_31_0) +(typeattribute binderfs_logs_proc_31_0) +(typeattribute binderservicedomain) +(typeattribute binfmt_miscfs_31_0) +(typeattribute biometric_service_31_0) +(typeattribute blkid_31_0) +(typeattribute blkid_untrusted_31_0) +(typeattribute blob_store_service_31_0) +(typeattribute block_device_31_0) +(typeattribute bluetooth_31_0) +(typeattribute bluetooth_a2dp_offload_prop_31_0) +(typeattribute bluetooth_audio_hal_prop_31_0) +(typeattribute bluetooth_data_file_31_0) +(typeattribute bluetooth_efs_file_31_0) 
+(typeattribute bluetooth_logs_data_file_31_0) +(typeattribute bluetooth_manager_service_31_0) +(typeattribute bluetooth_prop_31_0) +(typeattribute bluetooth_service_31_0) +(typeattribute bluetooth_socket_31_0) +(typeattribute bluetoothdomain) +(typeattribute boot_block_device_31_0) +(typeattribute boot_status_prop_31_0) +(typeattribute bootanim_31_0) +(typeattribute bootanim_config_prop_31_0) +(typeattribute bootanim_exec_31_0) +(typeattribute bootanim_system_prop_31_0) +(typeattribute bootchart_data_file_31_0) +(typeattribute bootloader_boot_reason_prop_31_0) +(typeattribute bootloader_prop_31_0) +(typeattribute bootstat_31_0) +(typeattribute bootstat_data_file_31_0) +(typeattribute bootstat_exec_31_0) +(typeattribute boottime_prop_31_0) +(typeattribute boottime_public_prop_31_0) +(typeattribute boottrace_data_file_31_0) +(typeattribute bpf_progs_loaded_prop_31_0) +(typeattribute bq_config_prop_31_0) +(typeattribute broadcastradio_service_31_0) +(typeattribute bufferhubd_31_0) +(typeattribute bufferhubd_exec_31_0) +(typeattribute bugreport_service_31_0) +(typeattribute build_bootimage_prop_31_0) +(typeattribute build_config_prop_31_0) +(typeattribute build_odm_prop_31_0) +(typeattribute build_prop_31_0) +(typeattribute build_vendor_prop_31_0) +(typeattribute cache_backup_file_31_0) +(typeattribute cache_block_device_31_0) +(typeattribute cache_file_31_0) +(typeattribute cache_private_backup_file_31_0) +(typeattribute cache_recovery_file_31_0) +(typeattribute cacheinfo_service_31_0) +(typeattribute camera2_extensions_prop_31_0) +(typeattribute camera_calibration_prop_31_0) +(typeattribute camera_config_prop_31_0) +(typeattribute camera_data_file_31_0) +(typeattribute camera_device_31_0) +(typeattribute camera_service_server) +(typeattribute cameraproxy_service_31_0) +(typeattribute cameraserver_31_0) +(typeattribute cameraserver_exec_31_0) +(typeattribute cameraserver_service_31_0) +(typeattribute cameraserver_tmpfs_31_0) +(typeattribute 
camerax_extensions_prop_31_0) +(typeattribute cgroup_31_0) +(typeattribute cgroup_desc_api_file_31_0) +(typeattribute cgroup_desc_file_31_0) +(typeattribute cgroup_rc_file_31_0) +(typeattribute cgroup_v2_31_0) +(typeattribute charger_31_0) +(typeattribute charger_config_prop_31_0) +(typeattribute charger_exec_31_0) +(typeattribute charger_prop_31_0) +(typeattribute charger_status_prop_31_0) +(typeattribute clipboard_service_31_0) +(typeattribute codec2_config_prop_31_0) +(typeattribute cold_boot_done_prop_31_0) +(typeattribute color_display_service_31_0) +(typeattribute companion_device_service_31_0) +(typeattribute config_prop_31_0) +(typeattribute configfs_31_0) +(typeattribute connectivity_service_31_0) +(typeattribute connmetrics_service_31_0) +(typeattribute console_device_31_0) +(typeattribute consumer_ir_service_31_0) +(typeattribute content_capture_service_31_0) +(typeattribute content_service_31_0) +(typeattribute content_suggestions_service_31_0) +(typeattribute contexthub_service_31_0) +(typeattribute contextmount_type) +(typeattribute core_data_file_type) +(typeattribute core_property_type) +(typeattribute coredomain) +(typeattribute coredomain_hwservice) +(typeattribute coredomain_socket) +(typeattribute coredump_file_31_0) +(typeattribute country_detector_service_31_0) +(typeattribute coverage_service_31_0) +(typeattribute cppreopt_prop_31_0) +(typeattribute cpu_variant_prop_31_0) +(typeattribute cpuinfo_service_31_0) +(typeattribute crash_dump_31_0) +(typeattribute crash_dump_exec_31_0) +(typeattribute credstore_31_0) +(typeattribute credstore_data_file_31_0) +(typeattribute credstore_exec_31_0) +(typeattribute credstore_service_31_0) +(typeattribute crossprofileapps_service_31_0) +(typeattribute ctl_adbd_prop_31_0) +(typeattribute ctl_apexd_prop_31_0) +(typeattribute ctl_bootanim_prop_31_0) +(typeattribute ctl_bugreport_prop_31_0) +(typeattribute ctl_console_prop_31_0) +(typeattribute ctl_default_prop_31_0) +(typeattribute ctl_dumpstate_prop_31_0) 
+(typeattribute ctl_fuse_prop_31_0) +(typeattribute ctl_gsid_prop_31_0) +(typeattribute ctl_interface_restart_prop_31_0) +(typeattribute ctl_interface_start_prop_31_0) +(typeattribute ctl_interface_stop_prop_31_0) +(typeattribute ctl_mdnsd_prop_31_0) +(typeattribute ctl_restart_prop_31_0) +(typeattribute ctl_rildaemon_prop_31_0) +(typeattribute ctl_sigstop_prop_31_0) +(typeattribute ctl_start_prop_31_0) +(typeattribute ctl_stop_prop_31_0) +(typeattribute dalvik_config_prop_31_0) +(typeattribute dalvik_prop_31_0) +(typeattribute dalvik_runtime_prop_31_0) +(typeattribute dalvikcache_data_file_31_0) +(typeattribute data_between_core_and_vendor_violators) +(typeattribute data_file_type) +(typeattribute dataloader_manager_service_31_0) +(typeattribute dbinfo_service_31_0) +(typeattribute dck_prop_31_0) +(typeattribute debug_prop_31_0) +(typeattribute debugfs_31_0) +(typeattribute debugfs_bootreceiver_tracing_31_0) +(typeattribute debugfs_kprobes_31_0) +(typeattribute debugfs_mm_events_tracing_31_0) +(typeattribute debugfs_mmc_31_0) +(typeattribute debugfs_restriction_prop_31_0) +(typeattribute debugfs_trace_marker_31_0) +(typeattribute debugfs_tracing_31_0) +(typeattribute debugfs_tracing_debug_31_0) +(typeattribute debugfs_tracing_instances_31_0) +(typeattribute debugfs_tracing_printk_formats_31_0) +(typeattribute debugfs_type) +(typeattribute debugfs_wakeup_sources_31_0) +(typeattribute debugfs_wifi_tracing_31_0) +(typeattribute debuggerd_prop_31_0) +(typeattribute default_android_hwservice_31_0) +(typeattribute default_android_service_31_0) +(typeattribute default_android_vndservice_31_0) +(typeattribute default_prop_31_0) +(typeattribute dev_cpu_variant_31_0) +(typeattribute dev_type) +(typeattribute device_31_0) +(typeattribute device_config_activity_manager_native_boot_prop_31_0) +(typeattribute device_config_boot_count_prop_31_0) +(typeattribute device_config_input_native_boot_prop_31_0) +(typeattribute device_config_media_native_prop_31_0) +(typeattribute 
device_config_netd_native_prop_31_0) +(typeattribute device_config_reset_performed_prop_31_0) +(typeattribute device_config_runtime_native_boot_prop_31_0) +(typeattribute device_config_runtime_native_prop_31_0) +(typeattribute device_config_service_31_0) +(typeattribute device_identifiers_service_31_0) +(typeattribute device_logging_prop_31_0) +(typeattribute device_policy_service_31_0) +(typeattribute device_state_service_31_0) +(typeattribute deviceidle_service_31_0) +(typeattribute devicestoragemonitor_service_31_0) +(typeattribute devpts_31_0) +(typeattribute dhcp_31_0) +(typeattribute dhcp_data_file_31_0) +(typeattribute dhcp_exec_31_0) +(typeattribute dhcp_prop_31_0) +(typeattribute diskstats_service_31_0) +(typeattribute display_service_31_0) +(typeattribute display_service_server) +(typeattribute dm_device_31_0) +(typeattribute dm_user_device_31_0) +(typeattribute dmabuf_heap_device_31_0) +(typeattribute dmabuf_heap_device_type) +(typeattribute dmabuf_system_heap_device_31_0) +(typeattribute dmabuf_system_secure_heap_device_31_0) +(typeattribute dnsmasq_31_0) +(typeattribute dnsmasq_exec_31_0) +(typeattribute dnsproxyd_socket_31_0) +(typeattribute dnsresolver_service_31_0) +(typeattribute domain) +(typeattribute domain_verification_service_31_0) +(typeattribute dreams_service_31_0) +(typeattribute drm_data_file_31_0) +(typeattribute drm_service_config_prop_31_0) +(typeattribute drmserver_31_0) +(typeattribute drmserver_exec_31_0) +(typeattribute drmserver_service_31_0) +(typeattribute drmserver_socket_31_0) +(typeattribute dropbox_data_file_31_0) +(typeattribute dropbox_service_31_0) +(typeattribute dumpstate_31_0) +(typeattribute dumpstate_exec_31_0) +(typeattribute dumpstate_options_prop_31_0) +(typeattribute dumpstate_prop_31_0) +(typeattribute dumpstate_service_31_0) +(typeattribute dumpstate_socket_31_0) +(typeattribute dynamic_system_prop_31_0) +(typeattribute e2fs_31_0) +(typeattribute e2fs_exec_31_0) +(typeattribute efs_file_31_0) +(typeattribute 
emergency_affordance_service_31_0) +(typeattribute ephemeral_app_31_0) +(typeattribute ephemeral_app_api_service) +(typeattribute ethernet_service_31_0) +(typeattribute exec_type) +(typeattribute exfat_31_0) +(typeattribute exported3_system_prop_31_0) +(typeattribute exported_bluetooth_prop_31_0) +(typeattribute exported_camera_prop_31_0) +(typeattribute exported_config_prop_31_0) +(typeattribute exported_default_prop_31_0) +(typeattribute exported_dumpstate_prop_31_0) +(typeattribute exported_overlay_prop_31_0) +(typeattribute exported_pm_prop_31_0) +(typeattribute exported_secure_prop_31_0) +(typeattribute exported_system_prop_31_0) +(typeattribute extended_core_property_type) +(typeattribute external_vibrator_service_31_0) +(typeattribute face_service_31_0) +(typeattribute face_vendor_data_file_31_0) +(typeattribute fastbootd_31_0) +(typeattribute ffs_config_prop_31_0) +(typeattribute ffs_control_prop_31_0) +(typeattribute file_contexts_file_31_0) +(typeattribute file_integrity_service_31_0) +(typeattribute file_type) +(typeattribute fingerprint_prop_31_0) +(typeattribute fingerprint_service_31_0) +(typeattribute fingerprint_vendor_data_file_31_0) +(typeattribute fingerprintd_31_0) +(typeattribute fingerprintd_data_file_31_0) +(typeattribute fingerprintd_exec_31_0) +(typeattribute fingerprintd_service_31_0) +(typeattribute firstboot_prop_31_0) +(typeattribute flags_health_check_31_0) +(typeattribute flags_health_check_exec_31_0) +(typeattribute font_service_31_0) +(typeattribute framework_watchdog_config_prop_31_0) +(typeattribute frp_block_device_31_0) +(typeattribute fs_bpf_31_0) +(typeattribute fs_bpf_tethering_31_0) +(typeattribute fs_type) +(typeattribute fsck_31_0) +(typeattribute fsck_exec_31_0) +(typeattribute fsck_untrusted_31_0) +(typeattribute fscklogs_31_0) +(typeattribute functionfs_31_0) +(typeattribute fuse_31_0) +(typeattribute fuse_device_31_0) +(typeattribute fusectlfs_31_0) +(typeattribute fwk_automotive_display_hwservice_31_0) +(typeattribute 
fwk_bufferhub_hwservice_31_0) +(typeattribute fwk_camera_hwservice_31_0) +(typeattribute fwk_display_hwservice_31_0) +(typeattribute fwk_scheduler_hwservice_31_0) +(typeattribute fwk_sensor_hwservice_31_0) +(typeattribute fwk_stats_hwservice_31_0) +(typeattribute fwk_stats_service_31_0) +(typeattribute fwmarkd_socket_31_0) +(typeattribute game_service_31_0) +(typeattribute gatekeeper_data_file_31_0) +(typeattribute gatekeeper_service_31_0) +(typeattribute gatekeeperd_31_0) +(typeattribute gatekeeperd_exec_31_0) +(typeattribute gfxinfo_service_31_0) +(typeattribute gmscore_app_31_0) +(typeattribute gnss_device_31_0) +(typeattribute gnss_time_update_service_31_0) +(typeattribute gps_control_31_0) +(typeattribute gpu_device_31_0) +(typeattribute gpu_service_31_0) +(typeattribute gpuservice_31_0) +(typeattribute graphics_config_prop_31_0) +(typeattribute graphics_device_31_0) +(typeattribute graphicsstats_service_31_0) +(typeattribute gsi_data_file_31_0) +(typeattribute gsi_metadata_file_31_0) +(typeattribute gsi_metadata_file_type) +(typeattribute gsi_public_metadata_file_31_0) +(typeattribute hal_allocator) +(typeattribute hal_allocator_client) +(typeattribute hal_allocator_server) +(typeattribute hal_atrace) +(typeattribute hal_atrace_client) +(typeattribute hal_atrace_hwservice_31_0) +(typeattribute hal_atrace_server) +(typeattribute hal_audio) +(typeattribute hal_audio_client) +(typeattribute hal_audio_hwservice_31_0) +(typeattribute hal_audio_server) +(typeattribute hal_audio_service_31_0) +(typeattribute hal_audiocontrol) +(typeattribute hal_audiocontrol_client) +(typeattribute hal_audiocontrol_hwservice_31_0) +(typeattribute hal_audiocontrol_server) +(typeattribute hal_audiocontrol_service_31_0) +(typeattribute hal_authsecret) +(typeattribute hal_authsecret_client) +(typeattribute hal_authsecret_hwservice_31_0) +(typeattribute hal_authsecret_server) +(typeattribute hal_authsecret_service_31_0) +(typeattribute hal_automotive_socket_exemption) +(typeattribute 
hal_bluetooth) +(typeattribute hal_bluetooth_client) +(typeattribute hal_bluetooth_hwservice_31_0) +(typeattribute hal_bluetooth_server) +(typeattribute hal_bootctl) +(typeattribute hal_bootctl_client) +(typeattribute hal_bootctl_hwservice_31_0) +(typeattribute hal_bootctl_server) +(typeattribute hal_broadcastradio) +(typeattribute hal_broadcastradio_client) +(typeattribute hal_broadcastradio_hwservice_31_0) +(typeattribute hal_broadcastradio_server) +(typeattribute hal_bufferhub) +(typeattribute hal_bufferhub_client) +(typeattribute hal_bufferhub_server) +(typeattribute hal_camera) +(typeattribute hal_camera_client) +(typeattribute hal_camera_hwservice_31_0) +(typeattribute hal_camera_server) +(typeattribute hal_can_bus) +(typeattribute hal_can_bus_client) +(typeattribute hal_can_bus_hwservice_31_0) +(typeattribute hal_can_bus_server) +(typeattribute hal_can_controller) +(typeattribute hal_can_controller_client) +(typeattribute hal_can_controller_hwservice_31_0) +(typeattribute hal_can_controller_server) +(typeattribute hal_cas) +(typeattribute hal_cas_client) +(typeattribute hal_cas_hwservice_31_0) +(typeattribute hal_cas_server) +(typeattribute hal_codec2) +(typeattribute hal_codec2_client) +(typeattribute hal_codec2_hwservice_31_0) +(typeattribute hal_codec2_server) +(typeattribute hal_configstore) +(typeattribute hal_configstore_ISurfaceFlingerConfigs_31_0) +(typeattribute hal_configstore_client) +(typeattribute hal_configstore_server) +(typeattribute hal_confirmationui) +(typeattribute hal_confirmationui_client) +(typeattribute hal_confirmationui_hwservice_31_0) +(typeattribute hal_confirmationui_server) +(typeattribute hal_contexthub) +(typeattribute hal_contexthub_client) +(typeattribute hal_contexthub_hwservice_31_0) +(typeattribute hal_contexthub_server) +(typeattribute hal_drm) +(typeattribute hal_drm_client) +(typeattribute hal_drm_hwservice_31_0) +(typeattribute hal_drm_server) +(typeattribute hal_dumpstate) +(typeattribute hal_dumpstate_client) 
+(typeattribute hal_dumpstate_config_prop_31_0) +(typeattribute hal_dumpstate_hwservice_31_0) +(typeattribute hal_dumpstate_server) +(typeattribute hal_evs) +(typeattribute hal_evs_client) +(typeattribute hal_evs_hwservice_31_0) +(typeattribute hal_evs_server) +(typeattribute hal_face) +(typeattribute hal_face_client) +(typeattribute hal_face_hwservice_31_0) +(typeattribute hal_face_server) +(typeattribute hal_face_service_31_0) +(typeattribute hal_fingerprint) +(typeattribute hal_fingerprint_client) +(typeattribute hal_fingerprint_hwservice_31_0) +(typeattribute hal_fingerprint_server) +(typeattribute hal_fingerprint_service_31_0) +(typeattribute hal_gatekeeper) +(typeattribute hal_gatekeeper_client) +(typeattribute hal_gatekeeper_hwservice_31_0) +(typeattribute hal_gatekeeper_server) +(typeattribute hal_gnss) +(typeattribute hal_gnss_client) +(typeattribute hal_gnss_hwservice_31_0) +(typeattribute hal_gnss_server) +(typeattribute hal_gnss_service_31_0) +(typeattribute hal_graphics_allocator) +(typeattribute hal_graphics_allocator_client) +(typeattribute hal_graphics_allocator_hwservice_31_0) +(typeattribute hal_graphics_allocator_server) +(typeattribute hal_graphics_composer) +(typeattribute hal_graphics_composer_client) +(typeattribute hal_graphics_composer_client_tmpfs) +(typeattribute hal_graphics_composer_hwservice_31_0) +(typeattribute hal_graphics_composer_server) +(typeattribute hal_graphics_composer_server_tmpfs_31_0) +(typeattribute hal_graphics_mapper_hwservice_31_0) +(typeattribute hal_health) +(typeattribute hal_health_client) +(typeattribute hal_health_hwservice_31_0) +(typeattribute hal_health_server) +(typeattribute hal_health_storage) +(typeattribute hal_health_storage_client) +(typeattribute hal_health_storage_hwservice_31_0) +(typeattribute hal_health_storage_server) +(typeattribute hal_health_storage_service_31_0) +(typeattribute hal_identity) +(typeattribute hal_identity_client) +(typeattribute hal_identity_server) +(typeattribute 
hal_identity_service_31_0) +(typeattribute hal_input_classifier) +(typeattribute hal_input_classifier_client) +(typeattribute hal_input_classifier_hwservice_31_0) +(typeattribute hal_input_classifier_server) +(typeattribute hal_instrumentation_prop_31_0) +(typeattribute hal_ir) +(typeattribute hal_ir_client) +(typeattribute hal_ir_hwservice_31_0) +(typeattribute hal_ir_server) +(typeattribute hal_keymaster) +(typeattribute hal_keymaster_client) +(typeattribute hal_keymaster_hwservice_31_0) +(typeattribute hal_keymaster_server) +(typeattribute hal_keymint) +(typeattribute hal_keymint_client) +(typeattribute hal_keymint_server) +(typeattribute hal_keymint_service_31_0) +(typeattribute hal_light) +(typeattribute hal_light_client) +(typeattribute hal_light_hwservice_31_0) +(typeattribute hal_light_server) +(typeattribute hal_light_service_31_0) +(typeattribute hal_lowpan) +(typeattribute hal_lowpan_client) +(typeattribute hal_lowpan_hwservice_31_0) +(typeattribute hal_lowpan_server) +(typeattribute hal_memtrack) +(typeattribute hal_memtrack_client) +(typeattribute hal_memtrack_hwservice_31_0) +(typeattribute hal_memtrack_server) +(typeattribute hal_memtrack_service_31_0) +(typeattribute hal_neuralnetworks) +(typeattribute hal_neuralnetworks_client) +(typeattribute hal_neuralnetworks_hwservice_31_0) +(typeattribute hal_neuralnetworks_server) +(typeattribute hal_neuralnetworks_service_31_0) +(typeattribute hal_nfc) +(typeattribute hal_nfc_client) +(typeattribute hal_nfc_hwservice_31_0) +(typeattribute hal_nfc_server) +(typeattribute hal_oemlock) +(typeattribute hal_oemlock_client) +(typeattribute hal_oemlock_hwservice_31_0) +(typeattribute hal_oemlock_server) +(typeattribute hal_oemlock_service_31_0) +(typeattribute hal_omx) +(typeattribute hal_omx_client) +(typeattribute hal_omx_hwservice_31_0) +(typeattribute hal_omx_server) +(typeattribute hal_power) +(typeattribute hal_power_client) +(typeattribute hal_power_hwservice_31_0) +(typeattribute hal_power_server) 
+(typeattribute hal_power_service_31_0) +(typeattribute hal_power_stats) +(typeattribute hal_power_stats_client) +(typeattribute hal_power_stats_hwservice_31_0) +(typeattribute hal_power_stats_server) +(typeattribute hal_power_stats_service_31_0) +(typeattribute hal_rebootescrow) +(typeattribute hal_rebootescrow_client) +(typeattribute hal_rebootescrow_server) +(typeattribute hal_rebootescrow_service_31_0) +(typeattribute hal_remotelyprovisionedcomponent_service_31_0) +(typeattribute hal_renderscript_hwservice_31_0) +(typeattribute hal_secure_element) +(typeattribute hal_secure_element_client) +(typeattribute hal_secure_element_hwservice_31_0) +(typeattribute hal_secure_element_server) +(typeattribute hal_secureclock_service_31_0) +(typeattribute hal_sensors) +(typeattribute hal_sensors_client) +(typeattribute hal_sensors_hwservice_31_0) +(typeattribute hal_sensors_server) +(typeattribute hal_sharedsecret_service_31_0) +(typeattribute hal_telephony) +(typeattribute hal_telephony_client) +(typeattribute hal_telephony_hwservice_31_0) +(typeattribute hal_telephony_server) +(typeattribute hal_tetheroffload) +(typeattribute hal_tetheroffload_client) +(typeattribute hal_tetheroffload_hwservice_31_0) +(typeattribute hal_tetheroffload_server) +(typeattribute hal_thermal) +(typeattribute hal_thermal_client) +(typeattribute hal_thermal_hwservice_31_0) +(typeattribute hal_thermal_server) +(typeattribute hal_tv_cec) +(typeattribute hal_tv_cec_client) +(typeattribute hal_tv_cec_hwservice_31_0) +(typeattribute hal_tv_cec_server) +(typeattribute hal_tv_input) +(typeattribute hal_tv_input_client) +(typeattribute hal_tv_input_hwservice_31_0) +(typeattribute hal_tv_input_server) +(typeattribute hal_tv_tuner) +(typeattribute hal_tv_tuner_client) +(typeattribute hal_tv_tuner_hwservice_31_0) +(typeattribute hal_tv_tuner_server) +(typeattribute hal_usb) +(typeattribute hal_usb_client) +(typeattribute hal_usb_gadget) +(typeattribute hal_usb_gadget_client) +(typeattribute 
hal_usb_gadget_hwservice_31_0) +(typeattribute hal_usb_gadget_server) +(typeattribute hal_usb_hwservice_31_0) +(typeattribute hal_usb_server) +(typeattribute hal_uwb) +(typeattribute hal_uwb_client) +(typeattribute hal_uwb_server) +(typeattribute hal_vehicle) +(typeattribute hal_vehicle_client) +(typeattribute hal_vehicle_hwservice_31_0) +(typeattribute hal_vehicle_server) +(typeattribute hal_vibrator) +(typeattribute hal_vibrator_client) +(typeattribute hal_vibrator_hwservice_31_0) +(typeattribute hal_vibrator_server) +(typeattribute hal_vibrator_service_31_0) +(typeattribute hal_vr) +(typeattribute hal_vr_client) +(typeattribute hal_vr_hwservice_31_0) +(typeattribute hal_vr_server) +(typeattribute hal_weaver) +(typeattribute hal_weaver_client) +(typeattribute hal_weaver_hwservice_31_0) +(typeattribute hal_weaver_server) +(typeattribute hal_weaver_service_31_0) +(typeattribute hal_wifi) +(typeattribute hal_wifi_client) +(typeattribute hal_wifi_hostapd) +(typeattribute hal_wifi_hostapd_client) +(typeattribute hal_wifi_hostapd_hwservice_31_0) +(typeattribute hal_wifi_hostapd_server) +(typeattribute hal_wifi_hwservice_31_0) +(typeattribute hal_wifi_server) +(typeattribute hal_wifi_supplicant) +(typeattribute hal_wifi_supplicant_client) +(typeattribute hal_wifi_supplicant_hwservice_31_0) +(typeattribute hal_wifi_supplicant_server) +(typeattribute halclientdomain) +(typeattribute halserverdomain) +(typeattribute hardware_properties_service_31_0) +(typeattribute hardware_service_31_0) +(typeattribute hci_attach_dev_31_0) +(typeattribute hdmi_config_prop_31_0) +(typeattribute hdmi_control_service_31_0) +(typeattribute healthd_31_0) +(typeattribute healthd_exec_31_0) +(typeattribute heapdump_data_file_31_0) +(typeattribute heapprofd_31_0) +(typeattribute heapprofd_enabled_prop_31_0) +(typeattribute heapprofd_prop_31_0) +(typeattribute heapprofd_socket_31_0) +(typeattribute hidl_allocator_hwservice_31_0) +(typeattribute hidl_base_hwservice_31_0) +(typeattribute 
hidl_manager_hwservice_31_0) +(typeattribute hidl_memory_hwservice_31_0) +(typeattribute hidl_token_hwservice_31_0) +(typeattribute hint_service_31_0) +(typeattribute hw_random_device_31_0) +(typeattribute hw_timeout_multiplier_prop_31_0) +(typeattribute hwbinder_device_31_0) +(typeattribute hwservice_contexts_file_31_0) +(typeattribute hwservice_manager_type) +(typeattribute hwservicemanager_31_0) +(typeattribute hwservicemanager_exec_31_0) +(typeattribute hwservicemanager_prop_31_0) +(typeattribute icon_file_31_0) +(typeattribute idmap_31_0) +(typeattribute idmap_exec_31_0) +(typeattribute idmap_service_31_0) +(typeattribute iio_device_31_0) +(typeattribute imms_service_31_0) +(typeattribute incident_31_0) +(typeattribute incident_data_file_31_0) +(typeattribute incident_helper_31_0) +(typeattribute incident_service_31_0) +(typeattribute incidentd_31_0) +(typeattribute incremental_control_file_31_0) +(typeattribute incremental_prop_31_0) +(typeattribute incremental_service_31_0) +(typeattribute init_31_0) +(typeattribute init_exec_31_0) +(typeattribute init_service_status_prop_31_0) +(typeattribute init_tmpfs_31_0) +(typeattribute inotify_31_0) +(typeattribute input_device_31_0) +(typeattribute input_method_service_31_0) +(typeattribute input_service_31_0) +(typeattribute inputflinger_31_0) +(typeattribute inputflinger_exec_31_0) +(typeattribute inputflinger_service_31_0) +(typeattribute install_data_file_31_0) +(typeattribute installd_31_0) +(typeattribute installd_exec_31_0) +(typeattribute installd_service_31_0) +(typeattribute ion_device_31_0) +(typeattribute iorap_inode2filename_31_0) +(typeattribute iorap_inode2filename_exec_31_0) +(typeattribute iorap_inode2filename_tmpfs_31_0) +(typeattribute iorap_prefetcherd_31_0) +(typeattribute iorap_prefetcherd_exec_31_0) +(typeattribute iorap_prefetcherd_tmpfs_31_0) +(typeattribute iorapd_31_0) +(typeattribute iorapd_data_file_31_0) +(typeattribute iorapd_exec_31_0) +(typeattribute iorapd_service_31_0) 
+(typeattribute iorapd_tmpfs_31_0) +(typeattribute ipsec_service_31_0) +(typeattribute iris_service_31_0) +(typeattribute iris_vendor_data_file_31_0) +(typeattribute isolated_app_31_0) +(typeattribute jobscheduler_service_31_0) +(typeattribute kernel_31_0) +(typeattribute keychain_data_file_31_0) +(typeattribute keychord_device_31_0) +(typeattribute keyguard_config_prop_31_0) +(typeattribute keystore2_key_contexts_file_31_0) +(typeattribute keystore2_key_type) +(typeattribute keystore_31_0) +(typeattribute keystore_compat_hal_service_31_0) +(typeattribute keystore_data_file_31_0) +(typeattribute keystore_exec_31_0) +(typeattribute keystore_maintenance_service_31_0) +(typeattribute keystore_metrics_service_31_0) +(typeattribute keystore_service_31_0) +(typeattribute kmsg_debug_device_31_0) +(typeattribute kmsg_device_31_0) +(typeattribute labeledfs_31_0) +(typeattribute launcherapps_service_31_0) +(typeattribute legacy_permission_service_31_0) +(typeattribute legacykeystore_service_31_0) +(typeattribute libc_debug_prop_31_0) +(typeattribute light_service_31_0) +(typeattribute linkerconfig_file_31_0) +(typeattribute llkd_31_0) +(typeattribute llkd_exec_31_0) +(typeattribute llkd_prop_31_0) +(typeattribute lmkd_31_0) +(typeattribute lmkd_config_prop_31_0) +(typeattribute lmkd_exec_31_0) +(typeattribute lmkd_prop_31_0) +(typeattribute lmkd_socket_31_0) +(typeattribute location_service_31_0) +(typeattribute location_time_zone_manager_service_31_0) +(typeattribute lock_settings_service_31_0) +(typeattribute log_prop_31_0) +(typeattribute log_property_type) +(typeattribute log_tag_prop_31_0) +(typeattribute logcat_exec_31_0) +(typeattribute logd_31_0) +(typeattribute logd_exec_31_0) +(typeattribute logd_prop_31_0) +(typeattribute logd_socket_31_0) +(typeattribute logdr_socket_31_0) +(typeattribute logdw_socket_31_0) +(typeattribute logpersist_31_0) +(typeattribute logpersistd_logging_prop_31_0) +(typeattribute loop_control_device_31_0) +(typeattribute loop_device_31_0) 
+(typeattribute looper_stats_service_31_0) +(typeattribute lowpan_device_31_0) +(typeattribute lowpan_prop_31_0) +(typeattribute lowpan_service_31_0) +(typeattribute lpdump_service_31_0) +(typeattribute lpdumpd_prop_31_0) +(typeattribute mac_perms_file_31_0) +(typeattribute mdns_socket_31_0) +(typeattribute mdnsd_31_0) +(typeattribute mdnsd_socket_31_0) +(typeattribute media_communication_service_31_0) +(typeattribute media_config_prop_31_0) +(typeattribute media_data_file_31_0) +(typeattribute media_metrics_service_31_0) +(typeattribute media_projection_service_31_0) +(typeattribute media_router_service_31_0) +(typeattribute media_rw_data_file_31_0) +(typeattribute media_session_service_31_0) +(typeattribute media_variant_prop_31_0) +(typeattribute mediadrm_config_prop_31_0) +(typeattribute mediadrmserver_31_0) +(typeattribute mediadrmserver_exec_31_0) +(typeattribute mediadrmserver_service_31_0) +(typeattribute mediaextractor_31_0) +(typeattribute mediaextractor_exec_31_0) +(typeattribute mediaextractor_service_31_0) +(typeattribute mediaextractor_tmpfs_31_0) +(typeattribute mediametrics_31_0) +(typeattribute mediametrics_exec_31_0) +(typeattribute mediametrics_service_31_0) +(typeattribute mediaprovider_31_0) +(typeattribute mediaserver_31_0) +(typeattribute mediaserver_exec_31_0) +(typeattribute mediaserver_service_31_0) +(typeattribute mediaserver_tmpfs_31_0) +(typeattribute mediaswcodec_31_0) +(typeattribute mediaswcodec_exec_31_0) +(typeattribute mediatranscoding_service_31_0) +(typeattribute meminfo_service_31_0) +(typeattribute memtrackproxy_service_31_0) +(typeattribute metadata_block_device_31_0) +(typeattribute metadata_bootstat_file_31_0) +(typeattribute metadata_file_31_0) +(typeattribute method_trace_data_file_31_0) +(typeattribute midi_service_31_0) +(typeattribute mirror_data_file_31_0) +(typeattribute misc_block_device_31_0) +(typeattribute misc_logd_file_31_0) +(typeattribute misc_user_data_file_31_0) +(typeattribute mlstrustedobject) 
+(typeattribute mlstrustedsubject) +(typeattribute mm_events_config_prop_31_0) +(typeattribute mmc_prop_31_0) +(typeattribute mnt_expand_file_31_0) +(typeattribute mnt_media_rw_file_31_0) +(typeattribute mnt_media_rw_stub_file_31_0) +(typeattribute mnt_pass_through_file_31_0) +(typeattribute mnt_product_file_31_0) +(typeattribute mnt_sdcard_file_31_0) +(typeattribute mnt_user_file_31_0) +(typeattribute mnt_vendor_file_31_0) +(typeattribute mock_ota_prop_31_0) +(typeattribute modprobe_31_0) +(typeattribute module_sdkextensions_prop_31_0) +(typeattribute mount_service_31_0) +(typeattribute mqueue_31_0) +(typeattribute mtp_31_0) +(typeattribute mtp_device_31_0) +(typeattribute mtp_exec_31_0) +(typeattribute mtpd_socket_31_0) +(typeattribute music_recognition_service_31_0) +(typeattribute nativetest_data_file_31_0) +(typeattribute net_data_file_31_0) +(typeattribute net_dns_prop_31_0) +(typeattribute net_radio_prop_31_0) +(typeattribute netd_31_0) +(typeattribute netd_exec_31_0) +(typeattribute netd_listener_service_31_0) +(typeattribute netd_service_31_0) +(typeattribute netdomain) +(typeattribute netif_31_0) +(typeattribute netif_type) +(typeattribute netpolicy_service_31_0) +(typeattribute netstats_service_31_0) +(typeattribute netutils_wrapper_31_0) +(typeattribute netutils_wrapper_exec_31_0) +(typeattribute network_management_service_31_0) +(typeattribute network_score_service_31_0) +(typeattribute network_stack_31_0) +(typeattribute network_stack_service_31_0) +(typeattribute network_time_update_service_31_0) +(typeattribute network_watchlist_data_file_31_0) +(typeattribute network_watchlist_service_31_0) +(typeattribute nfc_31_0) +(typeattribute nfc_data_file_31_0) +(typeattribute nfc_device_31_0) +(typeattribute nfc_logs_data_file_31_0) +(typeattribute nfc_prop_31_0) +(typeattribute nfc_service_31_0) +(typeattribute nnapi_ext_deny_product_prop_31_0) +(typeattribute node_31_0) +(typeattribute node_type) +(typeattribute nonplat_service_contexts_file_31_0) 
+(typeattribute notification_service_31_0) +(typeattribute null_device_31_0) +(typeattribute oem_lock_service_31_0) +(typeattribute oem_unlock_prop_31_0) +(typeattribute oemfs_31_0) +(typeattribute ota_data_file_31_0) +(typeattribute ota_metadata_file_31_0) +(typeattribute ota_package_file_31_0) +(typeattribute ota_prop_31_0) +(typeattribute otadexopt_service_31_0) +(typeattribute otapreopt_chroot_31_0) +(typeattribute overlay_prop_31_0) +(typeattribute overlay_service_31_0) +(typeattribute overlayfs_file_31_0) +(typeattribute owntty_device_31_0) +(typeattribute pac_proxy_service_31_0) +(typeattribute package_native_service_31_0) +(typeattribute package_service_31_0) +(typeattribute packagemanager_config_prop_31_0) +(typeattribute packages_list_file_31_0) +(typeattribute pan_result_prop_31_0) +(typeattribute password_slot_metadata_file_31_0) +(typeattribute pdx_bufferhub_client_channel_socket_31_0) +(typeattribute pdx_bufferhub_client_channel_socket_type) +(typeattribute pdx_bufferhub_client_endpoint_dir_type) +(typeattribute pdx_bufferhub_client_endpoint_socket_31_0) +(typeattribute pdx_bufferhub_client_endpoint_socket_type) +(typeattribute pdx_bufferhub_client_server_type) +(typeattribute pdx_bufferhub_dir_31_0) +(typeattribute pdx_channel_socket_type) +(typeattribute pdx_display_client_channel_socket_31_0) +(typeattribute pdx_display_client_channel_socket_type) +(typeattribute pdx_display_client_endpoint_dir_type) +(typeattribute pdx_display_client_endpoint_socket_31_0) +(typeattribute pdx_display_client_endpoint_socket_type) +(typeattribute pdx_display_client_server_type) +(typeattribute pdx_display_dir_31_0) +(typeattribute pdx_display_manager_channel_socket_31_0) +(typeattribute pdx_display_manager_channel_socket_type) +(typeattribute pdx_display_manager_endpoint_dir_type) +(typeattribute pdx_display_manager_endpoint_socket_31_0) +(typeattribute pdx_display_manager_endpoint_socket_type) +(typeattribute pdx_display_manager_server_type) +(typeattribute 
pdx_display_screenshot_channel_socket_31_0) +(typeattribute pdx_display_screenshot_channel_socket_type) +(typeattribute pdx_display_screenshot_endpoint_dir_type) +(typeattribute pdx_display_screenshot_endpoint_socket_31_0) +(typeattribute pdx_display_screenshot_endpoint_socket_type) +(typeattribute pdx_display_screenshot_server_type) +(typeattribute pdx_display_vsync_channel_socket_31_0) +(typeattribute pdx_display_vsync_channel_socket_type) +(typeattribute pdx_display_vsync_endpoint_dir_type) +(typeattribute pdx_display_vsync_endpoint_socket_31_0) +(typeattribute pdx_display_vsync_endpoint_socket_type) +(typeattribute pdx_display_vsync_server_type) +(typeattribute pdx_endpoint_dir_type) +(typeattribute pdx_endpoint_socket_type) +(typeattribute pdx_performance_client_channel_socket_31_0) +(typeattribute pdx_performance_client_channel_socket_type) +(typeattribute pdx_performance_client_endpoint_dir_type) +(typeattribute pdx_performance_client_endpoint_socket_31_0) +(typeattribute pdx_performance_client_endpoint_socket_type) +(typeattribute pdx_performance_client_server_type) +(typeattribute pdx_performance_dir_31_0) +(typeattribute people_service_31_0) +(typeattribute perfetto_31_0) +(typeattribute performanced_31_0) +(typeattribute performanced_exec_31_0) +(typeattribute permission_checker_service_31_0) +(typeattribute permission_service_31_0) +(typeattribute permissionmgr_service_31_0) +(typeattribute persist_debug_prop_31_0) +(typeattribute persist_vendor_debug_wifi_prop_31_0) +(typeattribute persistent_data_block_service_31_0) +(typeattribute persistent_properties_ready_prop_31_0) +(typeattribute pinner_service_31_0) +(typeattribute pipefs_31_0) +(typeattribute platform_app_31_0) +(typeattribute platform_compat_service_31_0) +(typeattribute pmsg_device_31_0) +(typeattribute port_31_0) +(typeattribute port_device_31_0) +(typeattribute port_type) +(typeattribute postinstall_31_0) +(typeattribute postinstall_apex_mnt_dir_31_0) +(typeattribute postinstall_file_31_0) 
+(typeattribute postinstall_mnt_dir_31_0) +(typeattribute power_debug_prop_31_0) +(typeattribute power_service_31_0) +(typeattribute powerctl_prop_31_0) +(typeattribute powerstats_service_31_0) +(typeattribute ppp_31_0) +(typeattribute ppp_device_31_0) +(typeattribute ppp_exec_31_0) +(typeattribute preloads_data_file_31_0) +(typeattribute preloads_media_file_31_0) +(typeattribute prereboot_data_file_31_0) +(typeattribute print_service_31_0) +(typeattribute priv_app_31_0) +(typeattribute privapp_data_file_31_0) +(typeattribute proc_31_0) +(typeattribute proc_abi_31_0) +(typeattribute proc_asound_31_0) +(typeattribute proc_bluetooth_writable_31_0) +(typeattribute proc_bootconfig_31_0) +(typeattribute proc_buddyinfo_31_0) +(typeattribute proc_cmdline_31_0) +(typeattribute proc_cpuinfo_31_0) +(typeattribute proc_dirty_31_0) +(typeattribute proc_diskstats_31_0) +(typeattribute proc_drop_caches_31_0) +(typeattribute proc_extra_free_kbytes_31_0) +(typeattribute proc_filesystems_31_0) +(typeattribute proc_fs_verity_31_0) +(typeattribute proc_hostname_31_0) +(typeattribute proc_hung_task_31_0) +(typeattribute proc_interrupts_31_0) +(typeattribute proc_iomem_31_0) +(typeattribute proc_kallsyms_31_0) +(typeattribute proc_keys_31_0) +(typeattribute proc_kmsg_31_0) +(typeattribute proc_kpageflags_31_0) +(typeattribute proc_loadavg_31_0) +(typeattribute proc_locks_31_0) +(typeattribute proc_lowmemorykiller_31_0) +(typeattribute proc_max_map_count_31_0) +(typeattribute proc_meminfo_31_0) +(typeattribute proc_min_free_order_shift_31_0) +(typeattribute proc_misc_31_0) +(typeattribute proc_modules_31_0) +(typeattribute proc_mounts_31_0) +(typeattribute proc_net_31_0) +(typeattribute proc_net_tcp_udp_31_0) +(typeattribute proc_net_type) +(typeattribute proc_overcommit_memory_31_0) +(typeattribute proc_page_cluster_31_0) +(typeattribute proc_pagetypeinfo_31_0) +(typeattribute proc_panic_31_0) +(typeattribute proc_perf_31_0) +(typeattribute proc_pid_max_31_0) +(typeattribute 
proc_pipe_conf_31_0) +(typeattribute proc_pressure_cpu_31_0) +(typeattribute proc_pressure_io_31_0) +(typeattribute proc_pressure_mem_31_0) +(typeattribute proc_qtaguid_ctrl_31_0) +(typeattribute proc_qtaguid_stat_31_0) +(typeattribute proc_random_31_0) +(typeattribute proc_sched_31_0) +(typeattribute proc_security_31_0) +(typeattribute proc_slabinfo_31_0) +(typeattribute proc_stat_31_0) +(typeattribute proc_swaps_31_0) +(typeattribute proc_sysrq_31_0) +(typeattribute proc_timer_31_0) +(typeattribute proc_tty_drivers_31_0) +(typeattribute proc_type) +(typeattribute proc_uid_concurrent_active_time_31_0) +(typeattribute proc_uid_concurrent_policy_time_31_0) +(typeattribute proc_uid_cpupower_31_0) +(typeattribute proc_uid_cputime_removeuid_31_0) +(typeattribute proc_uid_cputime_showstat_31_0) +(typeattribute proc_uid_io_stats_31_0) +(typeattribute proc_uid_procstat_set_31_0) +(typeattribute proc_uid_time_in_state_31_0) +(typeattribute proc_uptime_31_0) +(typeattribute proc_vendor_sched_31_0) +(typeattribute proc_version_31_0) +(typeattribute proc_vmallocinfo_31_0) +(typeattribute proc_vmstat_31_0) +(typeattribute proc_zoneinfo_31_0) +(typeattribute processinfo_service_31_0) +(typeattribute procstats_service_31_0) +(typeattribute profman_31_0) +(typeattribute profman_dump_data_file_31_0) +(typeattribute profman_exec_31_0) +(typeattribute properties_device_31_0) +(typeattribute properties_serial_31_0) +(typeattribute property_contexts_file_31_0) +(typeattribute property_data_file_31_0) +(typeattribute property_info_31_0) +(typeattribute property_service_version_prop_31_0) +(typeattribute property_socket_31_0) +(typeattribute property_type) +(typeattribute protected_hwservice) +(typeattribute protected_service) +(typeattribute provisioned_prop_31_0) +(typeattribute pstorefs_31_0) +(typeattribute ptmx_device_31_0) +(typeattribute qemu_hw_prop_31_0) +(typeattribute qemu_sf_lcd_density_prop_31_0) +(typeattribute qtaguid_device_31_0) +(typeattribute racoon_31_0) 
+(typeattribute racoon_exec_31_0) +(typeattribute racoon_socket_31_0) +(typeattribute radio_31_0) +(typeattribute radio_control_prop_31_0) +(typeattribute radio_core_data_file_31_0) +(typeattribute radio_data_file_31_0) +(typeattribute radio_device_31_0) +(typeattribute radio_prop_31_0) +(typeattribute radio_service_31_0) +(typeattribute ram_device_31_0) +(typeattribute random_device_31_0) +(typeattribute reboot_readiness_service_31_0) +(typeattribute rebootescrow_hal_prop_31_0) +(typeattribute recovery_31_0) +(typeattribute recovery_block_device_31_0) +(typeattribute recovery_config_prop_31_0) +(typeattribute recovery_data_file_31_0) +(typeattribute recovery_persist_31_0) +(typeattribute recovery_persist_exec_31_0) +(typeattribute recovery_refresh_31_0) +(typeattribute recovery_refresh_exec_31_0) +(typeattribute recovery_service_31_0) +(typeattribute recovery_socket_31_0) +(typeattribute registry_service_31_0) +(typeattribute remoteprovisioning_service_31_0) +(typeattribute resourcecache_data_file_31_0) +(typeattribute restorecon_prop_31_0) +(typeattribute restrictions_service_31_0) +(typeattribute retaildemo_prop_31_0) +(typeattribute rild_debug_socket_31_0) +(typeattribute rild_socket_31_0) +(typeattribute ringtone_file_31_0) +(typeattribute role_service_31_0) +(typeattribute rollback_service_31_0) +(typeattribute root_block_device_31_0) +(typeattribute rootfs_31_0) +(typeattribute rpmsg_device_31_0) +(typeattribute rs_31_0) +(typeattribute rs_exec_31_0) +(typeattribute rss_hwm_reset_31_0) +(typeattribute rtc_device_31_0) +(typeattribute rttmanager_service_31_0) +(typeattribute runas_31_0) +(typeattribute runas_app_31_0) +(typeattribute runas_exec_31_0) +(typeattribute runtime_event_log_tags_file_31_0) +(typeattribute runtime_service_31_0) +(typeattribute safemode_prop_31_0) +(typeattribute same_process_hal_file_31_0) +(typeattribute same_process_hwservice) +(typeattribute samplingprofiler_service_31_0) +(typeattribute scheduler_service_server) +(typeattribute 
scheduling_policy_service_31_0) +(typeattribute sdcard_block_device_31_0) +(typeattribute sdcard_type) +(typeattribute sdcardd_31_0) +(typeattribute sdcardd_exec_31_0) +(typeattribute sdcardfs_31_0) +(typeattribute seapp_contexts_file_31_0) +(typeattribute search_service_31_0) +(typeattribute search_ui_service_31_0) +(typeattribute sec_key_att_app_id_provider_service_31_0) +(typeattribute secure_element_31_0) +(typeattribute secure_element_device_31_0) +(typeattribute secure_element_service_31_0) +(typeattribute securityfs_31_0) +(typeattribute selinuxfs_31_0) +(typeattribute sendbug_config_prop_31_0) +(typeattribute sensor_privacy_service_31_0) +(typeattribute sensor_service_server) +(typeattribute sensors_device_31_0) +(typeattribute sensorservice_service_31_0) +(typeattribute sepolicy_file_31_0) +(typeattribute serial_device_31_0) +(typeattribute serial_service_31_0) +(typeattribute serialno_prop_31_0) +(typeattribute server_configurable_flags_data_file_31_0) +(typeattribute service_contexts_file_31_0) +(typeattribute service_manager_service_31_0) +(typeattribute service_manager_type) +(typeattribute service_manager_vndservice_31_0) +(typeattribute servicediscovery_service_31_0) +(typeattribute servicemanager_31_0) +(typeattribute servicemanager_exec_31_0) +(typeattribute settings_service_31_0) +(typeattribute sgdisk_31_0) +(typeattribute sgdisk_exec_31_0) +(typeattribute shared_relro_31_0) +(typeattribute shared_relro_file_31_0) +(typeattribute shell_31_0) +(typeattribute shell_data_file_31_0) +(typeattribute shell_exec_31_0) +(typeattribute shell_prop_31_0) +(typeattribute shell_test_data_file_31_0) +(typeattribute shm_31_0) +(typeattribute shortcut_manager_icons_31_0) +(typeattribute shortcut_service_31_0) +(typeattribute simpleperf_31_0) +(typeattribute simpleperf_app_runner_31_0) +(typeattribute simpleperf_app_runner_exec_31_0) +(typeattribute slice_service_31_0) +(typeattribute slideshow_31_0) +(typeattribute smartspace_service_31_0) +(typeattribute 
snapshotctl_log_data_file_31_0) +(typeattribute snapuserd_socket_31_0) +(typeattribute soc_prop_31_0) +(typeattribute socket_between_core_and_vendor_violators) +(typeattribute socket_device_31_0) +(typeattribute socket_hook_prop_31_0) +(typeattribute sockfs_31_0) +(typeattribute sota_prop_31_0) +(typeattribute soundtrigger_middleware_service_31_0) +(typeattribute speech_recognition_service_31_0) +(typeattribute sqlite_log_prop_31_0) +(typeattribute staged_install_file_31_0) +(typeattribute staging_data_file_31_0) +(typeattribute stats_data_file_31_0) +(typeattribute stats_service_server) +(typeattribute statsd_31_0) +(typeattribute statsd_exec_31_0) +(typeattribute statsdw_socket_31_0) +(typeattribute statusbar_service_31_0) +(typeattribute storage_config_prop_31_0) +(typeattribute storage_file_31_0) +(typeattribute storage_stub_file_31_0) +(typeattribute storaged_service_31_0) +(typeattribute storagemanager_config_prop_31_0) +(typeattribute storagestats_service_31_0) +(typeattribute su_31_0) +(typeattribute su_exec_31_0) +(typeattribute super_block_device_31_0) +(typeattribute super_block_device_type) +(typeattribute surfaceflinger_31_0) +(typeattribute surfaceflinger_color_prop_31_0) +(typeattribute surfaceflinger_display_prop_31_0) +(typeattribute surfaceflinger_prop_31_0) +(typeattribute surfaceflinger_service_31_0) +(typeattribute surfaceflinger_tmpfs_31_0) +(typeattribute suspend_prop_31_0) +(typeattribute swap_block_device_31_0) +(typeattribute sysfs_31_0) +(typeattribute sysfs_android_usb_31_0) +(typeattribute sysfs_batteryinfo_31_0) +(typeattribute sysfs_block_31_0) +(typeattribute sysfs_block_type) +(typeattribute sysfs_bluetooth_writable_31_0) +(typeattribute sysfs_devfreq_cur_31_0) +(typeattribute sysfs_devfreq_dir_31_0) +(typeattribute sysfs_devices_block_31_0) +(typeattribute sysfs_devices_cs_etm_31_0) +(typeattribute sysfs_devices_system_cpu_31_0) +(typeattribute sysfs_dm_31_0) +(typeattribute sysfs_dm_verity_31_0) +(typeattribute 
sysfs_dma_heap_31_0) +(typeattribute sysfs_dmabuf_stats_31_0) +(typeattribute sysfs_dt_firmware_android_31_0) +(typeattribute sysfs_extcon_31_0) +(typeattribute sysfs_fs_ext4_features_31_0) +(typeattribute sysfs_fs_f2fs_31_0) +(typeattribute sysfs_fs_incfs_features_31_0) +(typeattribute sysfs_fs_incfs_metrics_31_0) +(typeattribute sysfs_hwrandom_31_0) +(typeattribute sysfs_ion_31_0) +(typeattribute sysfs_ipv4_31_0) +(typeattribute sysfs_kernel_notes_31_0) +(typeattribute sysfs_leds_31_0) +(typeattribute sysfs_loop_31_0) +(typeattribute sysfs_lowmemorykiller_31_0) +(typeattribute sysfs_net_31_0) +(typeattribute sysfs_nfc_power_writable_31_0) +(typeattribute sysfs_power_31_0) +(typeattribute sysfs_rtc_31_0) +(typeattribute sysfs_suspend_stats_31_0) +(typeattribute sysfs_switch_31_0) +(typeattribute sysfs_thermal_31_0) +(typeattribute sysfs_transparent_hugepage_31_0) +(typeattribute sysfs_type) +(typeattribute sysfs_uhid_31_0) +(typeattribute sysfs_uio_31_0) +(typeattribute sysfs_usb_31_0) +(typeattribute sysfs_usermodehelper_31_0) +(typeattribute sysfs_vendor_sched_31_0) +(typeattribute sysfs_vibrator_31_0) +(typeattribute sysfs_wake_lock_31_0) +(typeattribute sysfs_wakeup_31_0) +(typeattribute sysfs_wakeup_reasons_31_0) +(typeattribute sysfs_wlan_fwpath_31_0) +(typeattribute sysfs_zram_31_0) +(typeattribute sysfs_zram_uevent_31_0) +(typeattribute system_api_service) +(typeattribute system_app_31_0) +(typeattribute system_app_data_file_31_0) +(typeattribute system_app_service_31_0) +(typeattribute system_asan_options_file_31_0) +(typeattribute system_block_device_31_0) +(typeattribute system_boot_reason_prop_31_0) +(typeattribute system_bootstrap_lib_file_31_0) +(typeattribute system_config_service_31_0) +(typeattribute system_data_file_31_0) +(typeattribute system_data_root_file_31_0) +(typeattribute system_event_log_tags_file_31_0) +(typeattribute system_executes_vendor_violators) +(typeattribute system_file_31_0) +(typeattribute system_file_type) +(typeattribute 
system_group_file_31_0) +(typeattribute system_internal_property_type) +(typeattribute system_jvmti_agent_prop_31_0) +(typeattribute system_lib_file_31_0) +(typeattribute system_linker_config_file_31_0) +(typeattribute system_linker_exec_31_0) +(typeattribute system_lmk_prop_31_0) +(typeattribute system_ndebug_socket_31_0) +(typeattribute system_net_netd_hwservice_31_0) +(typeattribute system_passwd_file_31_0) +(typeattribute system_prop_31_0) +(typeattribute system_property_type) +(typeattribute system_public_property_type) +(typeattribute system_restricted_property_type) +(typeattribute system_seccomp_policy_file_31_0) +(typeattribute system_security_cacerts_file_31_0) +(typeattribute system_server_31_0) +(typeattribute system_server_dumper_service_31_0) +(typeattribute system_server_service) +(typeattribute system_server_tmpfs_31_0) +(typeattribute system_suspend_control_internal_service_31_0) +(typeattribute system_suspend_control_service_31_0) +(typeattribute system_suspend_hwservice_31_0) +(typeattribute system_suspend_internal_server) +(typeattribute system_suspend_server) +(typeattribute system_trace_prop_31_0) +(typeattribute system_unsolzygote_socket_31_0) +(typeattribute system_update_service_31_0) +(typeattribute system_wifi_keystore_hwservice_31_0) +(typeattribute system_wpa_socket_31_0) +(typeattribute system_writes_mnt_vendor_violators) +(typeattribute system_writes_vendor_properties_violators) +(typeattribute system_zoneinfo_file_31_0) +(typeattribute systemkeys_data_file_31_0) +(typeattribute systemsound_config_prop_31_0) +(typeattribute task_profiles_api_file_31_0) +(typeattribute task_profiles_file_31_0) +(typeattribute task_service_31_0) +(typeattribute tcpdump_exec_31_0) +(typeattribute tee_31_0) +(typeattribute tee_data_file_31_0) +(typeattribute tee_device_31_0) +(typeattribute telecom_service_31_0) +(typeattribute telephony_config_prop_31_0) +(typeattribute telephony_status_prop_31_0) +(typeattribute test_boot_reason_prop_31_0) 
+(typeattribute test_harness_prop_31_0) +(typeattribute testharness_service_31_0) +(typeattribute tethering_service_31_0) +(typeattribute textclassification_service_31_0) +(typeattribute textclassifier_data_file_31_0) +(typeattribute textservices_service_31_0) +(typeattribute texttospeech_service_31_0) +(typeattribute theme_prop_31_0) +(typeattribute thermal_service_31_0) +(typeattribute time_prop_31_0) +(typeattribute timedetector_service_31_0) +(typeattribute timezone_service_31_0) +(typeattribute timezonedetector_service_31_0) +(typeattribute tmpfs_31_0) +(typeattribute tombstone_config_prop_31_0) +(typeattribute tombstone_data_file_31_0) +(typeattribute tombstone_wifi_data_file_31_0) +(typeattribute tombstoned_31_0) +(typeattribute tombstoned_crash_socket_31_0) +(typeattribute tombstoned_exec_31_0) +(typeattribute tombstoned_intercept_socket_31_0) +(typeattribute tombstoned_java_trace_socket_31_0) +(typeattribute toolbox_31_0) +(typeattribute toolbox_exec_31_0) +(typeattribute trace_data_file_31_0) +(typeattribute traced_31_0) +(typeattribute traced_consumer_socket_31_0) +(typeattribute traced_enabled_prop_31_0) +(typeattribute traced_lazy_prop_31_0) +(typeattribute traced_perf_31_0) +(typeattribute traced_perf_socket_31_0) +(typeattribute traced_probes_31_0) +(typeattribute traced_producer_socket_31_0) +(typeattribute traced_tmpfs_31_0) +(typeattribute tracefs_type) +(typeattribute traceur_app_31_0) +(typeattribute translation_service_31_0) +(typeattribute trust_service_31_0) +(typeattribute tty_device_31_0) +(typeattribute tun_device_31_0) +(typeattribute tv_input_service_31_0) +(typeattribute tv_tuner_resource_mgr_service_31_0) +(typeattribute tzdatacheck_31_0) +(typeattribute tzdatacheck_exec_31_0) +(typeattribute ueventd_31_0) +(typeattribute ueventd_tmpfs_31_0) +(typeattribute uhid_device_31_0) +(typeattribute uimode_service_31_0) +(typeattribute uio_device_31_0) +(typeattribute uncrypt_31_0) +(typeattribute uncrypt_exec_31_0) +(typeattribute 
uncrypt_socket_31_0) +(typeattribute unencrypted_data_file_31_0) +(typeattribute unlabeled_31_0) +(typeattribute untrusted_app_25_31_0) +(typeattribute untrusted_app_27_31_0) +(typeattribute untrusted_app_29_31_0) +(typeattribute untrusted_app_31_0) +(typeattribute untrusted_app_all) +(typeattribute untrusted_app_visible_halserver_violators) +(typeattribute untrusted_app_visible_hwservice_violators) +(typeattribute update_engine_31_0) +(typeattribute update_engine_common) +(typeattribute update_engine_data_file_31_0) +(typeattribute update_engine_exec_31_0) +(typeattribute update_engine_log_data_file_31_0) +(typeattribute update_engine_service_31_0) +(typeattribute update_engine_stable_service_31_0) +(typeattribute update_verifier_31_0) +(typeattribute update_verifier_exec_31_0) +(typeattribute updatelock_service_31_0) +(typeattribute uri_grants_service_31_0) +(typeattribute usagestats_service_31_0) +(typeattribute usb_config_prop_31_0) +(typeattribute usb_control_prop_31_0) +(typeattribute usb_device_31_0) +(typeattribute usb_prop_31_0) +(typeattribute usb_serial_device_31_0) +(typeattribute usb_service_31_0) +(typeattribute usbaccessory_device_31_0) +(typeattribute usbd_31_0) +(typeattribute usbd_exec_31_0) +(typeattribute usbfs_31_0) +(typeattribute use_memfd_prop_31_0) +(typeattribute user_profile_data_file_31_0) +(typeattribute user_profile_root_file_31_0) +(typeattribute user_service_31_0) +(typeattribute userdata_block_device_31_0) +(typeattribute userdata_sysdev_31_0) +(typeattribute usermodehelper_31_0) +(typeattribute userspace_reboot_config_prop_31_0) +(typeattribute userspace_reboot_exported_prop_31_0) +(typeattribute userspace_reboot_metadata_file_31_0) +(typeattribute uwb_service_31_0) +(typeattribute vcn_management_service_31_0) +(typeattribute vd_device_31_0) +(typeattribute vdc_31_0) +(typeattribute vdc_exec_31_0) +(typeattribute vehicle_hal_prop_31_0) +(typeattribute vendor_apex_file_31_0) +(typeattribute vendor_app_file_31_0) +(typeattribute 
vendor_cgroup_desc_file_31_0) +(typeattribute vendor_configs_file_31_0) +(typeattribute vendor_data_file_31_0) +(typeattribute vendor_default_prop_31_0) +(typeattribute vendor_executes_system_violators) +(typeattribute vendor_file_31_0) +(typeattribute vendor_file_type) +(typeattribute vendor_framework_file_31_0) +(typeattribute vendor_hal_file_31_0) +(typeattribute vendor_hwservice_type) +(typeattribute vendor_idc_file_31_0) +(typeattribute vendor_init_31_0) +(typeattribute vendor_internal_property_type) +(typeattribute vendor_kernel_modules_31_0) +(typeattribute vendor_keychars_file_31_0) +(typeattribute vendor_keylayout_file_31_0) +(typeattribute vendor_misc_writer_31_0) +(typeattribute vendor_misc_writer_exec_31_0) +(typeattribute vendor_modprobe_31_0) +(typeattribute vendor_overlay_file_31_0) +(typeattribute vendor_property_type) +(typeattribute vendor_public_framework_file_31_0) +(typeattribute vendor_public_lib_file_31_0) +(typeattribute vendor_public_property_type) +(typeattribute vendor_restricted_property_type) +(typeattribute vendor_security_patch_level_prop_31_0) +(typeattribute vendor_service) +(typeattribute vendor_service_contexts_file_31_0) +(typeattribute vendor_shell_31_0) +(typeattribute vendor_shell_exec_31_0) +(typeattribute vendor_socket_hook_prop_31_0) +(typeattribute vendor_task_profiles_file_31_0) +(typeattribute vendor_toolbox_exec_31_0) +(typeattribute vfat_31_0) +(typeattribute vibrator_manager_service_31_0) +(typeattribute vibrator_service_31_0) +(typeattribute video_device_31_0) +(typeattribute virtual_ab_prop_31_0) +(typeattribute virtual_touchpad_31_0) +(typeattribute virtual_touchpad_exec_31_0) +(typeattribute virtual_touchpad_service_31_0) +(typeattribute virtualization_service_31_0) +(typeattribute vndbinder_device_31_0) +(typeattribute vndk_prop_31_0) +(typeattribute vndk_sp_file_31_0) +(typeattribute vndservice_contexts_file_31_0) +(typeattribute vndservice_manager_type) +(typeattribute vndservicemanager_31_0) +(typeattribute 
voiceinteraction_service_31_0) +(typeattribute vold_31_0) +(typeattribute vold_config_prop_31_0) +(typeattribute vold_data_file_31_0) +(typeattribute vold_device_31_0) +(typeattribute vold_exec_31_0) +(typeattribute vold_metadata_file_31_0) +(typeattribute vold_post_fs_data_prop_31_0) +(typeattribute vold_prepare_subdirs_31_0) +(typeattribute vold_prepare_subdirs_exec_31_0) +(typeattribute vold_prop_31_0) +(typeattribute vold_service_31_0) +(typeattribute vold_status_prop_31_0) +(typeattribute vpn_data_file_31_0) +(typeattribute vpn_management_service_31_0) +(typeattribute vr_hwc_31_0) +(typeattribute vr_hwc_exec_31_0) +(typeattribute vr_hwc_service_31_0) +(typeattribute vr_manager_service_31_0) +(typeattribute vrflinger_vsync_service_31_0) +(typeattribute vts_config_prop_31_0) +(typeattribute vts_status_prop_31_0) +(typeattribute wallpaper_file_31_0) +(typeattribute wallpaper_service_31_0) +(typeattribute watchdog_device_31_0) +(typeattribute watchdog_metadata_file_31_0) +(typeattribute watchdogd_31_0) +(typeattribute watchdogd_exec_31_0) +(typeattribute webview_zygote_31_0) +(typeattribute webview_zygote_exec_31_0) +(typeattribute webview_zygote_tmpfs_31_0) +(typeattribute webviewupdate_service_31_0) +(typeattribute wifi_config_prop_31_0) +(typeattribute wifi_data_file_31_0) +(typeattribute wifi_hal_prop_31_0) +(typeattribute wifi_key_31_0) +(typeattribute wifi_keystore_service_server) +(typeattribute wifi_log_prop_31_0) +(typeattribute wifi_prop_31_0) +(typeattribute wifi_service_31_0) +(typeattribute wifiaware_service_31_0) +(typeattribute wificond_31_0) +(typeattribute wificond_exec_31_0) +(typeattribute wifinl80211_service_31_0) +(typeattribute wifip2p_service_31_0) +(typeattribute wifiscanner_service_31_0) +(typeattribute window_service_31_0) +(typeattribute wpa_socket_31_0) +(typeattribute wpantund_31_0) +(typeattribute wpantund_exec_31_0) +(typeattribute wpantund_service_31_0) +(typeattribute zero_device_31_0) +(typeattribute zoneinfo_data_file_31_0) 
+(typeattribute zram_config_prop_31_0) +(typeattribute zram_control_prop_31_0) +(typeattribute zygote_31_0) +(typeattribute zygote_config_prop_31_0) +(typeattribute zygote_exec_31_0) +(typeattribute zygote_socket_31_0) +(typeattribute zygote_tmpfs_31_0) diff --git a/prebuilts/api/31.0/private/adbd.te b/prebuilts/api/31.0/private/adbd.te index c2c6164d0..42739957e 100644 --- a/prebuilts/api/31.0/private/adbd.te +++ b/prebuilts/api/31.0/private/adbd.te @@ -169,6 +169,9 @@ allow adbd sepolicy_file:file r_file_perms; # Allow pulling config.gz for CTS purposes allow adbd config_gz:file r_file_perms; +# For CTS listening ports test. +allow adbd proc_net_tcp_udp:file r_file_perms; + allow adbd gpu_service:service_manager find; allow adbd surfaceflinger_service:service_manager find; allow adbd bootchart_data_file:dir search; diff --git a/prebuilts/api/31.0/vendor_sepolicy.cil b/prebuilts/api/31.0/vendor_sepolicy.cil new file mode 100644 index 000000000..4a3aac3a7 --- /dev/null +++ b/prebuilts/api/31.0/vendor_sepolicy.cil @@ -0,0 +1 @@ +;; empty stub diff --git a/prebuilts/api/32.0/private/access_vectors b/prebuilts/api/32.0/private/access_vectors new file mode 100644 index 000000000..7496c65ca --- /dev/null +++ b/prebuilts/api/32.0/private/access_vectors 
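Review bot: The added `allow adbd proc_net_tcp_udp:file r_file_perms;` is unconditional, so adbd itself — not only the shell domain it transitions to — can read files labelled `proc_net_tcp_udp` (the `/proc/net/{tcp,udp}*` socket tables) on user builds whenever debugging is enabled, and the comment `# For CTS listening ports test.` does not say why adbd rather than shell needs it or why the rule is not wrapped in `userdebug_or_eng()`. If the test reads these files through `adb shell`, the access presumably belongs in the shell domain instead; if adbd must read them directly (CTS has to pass on user builds, which would rule out gating), record that in the comment, e.g. `# CTS ListeningPortsTest reads /proc/net/{tcp,udp}* via adbd; ungated because CTS must pass on user builds.`. Note also that this edits the frozen prebuilts/api/31.0 snapshot, and the shared blob hash 42739957e in the headers shows the new prebuilts/api/32.0/private/adbd.te is the same file, so the live private/adbd.te presumably needs the identical rule for the prebuilt-freeze comparison to stay consistent — that file is not in this chunk, so it cannot be confirmed here.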
@@ -0,0 +1,779 @@ +# +# Define common prefixes for access vectors +# +# common common_name { permission_name ... } + + +# +# Define a common prefix for file access vectors. +# + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map + unlink + link + rename + execute + quotaon + mounton + audit_access + open + execmod + watch + watch_mount + watch_sb + watch_with_perm + watch_reads +} + + +# +# Define a common prefix for socket access vectors. +# + +common socket +{ +# inherited from file + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map +# socket-specific + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + name_bind +} + +# +# Define a common prefix for ipc access vectors. +# + +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} + +# +# Define a common for capability access vectors. +# +common cap +{ + # The capabilities are defined in include/linux/capability.h + # Capabilities >= 32 are defined in the cap2 common. + # Care should be taken to ensure that these are consistent with + # those definitions. (Order matters) + + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control + setfcap +} + +common cap2 +{ + mac_override # unused by SELinux + mac_admin + syslog + wake_alarm + block_suspend + audit_read + perfmon +} + +# +# Define the access vectors. +# +# class class_name [ inherits common_name ] { permission_name ... } + + +# +# Define the access vector interpretation for file-related objects. 
+# + +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + associate + quotamod + quotaget + watch +} + +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir +} + +class file +inherits file +{ + execute_no_trans + entrypoint +} + +class anon_inode +inherits file + +class lnk_file +inherits file + +class chr_file +inherits file +{ + execute_no_trans + entrypoint +} + +class blk_file +inherits file + +class sock_file +inherits file + +class fifo_file +inherits file + +class fd +{ + use +} + + +# +# Define the access vector interpretation for network-related objects. +# + +class socket +inherits socket + +class tcp_socket +inherits socket +{ + node_bind + name_connect +} + +class udp_socket +inherits socket +{ + node_bind +} + +class rawip_socket +inherits socket +{ + node_bind +} + +class node +{ + recvfrom + sendto +} + +class netif +{ + ingress + egress +} + +class netlink_socket +inherits socket + +class packet_socket +inherits socket + +class key_socket +inherits socket + +class unix_stream_socket +inherits socket +{ + connectto +} + +class unix_dgram_socket +inherits socket + +# +# Define the access vector interpretation for process-related objects +# + +class process +{ + fork + transition + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share + getattr + setexec + setfscreate + noatsecure + siginh + setrlimit + rlimitinh + dyntransition + setcurrent + execmem + execstack + execheap + setkeycreate + setsockcreate + getrlimit +} + +class process2 +{ + nnp_transition + nosuid_transition +} + +# +# Define the access vector interpretation for ipc-related objects +# + +class ipc +inherits ipc + +class sem +inherits ipc + +class msgq +inherits ipc +{ + enqueue +} + +class msg +{ + send + 
receive +} + +class shm +inherits ipc +{ + lock +} + + +# +# Define the access vector interpretation for the security server. +# + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce # was avc_toggle in system class + setbool + setsecparam + setcheckreqprot + read_policy + validate_trans +} + + +# +# Define the access vector interpretation for system operations. +# + +class system +{ + ipc_info + syslog_read + syslog_mod + syslog_console + module_request + module_load +} + +# +# Define the access vector interpretation for controlling capabilities +# + +class capability +inherits cap + +class capability2 +inherits cap2 + +# +# Extended Netlink classes +# +class netlink_route_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_readpriv +} + +class netlink_tcpdiag_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_nflog_socket +inherits socket + +class netlink_xfrm_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_selinux_socket +inherits socket + +class netlink_audit_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_relay + nlmsg_readpriv + nlmsg_tty_audit +} + +class netlink_dnrt_socket +inherits socket + +# Define the access vector interpretation for controlling +# access to IPSec network data by association +# +class association +{ + sendto + recvfrom + setcontext + polmatch +} + +# Updated Netlink class for KOBJECT_UEVENT family. 
+class netlink_kobject_uevent_socket +inherits socket + +class appletalk_socket +inherits socket + +class packet +{ + send + recv + relabelto + forward_in + forward_out +} + +class key +{ + view + read + write + search + link + setattr + create +} + +class dccp_socket +inherits socket +{ + node_bind + name_connect +} + +class memprotect +{ + mmap_zero +} + +# network peer labels +class peer +{ + recv +} + +class kernel_service +{ + use_as_override + create_files_as +} + +class tun_socket +inherits socket +{ + attach_queue +} + +class binder +{ + impersonate + call + set_context_mgr + transfer +} + +class netlink_iscsi_socket +inherits socket + +class netlink_fib_lookup_socket +inherits socket + +class netlink_connector_socket +inherits socket + +class netlink_netfilter_socket +inherits socket + +class netlink_generic_socket +inherits socket + +class netlink_scsitransport_socket +inherits socket + +class netlink_rdma_socket +inherits socket + +class netlink_crypto_socket +inherits socket + +class infiniband_pkey +{ + access +} + +class infiniband_endport +{ + manage_subnet +} + +# +# Define the access vector interpretation for controlling capabilities +# in user namespaces +# + +class cap_userns +inherits cap + +class cap2_userns +inherits cap2 + + +# +# Define the access vector interpretation for the new socket classes +# enabled by the extended_socket_class policy capability. +# + +# +# The next two classes were previously mapped to rawip_socket and therefore +# have the same definition as rawip_socket (until further permissions +# are defined). +# +class sctp_socket +inherits socket +{ + node_bind + name_connect + association +} + +class icmp_socket +inherits socket +{ + node_bind +} + +# +# The remaining network socket classes were previously +# mapped to the socket class and therefore have the +# same definition as socket. 
+# + +class ax25_socket +inherits socket + +class ipx_socket +inherits socket + +class netrom_socket +inherits socket + +class atmpvc_socket +inherits socket + +class x25_socket +inherits socket + +class rose_socket +inherits socket + +class decnet_socket +inherits socket + +class atmsvc_socket +inherits socket + +class rds_socket +inherits socket + +class irda_socket +inherits socket + +class pppox_socket +inherits socket + +class llc_socket +inherits socket + +class can_socket +inherits socket + +class tipc_socket +inherits socket + +class bluetooth_socket +inherits socket + +class iucv_socket +inherits socket + +class rxrpc_socket +inherits socket + +class isdn_socket +inherits socket + +class phonet_socket +inherits socket + +class ieee802154_socket +inherits socket + +class caif_socket +inherits socket + +class alg_socket +inherits socket + +class nfc_socket +inherits socket + +class vsock_socket +inherits socket + +class kcm_socket +inherits socket + +class qipcrtr_socket +inherits socket + +class smc_socket +inherits socket + +class bpf +{ + map_create + map_read + map_write + prog_load + prog_run +} + +class property_service +{ + set +} + +class service_manager +{ + add + find + list +} + +class hwservice_manager +{ + add + find + list +} + +class keystore_key +{ + get_state + get + insert + delete + exist + list + reset + password + lock + unlock + is_empty + sign + verify + grant + duplicate + clear_uid + add_auth + user_changed + gen_unique_id +} + +class keystore2 +{ + add_auth + change_password + change_user + clear_ns + clear_uid + early_boot_ended + get_auth_token + get_state + list + lock + pull_metrics + report_off_body + reset + unlock + delete_all_keys +} + +class keystore2_key +{ + convert_storage_key_to_ephemeral + delete + gen_unique_id + get_info + grant + manage_blob + rebind + req_forced_op + update + use + use_dev_id +} + +class drmservice { + consumeRights + setPlaybackStatus + openDecryptSession + closeDecryptSession + 
initializeDecryptUnit + decrypt + finalizeDecryptUnit + pread +} + +class xdp_socket +inherits socket + +class perf_event +{ + open + cpu + kernel + tracepoint + read + write +} + +class lockdown +{ + integrity + confidentiality +} diff --git a/prebuilts/api/32.0/private/adbd.te b/prebuilts/api/32.0/private/adbd.te new file mode 100644 index 000000000..42739957e --- /dev/null +++ b/prebuilts/api/32.0/private/adbd.te 
@@ -0,0 +1,234 @@
+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# When 'adb shell' is executed in recovery mode, adbd explicitly
+# switches into shell domain using setcon() because the shell executable
+# is not labeled as shell but as rootfs.
+recovery_only(`
+ domain_trans(adbd, rootfs, shell)
+ allow adbd shell:process dyntransition;
+
+ # Allows reboot fastboot to enter fastboot directly
+ unix_socket_connect(adbd, recovery, recovery)
+')
+
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:global_capability_class_set { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:global_capability_class_set setpcap;
+
+# ignore spurious denials for adbd when disk space is low.
+dontaudit adbd self:global_capability_class_set sys_resource;
+
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+allowxperm adbd functionfs:file ioctl {
+ FUNCTIONFS_ENDPOINT_DESC
+ FUNCTIONFS_CLEAR_HALT
+};
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+get_prop(adbd, ffs_config_prop)
+set_prop(adbd, ffs_control_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
+
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Read whether or not Test Harness Mode is enabled
+get_prop(adbd, test_harness_prop)
+
+# Read persist.adb.tls_server.enable property
+get_prop(adbd, system_adbd_prop)
+
+# Read device's overlayfs related properties and files
+userdebug_or_eng(`
+ get_prop(adbd, persistent_properties_ready_prop)
+ r_dir_file(adbd, sysfs_dt_firmware_android)
+')
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+binder_call(adbd, gpuservice)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Write debugging information to /data/adb
+ # when persist.adb.trace_mask is set
+ # https://code.google.com/p/android/issues/detail?id=72895
+ allow adbd adb_data_file:dir rw_dir_perms;
+ allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
+
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
+allow adbd gpu_service:service_manager find;
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+# Allow killing child "perfetto" binary processes, which auto-transition to
+# their own domain. Allows propagating termination of "adb shell perfetto ..."
+# invocations.
+allow adbd perfetto:process signal;
+
+# Allow to pull Perfetto traces.
+allow adbd perfetto_traces_data_file:file r_file_perms;
+allow adbd perfetto_traces_data_file:dir r_dir_perms;
+
+# Allow to push and manage configs in /data/misc/perfetto-configs.
+allow adbd perfetto_configs_data_file:dir rw_dir_perms;
+allow adbd perfetto_configs_data_file:file create_file_perms;
+
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write shutdown };
+allow adbd shell:fd use;
+
+# Allow pull /vendor/apex files for CTS tests
+allow adbd vendor_apex_file:dir search;
+allow adbd vendor_apex_file:file r_file_perms;
+
+# Allow adb pull of updated apex files in /data/apex/active.
+allow adbd apex_data_file:dir search;
+allow adbd staging_data_file:file r_file_perms;
+
+# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
+allow adbd apex_info_file:file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/prebuilts/api/32.0/private/aidl_lazy_test_server.te b/prebuilts/api/32.0/private/aidl_lazy_test_server.te
new file mode 100644
index 000000000..33efde06b
--- /dev/null
+++ b/prebuilts/api/32.0/private/aidl_lazy_test_server.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ typeattribute aidl_lazy_test_server coredomain;
+
+ init_daemon_domain(aidl_lazy_test_server)
+')
diff --git a/prebuilts/api/32.0/private/apex_test_prepostinstall.te b/prebuilts/api/32.0/private/apex_test_prepostinstall.te
new file mode 100644
index 000000000..f1bc2145e
--- /dev/null
+++ b/prebuilts/api/32.0/private/apex_test_prepostinstall.te
@@ -0,0 +1,20 @@
+# APEX pre- & post-install test.
+#
+# Allow to run pre- and post-install hooks for APEX test modules
+# in debuggable builds.
+
+type apex_test_prepostinstall, domain, coredomain;
+type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # /dev/zero
+ allow apex_test_prepostinstall apexd:fd use;
+ # Logwrapper.
+ create_pty(apex_test_prepostinstall)
+ # Logwrapper executing sh.
+ allow apex_test_prepostinstall shell_exec:file rx_file_perms;
+ # Logwrapper exec.
+ allow apex_test_prepostinstall system_file:file execute_no_trans;
+ # Ls.
+ allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
+')
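Review bot: `allow adbd system_file:file r_file_perms;` under the ndk-gdb comment is already covered by the earlier `allow adbd system_file:file rx_file_perms;` (the `# Run /system/bin/bu` rule) and by `r_dir_file(adbd, system_file)`, so that line is redundant and could be dropped. This file sits under prebuilts/api/32.0, which looks like a frozen copy of private/adbd.te; if it is compared against the current policy by a freeze check, the cleanup has to land in the live policy first and be copied here rather than edited in place, and the same caveat applies to the other prebuilts/api/32.0 hunks in this commit (apexd.te, app.te, app_neverallows.te). A one-line header such as `# Frozen API 32.0 snapshot of private/adbd.te; keep in sync with the live policy.` would make that explicit for later readers.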
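Review bot: `type apex_test_prepostinstall, domain, coredomain;` and its `_exec` type are declared unconditionally while every rule in the file sits inside `userdebug_or_eng`, so on user builds the domain exists with no allow rules; a comment saying this is intentional (presumably so the label referenced elsewhere resolves on all builds while the domain stays inert on user) would save the next reader from wondering whether the `type` lines should move inside the macro. The `# /dev/zero` comment on `allow apex_test_prepostinstall apexd:fd use;` is too terse to explain the fd use; something like `# Use fds (e.g. /dev/zero) inherited from apexd.` reads better.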
diff --git a/prebuilts/api/32.0/private/apexd.te b/prebuilts/api/32.0/private/apexd.te
new file mode 100644
index 000000000..09799bd0a
--- /dev/null
+++ b/prebuilts/api/32.0/private/apexd.te
@@ -0,0 +1,216 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
+allow apexd apex_data_file:dir create_dir_perms;
+allow apexd apex_data_file:file create_file_perms;
+# Allow relabeling file created in /data/apex/decompressed
+allow apexd apex_data_file:file relabelfrom;
+
+# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
+allow apexd metadata_file:dir search;
+allow apexd apex_metadata_file:dir create_dir_perms;
+allow apexd apex_metadata_file:file create_file_perms;
+
+# Allow reserving space on /data/apex/ota_reserved for apex decompression
+allow apexd apex_ota_reserved_file:dir create_dir_perms;
+allow apexd apex_ota_reserved_file:file create_file_perms;
+
+# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
+allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_art_data_file:file { create_file_perms relabelto };
+allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_permission_data_file:file { create_file_perms relabelto };
+allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
+allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
+allow apexd apex_rollback_data_file:dir create_dir_perms;
+allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
+allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
+
+# Allow apexd to read directories under /data/misc_de in order to snapshot and
+# restore apex data for all users.
+allow apexd system_data_file:dir r_dir_perms;
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+ LOOP_CONFIGURE
+};
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
+
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+# dac_override, chown, and fowner are needed for snapshot and restore
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
+
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for apexd to operate.
+dontaudit apexd self:global_capability_class_set fsetid;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
+allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
+# allow apexd to unlink apex files in /data/apex/active
+# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
+# because it doesn't have write permission for staging_data_file object.
+allow apexd staging_data_file:file unlink;
+
+# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
+# # Allow relabeling file created in /data/apex/decompressed
+allow apexd staging_data_file:file relabelto;
+
+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
+# Configure read-ahead of dm-verity and loop devices
+# for dm-X
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+# for loopX
+allow apexd sysfs_loop:dir r_dir_perms;
+allow apexd sysfs_loop:file rw_file_perms;
+
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
+# Find the vold service, and call into vold to manage FS checkpoints
+allow apexd vold_service:service_manager find;
+binder_call(apexd, vold)
+
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Unshare and make / private so that hooks cannot influence the
+# running system.
+allow apexd rootfs:dir mounton;
+
+# Allow to execute shell for pre- and postinstall scripts. A transition
+# rule is required, thus restricted to execute and not execute_no_trans.
+allow apexd shell_exec:file { r_file_perms execute };
+
+# apexd is using bootstrap bionic
+allow apexd system_bootstrap_lib_file:dir r_dir_perms;
+allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+
+# Allow transition to test APEX preinstall domain.
+userdebug_or_eng(`
+ domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
+')
+
+# Allow transition to GKI update pre/post install domain
+domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
+
+# Allow apexd to be invoked with logwrapper from init during userspace reboot.
+allow apexd devpts:chr_file { read write };
+
+# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
+# other processes
+create_pty(apexd)
+
+# Allow apexd to read file contexts when performing restorecon of snapshots.
+allow apexd file_contexts_file:file r_file_perms;
+
+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
+# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
+allowxperm apexd staging_data_file:file ioctl {
+ FS_IOC_GETFLAGS
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+};
+
+# Allow apexd to read ro.cold_boot_done prop.
+# apexd uses it to decide whether it needs to keep retrying polling for loop device.
+get_prop(apexd, cold_boot_done_prop)
+
+# Allow apexd to read per-device configuration properties.
+get_prop(apexd, apexd_config_prop)
+
+neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
+neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
+neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
+
+# only apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+neverallow { domain -apexd -init } apexd_prop:property_service set;
+
+# only apexd can write apex-info-list.xml
+neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+
+# Allow for use in postinstall
+allow apexd otapreopt_chroot:fd use;
+allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
+allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
+allow apexd proc_filesystems:file r_file_perms;
diff --git a/prebuilts/api/32.0/private/app.te b/prebuilts/api/32.0/private/app.te
new file mode 100644
index 000000000..30c76d330
--- /dev/null
+++ b/prebuilts/api/32.0/private/app.te
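Review bot: The comment `# # Allow relabeling file created in /data/apex/decompressed` above `allow apexd staging_data_file:file relabelto;` has a doubled `# #` prefix; the same sentence appears earlier with a single `#` on the matching `relabelfrom` rule, so the two read as a pair and `# Allow relabeling file created in /data/apex/decompressed` should be used here as well. The otapreopt_chroot note before the `apex_mnt_dir` neverallows has two typos, `postainstall` and `otapreoprt`, which should read `postinstall` and `otapreopt`. Since this file is a prebuilts/api/32.0 snapshot, both fixes belong in the live private/apexd.te and should be propagated here.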
@@ -0,0 +1,106 @@
+# Allow apps to read the Test Harness Mode property. This property is used in
+# the implementation of ActivityManager.isDeviceInTestHarnessMode()
+get_prop(appdomain, test_harness_prop)
+
+get_prop(appdomain, boot_status_prop)
+get_prop(appdomain, dalvik_config_prop)
+get_prop(appdomain, media_config_prop)
+get_prop(appdomain, packagemanager_config_prop)
+get_prop(appdomain, radio_control_prop)
+get_prop(appdomain, surfaceflinger_color_prop)
+get_prop(appdomain, systemsound_config_prop)
+get_prop(appdomain, telephony_config_prop)
+get_prop(appdomain, userspace_reboot_config_prop)
+get_prop(appdomain, vold_config_prop)
+get_prop(appdomain, adbd_config_prop)
+get_prop(appdomain, dck_prop)
+
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process)
+get_prop(appdomain, device_config_runtime_native_prop)
+get_prop(appdomain, device_config_runtime_native_boot_prop)
+
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+# Apps should not be reading vendor-defined properties.
+dontaudit appdomain vendor_default_prop:file read;
+
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow appdomain mnt_media_rw_file:dir search;
+
+neverallow appdomain system_server:udp_socket {
+ accept append bind create ioctl listen lock name_bind
+ relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump to allow for app crash reporting.
+# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
+# to allow renderscript to create privileged executable files.
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+ { domain -appdomain -crash_dump -rs }:process { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+ { domain -appdomain }:process { dyntransition };
+
+# Don't allow regular apps access to storage configuration properties.
+neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
+# Allow to read sendbug.preferred.domain
+get_prop(appdomain, sendbug_config_prop)
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
+
+# Allow to read persist.config.calibration_fac
+get_prop(appdomain, camera_calibration_prop)
+
+# Allow to read db.log.detailed, db.log.slow_query_threshold*
+get_prop(appdomain, sqlite_log_prop)
+
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
+# Enter /data/misc/apexdata/
+allow appdomain apex_module_data_file:dir search;
+# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
+allow appdomain apex_art_data_file:dir r_dir_perms;
+allow appdomain apex_art_data_file:file rx_file_perms;
+
+# Allow access to tombstones if an fd to one is given to you.
+# This is restricted by unix permissions, so an app must go through system_server to get one.
+allow appdomain tombstone_data_file:file { getattr read };
+neverallow appdomain tombstone_data_file:file ~{ getattr read };
+
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
diff --git a/prebuilts/api/32.0/private/app_neverallows.te b/prebuilts/api/32.0/private/app_neverallows.te
new file mode 100644
index 000000000..c7fa4e8c5
--- /dev/null
+++ b/prebuilts/api/32.0/private/app_neverallows.te
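Review bot: `neverallow appdomain system_server:udp_socket { accept append bind create ioctl listen lock name_bind relabelfrom relabelto setattr shutdown };` is the only neverallow in this hunk with no comment stating what it guards, while every other rule around it has one. The hunk does not say why, so the intent should be confirmed before wording it; if the purpose is to limit apps to read/write on UDP sockets handed to them by system_server, a line such as `# Apps may use UDP sockets passed from system_server only for I/O; never (re)bind, listen on, or relabel them.` above the rule would document it.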
@@ -0,0 +1,245 @@
+###
+### neverallow rules for untrusted app domains
+###
+
+define(`all_untrusted_apps',`{
+ ephemeral_app
+ isolated_app
+ mediaprovider
+ mediaprovider_app
+ untrusted_app
+ untrusted_app_25
+ untrusted_app_27
+ untrusted_app_29
+ untrusted_app_all
+}')
+# Receive or send uevent messages.
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow all_untrusted_apps domain:netlink_socket *;
+
+# Read or write kernel printk buffer
+neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow all_untrusted_apps service_manager_type:service_manager add;
+
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
+# Do not allow untrusted apps to connect to the property service
+# or set properties. b/10243159
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;
+
+# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
+
+# Shared libraries created by trusted components within an app home
+# directory can be dlopen()ed. To maintain the W^X property, these files
+# must never be writable to the app.
+neverallow all_untrusted_apps app_exec_data_file:file
+ { append create link relabelfrom relabelto rename setattr write };
+
+# Block calling execve() on files in an apps home directory.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -runas_app
+} { app_data_file privapp_data_file }:file execute_no_trans;
+
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
+# Do not allow untrusted apps to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and an untrusted app is allowed fork permission to itself.
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
+
+# Do not allow untrusted apps to hard link to any files.
+# In particular, if an untrusted app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted apps never have this
+# capability.
+neverallow all_untrusted_apps file_type:file link;
+
+# Do not allow untrusted apps to access network MAC address file
+neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
+
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+
+# Apps may never access the default sysfs label.
+neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
+
+# Disallow sending RTM_GETLINK messages on netlink sockets.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+} domain:netlink_route_socket { bind nlmsg_readpriv };
+
+# Do not allow untrusted apps access to /cache
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow { all_untrusted_apps -mediaprovider } {
+ fs_type
+ -sdcard_type
+ file_type
+ -app_data_file # The apps sandbox itself
+ -privapp_data_file
+ -app_exec_data_file # stored within the app sandbox directory
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
+ userdebug_or_eng(`
+ -method_trace_data_file # only on ro.debuggable=1
+ -coredump_file # userdebug/eng only
+ ')
+}:dir_file_class_set { create unlink };
+
+# No untrusted component except mediaprovider_app should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
+
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
+# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow all_untrusted_apps {
+ proc
+ proc_asound
+ proc_kmsg
+ proc_loadavg
+ proc_mounts
+ proc_pagetypeinfo
+ proc_slabinfo
+ proc_stat
+ proc_swaps
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file { no_rw_file_perms no_x_file_perms };
+
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to the protected services
+# The two main reasons for this are:
+# 1. Protected HwBinder servers do not perform client authentication because
+# vendor code does not have a way to understand apps or their relation to
+# caller UID information and, even if it did, those services either operate
+# at a level below that of apps (e.g., HALs) or must not rely on app identity
+# for authorization. Thus, to be safe, the default assumption for all added
+# vendor services is that they treat all their clients as equally authorized
+# to perform operations offered by the service.
+# 2. HAL servers contain code with higher incidence rate of security issues
+# than system/core components and have access to lower layes of the stack
+# (all the way down to hardware) thus increasing opportunities for bypassing
+# the Android security model.
+neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
+neverallow all_untrusted_apps protected_service:service_manager find;
+
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
+
+# Untrusted apps are not allowed to use cgroups.
+neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
+
+# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
+# must not use it.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} mnt_sdcard_file:lnk_file *;
+
+# Only privileged apps may find the incident service
+neverallow all_untrusted_apps incident_service:service_manager find;
diff --git a/prebuilts/api/32.0/private/app_zygote.te b/prebuilts/api/32.0/private/app_zygote.te
new file mode 100644
index 000000000..004c10844
--- /dev/null
+++ b/prebuilts/api/32.0/private/app_zygote.te
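Review bot: `neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };` writes the exclusion as `- mediaprovider_app` with a space, unlike every other set difference in this file (`-mediaprovider_app`, `-untrusted_app_25`, ...); the policy evidently compiles either way, but it should read `{ all_untrusted_apps -mediaprovider_app }` so the rule is consistent and greppable. Two comment typos: `artfacts` in the media_rw_data_file exclusion of the create/unlink rule, and `lower layes of the stack` in the protected-service rationale, should read `artifacts` and `lower layers`. As with the other prebuilts/api/32.0 files in this commit, these edits belong in the live policy first and then get copied here.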
@@ -0,0 +1,174 @@
+typeattribute app_zygote coredomain;
+
+######
+###### Policy below is different from regular zygote-spawned apps
+######
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(app_zygote);
+
+# Set the UID/GID of the process.
+# This will be further limited to a range of isolated UIDs with seccomp.
+allow app_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow app_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to isolated app domain.
+allow app_zygote self:process setcurrent;
+allow app_zygote isolated_app:process dyntransition;
+
+# For JIT
+allow app_zygote self:process execmem;
+
+# Allow app_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow app_zygote debugfs_trace_marker:file getattr;
+
+# get system_server process group
+allow app_zygote system_server:process getpgid;
+
+# Interaction between the app_zygote and its children.
+allow app_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+dontaudit app_zygote mnt_expand_file:dir getattr;
+
+# Get seapp_contexts
+allow app_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(app_zygote)
+# Check SELinux permissions.
+selinux_check_access(app_zygote)
+
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
+######
+###### Policy below is shared with regular zygote-spawned apps
+######
+
+# Child of zygote.
+allow app_zygote zygote:fd use;
+allow app_zygote zygote:process sigchld;
+
+# For ART (read /data/dalvik-cache).
+r_dir_file(app_zygote, dalvikcache_data_file);
+allow app_zygote dalvikcache_data_file:file execute;
+
+# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
+allow app_zygote apex_module_data_file:dir search;
+# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
+r_dir_file(app_zygote, apex_art_data_file)
+
+# Allow reading/executing installed binaries to enable preloading
+# application data
+allow app_zygote apk_data_file:dir r_dir_perms;
+allow app_zygote apk_data_file:file { r_file_perms execute };
+
+# /oem accesses.
+allow app_zygote oemfs:dir search;
+
+# Allow app_zygote access to /vendor/overlay
+r_dir_file(app_zygote, vendor_overlay_file)
+
+allow app_zygote system_data_file:lnk_file r_file_perms;
+allow app_zygote system_data_file:file { getattr read map };
+
+# Send unsolicited message to system_server
+unix_socket_send(app_zygote, system_unsolzygote, system_server)
+
+# Allow the app_zygote to access the runtime feature flag properties.
+get_prop(app_zygote, device_config_runtime_native_prop)
+get_prop(app_zygote, device_config_runtime_native_boot_prop)
+
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow app_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow app_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow app_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# app_zygote child.
+neverallow { domain -zygote } app_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow app_zygote property_socket:sock_file write;
+neverallow app_zygote property_type:property_service set;
+
+# Should not have any access to data files.
+neverallow app_zygote app_data_file_type:file { rwx_file_perms };
+
+neverallow app_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps should not be able to access the driver directly.
+neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow app_zygote access to /cache.
+neverallow app_zygote cache_file:dir ~{ r_dir_perms };
+neverallow app_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow app_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+} *;
+
+# Only allow app_zygote to talk to the logd socket, and
+# su/heapprofd/traced_perf on eng/userdebug. This is because
+# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Think twice before changing.
+neverallow app_zygote {
+ domain
+ -app_zygote
+ -logd
+ -system_server
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+}:unix_dgram_socket *;
+
+neverallow app_zygote {
+ domain
+ -app_zygote
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+}:unix_stream_socket *;
+
+# Never allow ptrace
+neverallow app_zygote *:process ptrace;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow app_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/32.0/private/asan_extract.te b/prebuilts/api/32.0/private/asan_extract.te
new file mode 100644
index 000000000..69bcd5010
--- /dev/null
+++ b/prebuilts/api/32.0/private/asan_extract.te
@@ -0,0 +1,11 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+ typeattribute asan_extract coredomain;
+ init_daemon_domain(asan_extract)
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
+')
diff --git a/prebuilts/api/32.0/private/atrace.te b/prebuilts/api/32.0/private/atrace.te
new file mode 100644
index 000000000..d9e351c49
--- /dev/null
+++ b/prebuilts/api/32.0/private/atrace.te
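Review bot: The comment `# neverallow rules for Bluetooth-related data files are listed above.` on the last neverallow of app_zygote.te refers to rules that do not exist anywhere in this file: the only data-file neverallow above is `neverallow app_zygote app_data_file_type:file { rwx_file_perms };`, which says nothing about Bluetooth, so the pointer is stale and should be dropped or changed to `# See the app_data_file_type neverallow above for data files.`. In the same spirit, `# Should not have any access to data files.` overstates the rule beneath it, which only constrains the `file` class with `rwx_file_perms` and leaves `dir` and non-regular classes unconstrained; either narrow the comment to `# Should not read, write or execute app data files.` or, if directory access is also unwanted (not decidable from this hunk), extend the rule. If prebuilts/api/32.0 is a frozen copy of the live policy, the edit belongs in private/app_zygote.te first.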
@@ -0,0 +1,80 @@
+# Domain for atrace process.
+# It is spawned either by traced_probes or by init for the boottrace service.
+
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+
+# Allow atrace to access tracefs.
+allow atrace debugfs_tracing:dir r_dir_perms;
+allow atrace debugfs_tracing:file rw_file_perms;
+allow atrace debugfs_trace_marker:file getattr;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr
+# This is used by Perfetto to capture the output on error in atrace.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file write;
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup with a
+# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
+
+# Allow discovery of binder services.
+allow atrace {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -dumpstate_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
+ -default_android_service
+}:service_manager { find };
+allow atrace servicemanager:service_manager list;
+
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+ # List HAL interfaces.
+ allow atrace hwservicemanager:hwservice_manager list;
+ # Notify the camera HAL.
+ hal_client_domain(atrace, hal_camera)
+ hal_client_domain(atrace, hal_vibrator)
+')
+
+# Remove logspam from notification attempts to non-allowlisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
+userdebug_or_eng(`
+ # atrace is generally invoked as a standalone binary from shell or perf
+ # daemons like Perfetto traced_probes. However, in userdebug builds, there is
+ # a further option to run atrace as an init daemon for boot tracing.
+ init_daemon_domain(atrace)
+
+ allow atrace debugfs_tracing_debug:dir r_dir_perms;
+ allow atrace debugfs_tracing_debug:file rw_file_perms;
+')
diff --git a/prebuilts/api/32.0/private/attributes b/prebuilts/api/32.0/private/attributes
new file mode 100644
index 000000000..991bac1d6
--- /dev/null
+++ b/prebuilts/api/32.0/private/attributes
@@ -0,0 +1,12 @@
+hal_attribute(lazy_test);
+
+# This is applied to apps on vendor images with SDK <=30 only,
+# to exempt them from recent mls changes. It must not be applied
+# to any domain on newer system or vendor image.
+attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;
+expandattribute system_and_vendor_property_type false;
diff --git a/prebuilts/api/32.0/private/audioserver.te b/prebuilts/api/32.0/private/audioserver.te
new file mode 100644
index 000000000..2d0b46d7f
--- /dev/null
+++ b/prebuilts/api/32.0/private/audioserver.te
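Review bot: The service-discovery rule in atrace.te (`allow atrace { service_manager_type -apex_service ... }:service_manager { find };`) is a denylist over the whole `service_manager_type` attribute, so any service type added to the policy later is findable by atrace unless its author remembers to extend this exclusion list, and nothing in the file says so; the one-line comment `# Allow discovery of binder services.` reads as if it were an allowlist. I would make the default-open shape explicit right above the rule: `# NOTE: denylist over service_manager_type - a new service type is findable by atrace unless it is excluded here.`. The excluded set is a reasonable snapshot of privileged services, but I cannot tell from this hunk whether it is complete for 32.0. If prebuilts/api/32.0 must stay identical to the live policy, the comment goes into private/atrace.te first.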
@@ -0,0 +1,104 @@
+# audioserver - audio services daemon
+
+typeattribute audioserver coredomain;
+
+type audioserver_exec, exec_type, file_type, system_file_type;
+init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
+hal_client_domain(audioserver, hal_audio)
+
+userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
+')
+
+add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver external_vibrator_service:service_manager find;
+allow audioserver package_native_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver permission_checker_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
+allow audioserver soundtrigger_middleware_service:service_manager find;
+
+# Allow read/write access to bluetooth-specific properties
+set_prop(audioserver, bluetooth_a2dp_offload_prop)
+set_prop(audioserver, bluetooth_audio_hal_prop)
+set_prop(audioserver, bluetooth_prop)
+set_prop(audioserver, exported_bluetooth_prop)
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
+not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+# Allow shell commands from ADB and shell for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+allow audioserver shell:fifo_file { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow audioserver su:fd use;
+ allow audioserver su:fifo_file { read write };
+ allow audioserver su:unix_stream_socket { read write };
+')
+
+# Allow write access to log tag property
+set_prop(audioserver, log_tag_prop);
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow using wake locks
+wakelock_use(audioserver)
+
+# Allow reading audio config props, e.g. af.fast_track_multiplier
+get_prop(audioserver, audio_config_prop)
diff --git a/prebuilts/api/32.0/private/auditctl.te b/prebuilts/api/32.0/private/auditctl.te
new file mode 100644
index 000000000..f634d3d1d
--- /dev/null
+++ b/prebuilts/api/32.0/private/auditctl.te
@@ -0,0 +1,18 @@
+#
+# /system/bin/auditctl executed for logd
+#
+# Performs maintenance of the kernel auditing system, including
+# setting rate limits on SELinux denials.
+#
+
+type auditctl, domain, coredomain;
+type auditctl_exec, file_type, system_file_type, exec_type;
+
+# Uncomment the line below to put this domain into permissive
+# mode. This helps speed SELinux policy development.
+# userdebug_or_eng(`permissive auditctl;')
+
+init_daemon_domain(auditctl)
+
+allow auditctl self:global_capability_class_set audit_control;
+allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
diff --git a/prebuilts/api/32.0/private/automotive_display_service.te b/prebuilts/api/32.0/private/automotive_display_service.te
new file mode 100644
index 000000000..d757a52e7
--- /dev/null
+++ b/prebuilts/api/32.0/private/automotive_display_service.te
@@ -0,0 +1,38 @@
+# Display proxy service for Automotive
+type automotive_display_service, domain, coredomain;
+type automotive_display_service_exec, system_file_type, exec_type, file_type;
+
+typeattribute automotive_display_service automotive_display_service_server;
+
+# Allow to add a display service to the manager
+add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
+
+# Allow init to launch automotive display service
+init_daemon_domain(automotive_display_service)
+
+# Allow to use Binder IPC for SurfaceFlinger.
+binder_use(automotive_display_service)
+
+# Allow to use HwBinder IPC for HAL implementations.
+hwbinder_use(automotive_display_service)
+hal_client_domain(automotive_display_service, hal_graphics_composer)
+hal_client_domain(automotive_display_service, hal_graphics_allocator)
+
+# Allow to read the target property.
+get_prop(automotive_display_service, hwservicemanager_prop)
+
+# Allow to find SurfaceFlinger.
+allow automotive_display_service surfaceflinger_service:service_manager find;
+
+# Allow client domain to do binder IPC to serverdomain.
+binder_call(automotive_display_service, surfaceflinger)
+
+# Allow to use a graphics mapper
+allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# Allow to use hidl token service
+allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
+
+# Allow to access EGL files
+allow automotive_display_service gpu_device:chr_file rw_file_perms;
+allow automotive_display_service gpu_device:dir search;
diff --git a/prebuilts/api/32.0/private/binderservicedomain.te b/prebuilts/api/32.0/private/binderservicedomain.te
new file mode 100644
index 000000000..7275954b2
--- /dev/null
+++ b/prebuilts/api/32.0/private/binderservicedomain.te
@@ -0,0 +1,24 @@
+# Rules common to all binder service domains
+
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell or the serial console
+allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
+
+# Receive and write to a pipe received over Binder from an app.
+allow binderservicedomain appdomain:fd use;
+allow binderservicedomain appdomain:fifo_file write;
+
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
+
+use_keystore(binderservicedomain)
diff --git a/prebuilts/api/32.0/private/blank_screen.te b/prebuilts/api/32.0/private/blank_screen.te
new file mode 100644
index 000000000..20d50cc57
--- /dev/null
+++ b/prebuilts/api/32.0/private/blank_screen.te
@@ -0,0 +1,7 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(blank_screen)
+
+# hal_light_client has access to hal_light_server
+hal_client_domain(blank_screen, hal_light)
diff --git a/prebuilts/api/32.0/private/blkid.te b/prebuilts/api/32.0/private/blkid.te
new file mode 100644
index 000000000..4e972ab95
--- /dev/null
+++ b/prebuilts/api/32.0/private/blkid.te
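Review bot: The three keystore rules at the end of binderservicedomain.te (`keystore_key { get_state get insert delete exist list sign verify }`, `keystore2 { get_state }`, `keystore2_key { delete get_info rebind use }`) are the only allows in this file without a why-comment, and they hand key creation, signing and deletion rights to every domain carrying the `binderservicedomain` attribute. Since the attribute is applied from other files, a reader of this hunk cannot see how wide that set is, so the rationale should be stated here, e.g. `# Every binder service may create, use and delete keystore keys; isolation between services is presumably enforced by keystore per calling UID, not by this policy - confirm.`. Whether `insert`/`delete` are needed by all binder services rather than a subset is not decidable from this hunk. If prebuilts/api/32.0 is a frozen copy, the comment goes into private/binderservicedomain.te first.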
@@ -0,0 +1,22 @@
+# blkid called from vold
+
+typeattribute blkid coredomain;
+
+type blkid_exec, system_file_type, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/32.0/private/blkid_untrusted.te b/prebuilts/api/32.0/private/blkid_untrusted.te
new file mode 100644
index 000000000..125677157
--- /dev/null
+++ b/prebuilts/api/32.0/private/blkid_untrusted.te
@@ -0,0 +1,37 @@
+# blkid for untrusted block devices
+
+typeattribute blkid_untrusted coredomain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/32.0/private/bluetooth.te b/prebuilts/api/32.0/private/bluetooth.te
new file mode 100644
index 000000000..8fc6d203e
--- /dev/null
+++ b/prebuilts/api/32.0/private/bluetooth.te
@@ -0,0 +1,87 @@
+# bluetooth app
+
+typeattribute bluetooth coredomain, mlstrustedsubject;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow bluetooth efs_file:dir search;
+
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, binder_cache_bluetooth_server_prop);
+neverallow { domain -bluetooth -init }
+ binder_cache_bluetooth_server_prop:property_service set;
+set_prop(bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(bluetooth, bluetooth_audio_hal_prop)
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, exported_bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+allow bluetooth network_stack_service:service_manager find;
+allow bluetooth system_suspend_control_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:global_capability_class_set sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+# Bluetooth A2DP offload requires binding with audio HAL
+hal_client_domain(bluetooth, hal_audio)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/32.0/private/bluetoothdomain.te b/prebuilts/api/32.0/private/bluetoothdomain.te
new file mode 100644
index 000000000..fe4f0e663
--- /dev/null
+++ b/prebuilts/api/32.0/private/bluetoothdomain.te
@@ -0,0 +1,2 @@
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/32.0/private/bootanim.te b/prebuilts/api/32.0/private/bootanim.te
new file mode 100644
index 000000000..855bc3dd5
--- /dev/null
+++ b/prebuilts/api/32.0/private/bootanim.te
@@ -0,0 +1,17 @@
+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)
+
+# b/68864350
+dontaudit bootanim unlabeled:dir search;
+
+# Bootanim should not be reading default vendor-defined properties.
+dontaudit bootanim vendor_default_prop:file read;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
+get_prop(bootanim, bootanim_config_prop)
+
+# Allow updating boot animation status.
+set_prop(bootanim, bootanim_system_prop)
diff --git a/prebuilts/api/32.0/private/bootstat.te b/prebuilts/api/32.0/private/bootstat.te
new file mode 100644
index 000000000..016292ed3
--- /dev/null
+++ b/prebuilts/api/32.0/private/bootstat.te
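Review bot: In bluetooth.te `net_admin` is granted twice — once standalone (`allow bluetooth self:global_capability_class_set net_admin;`) and again inside the tethering set `{ net_admin net_raw net_bind_service }` — so the standalone line is redundant and the split makes it harder to see at a glance that all four capabilities in the neverallow exemption are actually enabled; I would drop the standalone line and keep the tethering one. The closing neverallow comment also lists `block_suspend` as required, but no visible rule grants it; it presumably comes from the expansion of `wakelock_use(bluetooth);`, which is outside this hunk, so a pointer like `# block_suspend is granted via wakelock_use() above` next to the `global_capability2_class_set` neverallow would make the exemption traceable. If prebuilts/api/32.0 must stay identical to the live policy, both edits belong in private/bluetooth.te first.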
@@ -0,0 +1,34 @@
+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
diff --git a/prebuilts/api/32.0/private/boringssl_self_test.te b/prebuilts/api/32.0/private/boringssl_self_test.te
new file mode 100644
index 000000000..50fc1fc1c
--- /dev/null
+++ b/prebuilts/api/32.0/private/boringssl_self_test.te
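Review bot: The comment `# ... and refine, as these components should not set the last boot reason` in bootstat.te describes the wrong permission: the rule beneath it is `neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;`, which forbids reading the property file, while setting is governed by the separate `property_service set` neverallow further down. `# ... and refine, as these components should not read the last boot reason` matches what the rule enforces. The next refinement comment also has a typo: `# ... and refine ... for a ro property no less ... keep this _tight_`. Both are comment-only changes; if this directory is a frozen copy of the live policy they must be made in private/bootstat.te.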
@@ -0,0 +1,74 @@
+# System and vendor domains for BoringSSL self test binaries.
+#
+# For FIPS compliance, all processes linked against libcrypto perform a startup
+# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
+# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
+#
+# The KATs are expensive, and to ensure they are run as few times as possible, they
+# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
+# the hash of the BCM that was computed earlier. The files are zero length and their contents
+# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
+# to create these marker files, there are dedicated self test binaries which this policy
+# gives access to and which are run during early-init.
+#
+# Due to build skew, the version of libcrypto in /vendor may have a different hash than
+# the system one. To cater for this there are vendor variants of the self test binaries
+# which also have permission to write to the same files in /dev/boringssl. In the case where
+# vendor and system libcrypto have the same hash, there will be a race to create the file,
+# but this is harmless.
+#
+# If the self tests fail, then the device should reboot into firmware and for this reason
+# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
+# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
+# reboot. However every binary linked against the vendor libcrypto will abort on startup,
+# so in practice the device will crash anyway in this unlikely scenario.
+
+# System boringssl_self_test domain
+type boringssl_self_test, domain, coredomain;
+type boringssl_self_test_exec, system_file_type, exec_type, file_type;
+
+# Vendor boringssl_self_test domain
+type vendor_boringssl_self_test, domain;
+type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
+
+# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
+init_daemon_domain(boringssl_self_test)
+
+# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
+init_daemon_domain(vendor_boringssl_self_test)
+
+# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
+#
+# The files are zero length so there is no issue if both vendor and system code
+# try to create the same file simultaneously. One will succeed and the other will fail
+# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
+# system domain e.g. when system and APEX copies of libcrypto are identical.
+type boringssl_self_test_marker, file_type;
+
+# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
+allow { boringssl_self_test vendor_boringssl_self_test }
+ boringssl_self_test_marker:file create_file_perms;
+allow { boringssl_self_test vendor_boringssl_self_test }
+ boringssl_self_test_marker:dir ra_dir_perms;
+
+# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
+allow { boringssl_self_test vendor_boringssl_self_test }
+ kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
+
+# No other process should be able to create marker files because their existence causes the
+# boringssl KAT to be skipped.
+neverallow {
+ domain
+ -vendor_boringssl_self_test
+ -boringssl_self_test
+ -init
+ -vendor_init
+} boringssl_self_test_marker:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -vendor_boringssl_self_test
+ -boringssl_self_test
+ -init
+ -vendor_init
+} boringssl_self_test_marker:dir write;
diff --git a/prebuilts/api/32.0/private/bpfloader.te b/prebuilts/api/32.0/private/bpfloader.te
new file mode 100644
index 000000000..343ec7ae8
--- /dev/null
+++ b/prebuilts/api/32.0/private/bpfloader.te
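Review bot: The comment `# No other process should be able to create marker files because their existence causes the boringssl KAT to be skipped.` is contradicted by the two neverallows directly under it, which exempt `init` and `vendor_init` alongside the two self-test domains, and nothing in the file says why the init domains need write access to `boringssl_self_test_marker` files or directories. Given that a forged marker silently skips the KAT, the exemption deserves a stated reason, e.g. `# init and vendor_init are exempted, presumably to set up /dev/boringssl at early-init - confirm and tighten to the dir rule only if file creation is not needed.`. Whether the file-class exemption can be dropped while keeping the dir one is not decidable from this hunk. If prebuilts/api/32.0 is a frozen copy, the comment goes into private/boringssl_self_test.te first.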
@@ -0,0 +1,43 @@
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, system_file_type, exec_type, file_type;
+typeattribute bpfloader coredomain;
+
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
+allow fs_bpf_tethering fs_bpf:filesystem associate;
+
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
+
+allow bpfloader self:capability { chown sys_admin net_admin };
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
+
+###
+### Neverallow rules
+###
+
+# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
+neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+
+neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
+
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
+neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
+
+# No domain should be allowed to ptrace bpfloader
+neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/prebuilts/api/32.0/private/bufferhubd.te b/prebuilts/api/32.0/private/bufferhubd.te
new file mode 100644
index 000000000..012eb2027
--- /dev/null
+++ b/prebuilts/api/32.0/private/bufferhubd.te
@@ -0,0 +1,3 @@
+typeattribute bufferhubd coredomain;
+
+init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/32.0/private/bug_map b/prebuilts/api/32.0/private/bug_map
new file mode 100644
index 000000000..5b042ae4c
--- /dev/null
+++ b/prebuilts/api/32.0/private/bug_map
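Review bot: The `fs_bpf` file-read neverallow keeps `-init -vendor_init` in its exemption list (as does the `{ map open setattr }` rule above it) with only the one-line `# TODO: get rid of init & vendor_init` as justification, so the widest reader set in the file is undocumented. This file is the frozen 32.0 snapshot under prebuilts/api/32.0 and has to stay byte-identical to the live private/bpfloader.te, so I would not change it here; the point is for the live policy. There, a comment above that rule such as `# Domains that read pinned maps directly: <domain> - <reason>; init/vendor_init exemptions pending removal (see TODO)` would make the TODO actionable. The same comment would also make the `prog_run` and `{ map_read map_write }` exemption lists on the last hunk lines reviewable, since the three lists differ (lmkd and netutils_wrapper each appear in some but not all of them).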
@@ -0,0 +1,35 @@
+dnsmasq netd fifo_file b/77868789
+dnsmasq netd unix_stream_socket b/77868789
+gmscore_app system_data_file dir b/146166941
+init app_data_file file b/77873135
+init cache_file blk_file b/77873135
+init logpersist file b/77873135
+init nativetest_data_file dir b/77873135
+init pstorefs dir b/77873135
+init shell_data_file dir b/77873135
+init shell_data_file file b/77873135
+init shell_data_file lnk_file b/77873135
+init shell_data_file sock_file b/77873135
+init system_data_file chr_file b/77873135
+isolated_app privapp_data_file dir b/119596573
+isolated_app app_data_file dir b/120394782
+mediaextractor app_data_file file b/77923736
+mediaextractor radio_data_file file b/77923736
+mediaprovider cache_file blk_file b/77925342
+mediaprovider mnt_media_rw_file dir b/77925342
+mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
+netd priv_app unix_stream_socket b/77870037
+netd untrusted_app unix_stream_socket b/77870037
+netd untrusted_app_25 unix_stream_socket b/77870037
+netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
+platform_app nfc_data_file dir b/74331887
+system_server crash_dump process b/73128755
+system_server overlayfs_file file b/142390309
+system_server sdcardfs file b/77856826
+system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
+vold system_data_file file b/124108085
+zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799
diff --git a/prebuilts/api/32.0/private/cameraserver.te b/prebuilts/api/32.0/private/cameraserver.te
new file mode 100644
index 000000000..2be3c9ea3
--- /dev/null
+++ b/prebuilts/api/32.0/private/cameraserver.te
@@ -0,0 +1,6 @@
+typeattribute cameraserver coredomain;
+
+typeattribute cameraserver camera_service_server;
+
+init_daemon_domain(cameraserver)
+tmpfs_domain(cameraserver)
diff --git a/prebuilts/api/32.0/private/canhalconfigurator.te b/prebuilts/api/32.0/private/canhalconfigurator.te
new file mode 100644
index 000000000..9ba60ac13
--- /dev/null
+++ b/prebuilts/api/32.0/private/canhalconfigurator.te
@@ -0,0 +1,7 @@
+type canhalconfigurator, domain, coredomain;
+type canhalconfigurator_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(canhalconfigurator)
+
+# This allows the configurator to look up the CAN HAL controller via
+# hwservice_manager and communicate with it.
+hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/prebuilts/api/32.0/private/charger.te b/prebuilts/api/32.0/private/charger.te
new file mode 100644
index 000000000..8be113ffb
--- /dev/null
+++ b/prebuilts/api/32.0/private/charger.te
@@ -0,0 +1,31 @@
+typeattribute charger coredomain;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported3_system_prop)
+set_prop(charger, charger_status_prop)
+
+get_prop(charger, charger_prop)
+get_prop(charger, charger_config_prop)
+
+# get minui properties
+get_prop(charger, recovery_config_prop)
+
+compatible_property_only(`
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ -charger
+ } charger_prop:file no_rw_file_perms;
+')
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+ -charger
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/prebuilts/api/32.0/private/clatd.te b/prebuilts/api/32.0/private/clatd.te
new file mode 100644
index 000000000..0fa774a27
--- /dev/null
+++ b/prebuilts/api/32.0/private/clatd.te
@@ -0,0 +1,36 @@
+# 464xlat daemon
+type clatd, domain, coredomain;
+type clatd_exec, system_file_type, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+ auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/32.0/private/compat/26.0/26.0.cil b/prebuilts/api/32.0/private/compat/26.0/26.0.cil
new file mode 100644
index 000000000..498bca5a7
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/26.0/26.0.cil
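Review bot: The comment above `allow clatd self:global_capability_class_set ipc_lock;` cites `https://b.corp.google.com/issues/21736319`, an internal-only host that readers of this public policy cannot follow, while the `android-review.googlesource.com/127940` reference beside it is public. The rest of this tree uses the short `b/<id>` form (see bug_map in this same commit), so `# See https://android-review.googlesource.com/127940 and b/21736319` would be consistent and would not point at a host outside AOSP. This file is the frozen 32.0 prebuilt snapshot, so the wording change belongs in the live private/clatd.te rather than here.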
@@ -0,0 +1,786 @@ +;; attributes removed from current policy +(typeattribute hal_wifi_keystore) +(typeattribute hal_wifi_keystore_client) +(typeattribute hal_wifi_keystore_server) +(typeattribute hal_wifi_offload) +(typeattribute hal_wifi_offload_client) +(typeattribute hal_wifi_offload_server) + +;; types removed from current policy +(type untrusted_v2_app) +(type asan_reboot_prop) +(type commontime_management_service) +(type hal_wifi_offload_hwservice) +(type log_device) +(type mediacasserver_service) +(type mediacodec) +(type mediacodec_exec) +(type qtaguid_proc) +(type reboot_data_file) +(type tracing_shell_writable) +(type tracing_shell_writable_debug) +(type vold_socket) +(type webview_zygote_socket) +(type rild) +(type netd_socket) + +(typeattributeset accessibility_service_26_0 (accessibility_service)) +(typeattributeset account_service_26_0 (account_service)) +(typeattributeset activity_service_26_0 (activity_service)) +(typeattributeset adbd_26_0 (adbd)) +(typeattributeset adb_data_file_26_0 (adb_data_file)) +(typeattributeset adbd_socket_26_0 (adbd_socket)) +(typeattributeset adb_keys_file_26_0 (adb_keys_file)) +(typeattributeset alarm_device_26_0 (alarm_device)) +(typeattributeset alarm_service_26_0 (alarm_service)) +(typeattributeset anr_data_file_26_0 (anr_data_file)) +(typeattributeset apk_data_file_26_0 (apk_data_file)) +(typeattributeset apk_private_data_file_26_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_26_0 (apk_tmp_file)) +(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file)) +(typeattributeset app_fuse_file_26_0 (app_fuse_file)) +(typeattributeset app_fusefs_26_0 (app_fusefs)) +(typeattributeset appops_service_26_0 (appops_service)) +(typeattributeset appwidget_service_26_0 (appwidget_service)) +(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop)) +(typeattributeset asec_apk_file_26_0 (asec_apk_file)) +(typeattributeset 
asec_image_file_26_0 (asec_image_file)) +(typeattributeset asec_public_file_26_0 (asec_public_file)) +(typeattributeset ashmem_device_26_0 (ashmem_device)) +(typeattributeset assetatlas_service_26_0 (assetatlas_service)) +(typeattributeset audio_data_file_26_0 (audio_data_file)) +(typeattributeset audio_device_26_0 (audio_device)) +(typeattributeset audiohal_data_file_26_0 (audiohal_data_file)) +(typeattributeset audio_prop_26_0 (audio_prop)) +(typeattributeset audio_seq_device_26_0 (audio_seq_device)) +(typeattributeset audioserver_26_0 (audioserver)) +(typeattributeset audioserver_data_file_26_0 (audioserver_data_file)) +(typeattributeset audioserver_service_26_0 (audioserver_service)) +(typeattributeset audio_service_26_0 (audio_service)) +(typeattributeset audio_timer_device_26_0 (audio_timer_device)) +(typeattributeset autofill_service_26_0 (autofill_service)) +(typeattributeset backup_data_file_26_0 (backup_data_file)) +(typeattributeset backup_service_26_0 (backup_service)) +(typeattributeset batteryproperties_service_26_0 (batteryproperties_service)) +(typeattributeset battery_service_26_0 (battery_service)) +(typeattributeset batterystats_service_26_0 (batterystats_service)) +(typeattributeset binder_device_26_0 (binder_device)) +(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs)) +(typeattributeset blkid_26_0 (blkid)) +(typeattributeset blkid_untrusted_26_0 (blkid_untrusted)) +(typeattributeset block_device_26_0 (block_device)) +(typeattributeset bluetooth_26_0 (bluetooth)) +(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_26_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_26_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_26_0 (bluetooth_socket)) +(typeattributeset 
bootanim_26_0 (bootanim)) +(typeattributeset bootanim_exec_26_0 (bootanim_exec)) +(typeattributeset boot_block_device_26_0 (boot_block_device)) +(typeattributeset bootchart_data_file_26_0 (bootchart_data_file)) +(typeattributeset bootstat_26_0 (bootstat)) +(typeattributeset bootstat_data_file_26_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_26_0 (bootstat_exec)) +(typeattributeset boottime_prop_26_0 (boottime_prop)) +(typeattributeset boottrace_data_file_26_0 (boottrace_data_file)) +(typeattributeset bufferhubd_26_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec)) +(typeattributeset cache_backup_file_26_0 (cache_backup_file)) +(typeattributeset cache_block_device_26_0 (cache_block_device)) +(typeattributeset cache_file_26_0 (cache_file)) +(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_26_0 (cache_recovery_file)) +(typeattributeset camera_data_file_26_0 (camera_data_file)) +(typeattributeset camera_device_26_0 (camera_device)) +(typeattributeset cameraproxy_service_26_0 (cameraproxy_service)) +(typeattributeset cameraserver_26_0 (cameraserver)) +(typeattributeset cameraserver_exec_26_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_26_0 (cameraserver_service)) +(typeattributeset cgroup_26_0 (cgroup)) +(typeattributeset charger_26_0 (charger)) +(typeattributeset clatd_26_0 (clatd)) +(typeattributeset clatd_exec_26_0 (clatd_exec)) +(typeattributeset clipboard_service_26_0 (clipboard_service)) +(typeattributeset commontime_management_service_26_0 (commontime_management_service)) +(typeattributeset companion_device_service_26_0 (companion_device_service)) +(typeattributeset configfs_26_0 (configfs)) +(typeattributeset config_prop_26_0 (config_prop)) +(typeattributeset connectivity_service_26_0 (connectivity_service)) +(typeattributeset connmetrics_service_26_0 (connmetrics_service)) +(typeattributeset console_device_26_0 (console_device)) 
+(typeattributeset consumer_ir_service_26_0 (consumer_ir_service)) +(typeattributeset content_service_26_0 (content_service)) +(typeattributeset contexthub_service_26_0 (contexthub_service)) +(typeattributeset coredump_file_26_0 (coredump_file)) +(typeattributeset country_detector_service_26_0 (country_detector_service)) +(typeattributeset coverage_service_26_0 (coverage_service)) +(typeattributeset cppreopt_prop_26_0 (cppreopt_prop)) +(typeattributeset cppreopts_26_0 (cppreopts)) +(typeattributeset cppreopts_exec_26_0 (cppreopts_exec)) +(typeattributeset cpuctl_device_26_0 (cpuctl_device)) +(typeattributeset cpuinfo_service_26_0 (cpuinfo_service)) +(typeattributeset crash_dump_26_0 (crash_dump)) +(typeattributeset crash_dump_exec_26_0 (crash_dump_exec)) +(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_26_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop)) +(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop)) +(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop)) +(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop)) +(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file)) +(typeattributeset dalvik_prop_26_0 (dalvik_prop)) +(typeattributeset dbinfo_service_26_0 (dbinfo_service)) +(typeattributeset debugfs_26_0 + ( debugfs + debugfs_wakeup_sources + )) +(typeattributeset debugfs_mmc_26_0 (debugfs_mmc)) +(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_26_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_26_0 (debuggerd_prop)) +(typeattributeset debug_prop_26_0 
(debug_prop)) +(typeattributeset default_android_hwservice_26_0 (default_android_hwservice)) +(typeattributeset default_android_service_26_0 (default_android_service)) +(typeattributeset default_android_vndservice_26_0 (default_android_vndservice)) +(typeattributeset default_prop_26_0 + ( default_prop pm_prop)) +(typeattributeset device_26_0 (device)) +(typeattributeset device_identifiers_service_26_0 (device_identifiers_service)) +(typeattributeset deviceidle_service_26_0 (deviceidle_service)) +(typeattributeset device_logging_prop_26_0 (device_logging_prop)) +(typeattributeset device_policy_service_26_0 (device_policy_service)) +(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service)) +(typeattributeset devpts_26_0 (devpts)) +(typeattributeset dex2oat_26_0 (dex2oat)) +(typeattributeset dex2oat_exec_26_0 (dex2oat_exec)) +(typeattributeset dhcp_26_0 (dhcp)) +(typeattributeset dhcp_data_file_26_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_26_0 (dhcp_exec)) +(typeattributeset dhcp_prop_26_0 (dhcp_prop)) +(typeattributeset diskstats_service_26_0 (diskstats_service)) +(typeattributeset display_service_26_0 (display_service)) +(typeattributeset dm_device_26_0 (dm_device)) +(typeattributeset dnsmasq_26_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket)) +(typeattributeset DockObserver_service_26_0 (DockObserver_service)) +(typeattributeset dreams_service_26_0 (dreams_service)) +(typeattributeset drm_data_file_26_0 (drm_data_file)) +(typeattributeset drmserver_26_0 (drmserver)) +(typeattributeset drmserver_exec_26_0 (drmserver_exec)) +(typeattributeset drmserver_service_26_0 (drmserver_service)) +(typeattributeset drmserver_socket_26_0 (drmserver_socket)) +(typeattributeset dropbox_service_26_0 (dropbox_service)) +(typeattributeset dumpstate_26_0 (dumpstate)) +(typeattributeset dumpstate_exec_26_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_26_0 
(dumpstate_options_prop)) +(typeattributeset dumpstate_prop_26_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_26_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_26_0 (dumpstate_socket)) +(typeattributeset efs_file_26_0 (efs_file)) +(typeattributeset ephemeral_app_26_0 (ephemeral_app)) +(typeattributeset ethernet_service_26_0 (ethernet_service)) +(typeattributeset ffs_prop_26_0 (ffs_prop)) +(typeattributeset file_contexts_file_26_0 (file_contexts_file)) +(typeattributeset fingerprintd_26_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_26_0 (fingerprintd_service)) +(typeattributeset fingerprint_prop_26_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_26_0 (fingerprint_service)) +(typeattributeset firstboot_prop_26_0 (firstboot_prop)) +(typeattributeset font_service_26_0 (font_service)) +(typeattributeset frp_block_device_26_0 (frp_block_device)) +(typeattributeset fsck_26_0 (fsck)) +(typeattributeset fsck_exec_26_0 (fsck_exec)) +(typeattributeset fscklogs_26_0 (fscklogs)) +(typeattributeset fsck_untrusted_26_0 (fsck_untrusted)) +(typeattributeset full_device_26_0 (full_device)) +(typeattributeset functionfs_26_0 (functionfs)) +(typeattributeset fuse_26_0 (fuse)) +(typeattributeset fuse_device_26_0 (fuse_device)) +(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice)) +(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket)) +(typeattributeset gatekeeperd_26_0 (gatekeeperd)) +(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file)) +(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec)) +(typeattributeset gatekeeper_service_26_0 (gatekeeper_service)) +(typeattributeset gfxinfo_service_26_0 (gfxinfo_service)) 
+(typeattributeset gps_control_26_0 (gps_control)) +(typeattributeset gpu_device_26_0 (gpu_device)) +(typeattributeset gpu_service_26_0 (gpu_service)) +(typeattributeset graphics_device_26_0 (graphics_device)) +(typeattributeset graphicsstats_service_26_0 (graphicsstats_service)) +(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice)) +(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice)) +(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice)) +(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice)) +(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice)) +(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice)) +(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice)) +(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice)) +(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice)) 
+(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice)) +(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice)) +(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice)) +(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice)) +(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice)) +(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice)) +(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice)) +(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice)) +(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_26_0 (hardware_properties_service)) +(typeattributeset hardware_service_26_0 (hardware_service)) +(typeattributeset hci_attach_dev_26_0 (hci_attach_dev)) +(typeattributeset hdmi_control_service_26_0 (hdmi_control_service)) +(typeattributeset healthd_26_0 (healthd)) +(typeattributeset healthd_exec_26_0 (healthd_exec)) +(typeattributeset heapdump_data_file_26_0 (heapdump_data_file)) +(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice)) +(typeattributeset hwbinder_device_26_0 (hwbinder_device)) +(typeattributeset hw_random_device_26_0 (hw_random_device)) +(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file)) +(typeattributeset hwservicemanager_26_0 (hwservicemanager)) +(typeattributeset 
hwservicemanager_exec_26_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop)) +(typeattributeset i2c_device_26_0 (i2c_device)) +(typeattributeset icon_file_26_0 (icon_file)) +(typeattributeset idmap_26_0 (idmap)) +(typeattributeset idmap_exec_26_0 (idmap_exec)) +(typeattributeset iio_device_26_0 (iio_device)) +(typeattributeset imms_service_26_0 (imms_service)) +(typeattributeset incident_26_0 (incident)) +(typeattributeset incidentd_26_0 (incidentd)) +(typeattributeset incident_data_file_26_0 (incident_data_file)) +(typeattributeset incident_service_26_0 (incident_service)) +(typeattributeset init_26_0 (init)) +(typeattributeset init_exec_26_0 (init_exec watchdogd_exec)) +(typeattributeset inotify_26_0 (inotify)) +(typeattributeset input_device_26_0 (input_device)) +(typeattributeset inputflinger_26_0 (inputflinger)) +(typeattributeset inputflinger_exec_26_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_26_0 (inputflinger_service)) +(typeattributeset input_method_service_26_0 (input_method_service)) +(typeattributeset input_service_26_0 (input_service)) +(typeattributeset installd_26_0 (installd)) +(typeattributeset install_data_file_26_0 (install_data_file)) +(typeattributeset installd_exec_26_0 (installd_exec)) +(typeattributeset installd_service_26_0 (installd_service)) +(typeattributeset install_recovery_26_0 (install_recovery)) +(typeattributeset install_recovery_exec_26_0 (install_recovery_exec)) +(typeattributeset ion_device_26_0 (ion_device)) +(typeattributeset IProxyService_service_26_0 (IProxyService_service)) +(typeattributeset ipsec_service_26_0 (ipsec_service)) +(typeattributeset isolated_app_26_0 (isolated_app)) +(typeattributeset jobscheduler_service_26_0 (jobscheduler_service)) +(typeattributeset kernel_26_0 (kernel)) +(typeattributeset keychain_data_file_26_0 (keychain_data_file)) +(typeattributeset keychord_device_26_0 (keychord_device)) +(typeattributeset keystore_26_0 (keystore)) 
+(typeattributeset keystore_data_file_26_0 (keystore_data_file)) +(typeattributeset keystore_exec_26_0 (keystore_exec)) +(typeattributeset keystore_service_26_0 (keystore_service)) +(typeattributeset kmem_device_26_0 (kmem_device)) +(typeattributeset kmsg_device_26_0 (kmsg_device)) +(typeattributeset labeledfs_26_0 (labeledfs)) +(typeattributeset launcherapps_service_26_0 (launcherapps_service)) +(typeattributeset lmkd_26_0 (lmkd)) +(typeattributeset lmkd_exec_26_0 (lmkd_exec)) +(typeattributeset lmkd_socket_26_0 (lmkd_socket)) +(typeattributeset location_service_26_0 (location_service)) +(typeattributeset lock_settings_service_26_0 (lock_settings_service)) +(typeattributeset logcat_exec_26_0 (logcat_exec)) +(typeattributeset logd_26_0 (logd)) +(typeattributeset log_device_26_0 (log_device)) +(typeattributeset logd_exec_26_0 (logd_exec)) +(typeattributeset logd_prop_26_0 (logd_prop)) +(typeattributeset logdr_socket_26_0 (logdr_socket)) +(typeattributeset logd_socket_26_0 (logd_socket)) +(typeattributeset logdw_socket_26_0 (logdw_socket)) +(typeattributeset logpersist_26_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop)) +(typeattributeset log_prop_26_0 (log_prop)) +(typeattributeset log_tag_prop_26_0 (log_tag_prop)) +(typeattributeset loop_control_device_26_0 (loop_control_device)) +(typeattributeset loop_device_26_0 (loop_device)) +(typeattributeset mac_perms_file_26_0 (mac_perms_file)) +(typeattributeset mdnsd_26_0 (mdnsd)) +(typeattributeset mdnsd_socket_26_0 (mdnsd_socket)) +(typeattributeset mdns_socket_26_0 (mdns_socket)) +(typeattributeset mediacasserver_service_26_0 (mediacasserver_service)) +(typeattributeset hal_omx_server (mediacodec_26_0)) +(typeattributeset mediacodec_26_0 (mediacodec)) +(typeattributeset mediacodec_exec_26_0 (mediacodec_exec)) +(typeattributeset mediacodec_service_26_0 (mediacodec_service)) +(typeattributeset media_data_file_26_0 (media_data_file)) +(typeattributeset mediadrmserver_26_0 
(mediadrmserver)) +(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_26_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_26_0 (mediaextractor_service)) +(typeattributeset mediametrics_26_0 (mediametrics)) +(typeattributeset mediametrics_exec_26_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_26_0 (mediametrics_service)) +(typeattributeset media_projection_service_26_0 (media_projection_service)) +(typeattributeset media_router_service_26_0 (media_router_service)) +(typeattributeset media_rw_data_file_26_0 (media_rw_data_file)) +(typeattributeset mediaserver_26_0 (mediaserver)) +(typeattributeset mediaserver_exec_26_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_26_0 (mediaserver_service)) +(typeattributeset media_session_service_26_0 (media_session_service)) +(typeattributeset meminfo_service_26_0 (meminfo_service)) +(typeattributeset metadata_block_device_26_0 (metadata_block_device)) +(typeattributeset method_trace_data_file_26_0 (method_trace_data_file)) +(typeattributeset midi_service_26_0 (midi_service)) +(typeattributeset misc_block_device_26_0 (misc_block_device)) +(typeattributeset misc_logd_file_26_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_26_0 (misc_user_data_file)) +(typeattributeset mmc_prop_26_0 (mmc_prop)) +(typeattributeset mnt_expand_file_26_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_user_file_26_0 (mnt_user_file)) +(typeattributeset modprobe_26_0 (modprobe)) +(typeattributeset mount_service_26_0 (mount_service)) +(typeattributeset mqueue_26_0 (mqueue)) +(typeattributeset mtd_device_26_0 (mtd_device)) +(typeattributeset mtp_26_0 (mtp)) +(typeattributeset mtp_device_26_0 
(mtp_device)) +(typeattributeset mtpd_socket_26_0 (mtpd_socket)) +(typeattributeset mtp_exec_26_0 (mtp_exec)) +(typeattributeset nativetest_data_file_26_0 (nativetest_data_file)) +(typeattributeset netd_26_0 (netd)) +(typeattributeset net_data_file_26_0 (net_data_file)) +(typeattributeset netd_exec_26_0 (netd_exec)) +(typeattributeset netd_listener_service_26_0 (netd_listener_service)) +(typeattributeset net_dns_prop_26_0 (net_dns_prop)) +(typeattributeset netd_service_26_0 (netd_service)) +(typeattributeset netd_socket_26_0 (netd_socket)) +(typeattributeset netif_26_0 (netif)) +(typeattributeset netpolicy_service_26_0 (netpolicy_service)) +(typeattributeset net_radio_prop_26_0 (net_radio_prop)) +(typeattributeset netstats_service_26_0 (netstats_service)) +(typeattributeset netutils_wrapper_26_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_26_0 (network_management_service)) +(typeattributeset network_score_service_26_0 (network_score_service)) +(typeattributeset network_time_update_service_26_0 (network_time_update_service)) +(typeattributeset nfc_26_0 (nfc)) +(typeattributeset nfc_data_file_26_0 (nfc_data_file)) +(typeattributeset nfc_device_26_0 (nfc_device)) +(typeattributeset nfc_prop_26_0 (nfc_prop)) +(typeattributeset nfc_service_26_0 (nfc_service)) +(typeattributeset node_26_0 (node)) +(typeattributeset notification_service_26_0 (notification_service)) +(typeattributeset null_device_26_0 (null_device)) +(typeattributeset oemfs_26_0 (oemfs)) +(typeattributeset oem_lock_service_26_0 (oem_lock_service)) +(typeattributeset ota_data_file_26_0 (ota_data_file)) +(typeattributeset otadexopt_service_26_0 (otadexopt_service)) +(typeattributeset ota_package_file_26_0 (ota_package_file)) +(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot)) +(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec)) +(typeattributeset otapreopt_slot_26_0 (otapreopt_slot)) 
+(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec)) +(typeattributeset overlay_prop_26_0 (overlay_prop)) +(typeattributeset overlay_service_26_0 (overlay_service)) +(typeattributeset owntty_device_26_0 (owntty_device)) +(typeattributeset package_service_26_0 (package_service)) +(typeattributeset pan_result_prop_26_0 (pan_result_prop)) +(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_26_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket)) +(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir)) +(typeattributeset performanced_26_0 (performanced)) +(typeattributeset performanced_exec_26_0 (performanced_exec)) +(typeattributeset permission_service_26_0 (permission_service)) +(typeattributeset persist_debug_prop_26_0 (persist_debug_prop)) +(typeattributeset 
persistent_data_block_service_26_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_26_0 (pinner_service)) +(typeattributeset pipefs_26_0 (pipefs)) +(typeattributeset platform_app_26_0 (platform_app)) +(typeattributeset pmsg_device_26_0 (pmsg_device)) +(typeattributeset port_26_0 (port)) +(typeattributeset port_device_26_0 (port_device)) +(typeattributeset postinstall_26_0 (postinstall)) +(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt)) +(typeattributeset postinstall_file_26_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir)) +(typeattributeset powerctl_prop_26_0 (powerctl_prop)) +(typeattributeset power_service_26_0 (power_service)) +(typeattributeset ppp_26_0 (ppp)) +(typeattributeset ppp_device_26_0 (ppp_device)) +(typeattributeset ppp_exec_26_0 (ppp_exec)) +(typeattributeset preloads_data_file_26_0 (preloads_data_file)) +(typeattributeset preloads_media_file_26_0 (preloads_media_file)) +(typeattributeset preopt2cachename_26_0 (preopt2cachename)) +(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec)) +(typeattributeset print_service_26_0 (print_service)) +(typeattributeset priv_app_26_0 (mediaprovider priv_app)) +(typeattributeset proc_26_0 + ( proc + proc_abi + proc_asound + proc_buddyinfo + proc_cmdline + proc_dirty + proc_diskstats + proc_extra_free_kbytes + proc_filesystems + proc_hostname + proc_hung_task + proc_kmsg + proc_loadavg + proc_max_map_count + proc_min_free_order_shift + proc_mounts + proc_page_cluster + proc_pagetypeinfo + proc_panic + proc_pid_max + proc_pipe_conf + proc_random + proc_sched + proc_slabinfo + proc_swaps + proc_uid_time_in_state + proc_uid_concurrent_active_time + proc_uid_concurrent_policy_time + proc_uid_cpupower + proc_uptime + proc_version + proc_vmallocinfo + proc_vmstat)) +(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable)) 
+(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo)) +(typeattributeset proc_drop_caches_26_0 (proc_drop_caches)) +(typeattributeset processinfo_service_26_0 (processinfo_service)) +(typeattributeset proc_interrupts_26_0 (proc_interrupts)) +(typeattributeset proc_iomem_26_0 (proc_iomem)) +(typeattributeset proc_meminfo_26_0 (proc_meminfo)) +(typeattributeset proc_misc_26_0 (proc_misc)) +(typeattributeset proc_modules_26_0 (proc_modules)) +(typeattributeset proc_net_26_0 + ( proc_net + proc_net_tcp_udp + proc_qtaguid_stat)) +(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory)) +(typeattributeset proc_perf_26_0 (proc_perf)) +(typeattributeset proc_security_26_0 (proc_security)) +(typeattributeset proc_stat_26_0 (proc_stat)) +(typeattributeset procstats_service_26_0 (procstats_service)) +(typeattributeset proc_sysrq_26_0 (proc_sysrq)) +(typeattributeset proc_timer_26_0 (proc_timer)) +(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers)) +(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats)) +(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set)) +(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo)) +(typeattributeset profman_26_0 (profman)) +(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file)) +(typeattributeset profman_exec_26_0 (profman_exec)) +(typeattributeset properties_device_26_0 (properties_device)) +(typeattributeset properties_serial_26_0 (properties_serial)) +(typeattributeset property_contexts_file_26_0 (property_contexts_file)) +(typeattributeset property_data_file_26_0 (property_data_file)) +(typeattributeset property_socket_26_0 (property_socket)) +(typeattributeset pstorefs_26_0 (pstorefs)) +(typeattributeset ptmx_device_26_0 (ptmx_device)) +(typeattributeset qtaguid_device_26_0 (qtaguid_device)) +(typeattributeset 
qtaguid_proc_26_0 + ( qtaguid_proc + proc_qtaguid_ctrl)) +(typeattributeset racoon_26_0 (racoon)) +(typeattributeset racoon_exec_26_0 (racoon_exec)) +(typeattributeset racoon_socket_26_0 (racoon_socket)) +(typeattributeset radio_26_0 (radio)) +(typeattributeset radio_data_file_26_0 (radio_data_file)) +(typeattributeset radio_device_26_0 (radio_device)) +(typeattributeset radio_prop_26_0 (radio_prop)) +(typeattributeset radio_service_26_0 (radio_service)) +(typeattributeset ram_device_26_0 (ram_device)) +(typeattributeset random_device_26_0 (random_device)) +(typeattributeset reboot_data_file_26_0 (reboot_data_file)) +(typeattributeset recovery_26_0 (recovery)) +(typeattributeset recovery_block_device_26_0 (recovery_block_device)) +(typeattributeset recovery_data_file_26_0 (recovery_data_file)) +(typeattributeset recovery_persist_26_0 (recovery_persist)) +(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_26_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_26_0 (recovery_service)) +(typeattributeset registry_service_26_0 (registry_service)) +(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_26_0 (restorecon_prop)) +(typeattributeset restrictions_service_26_0 (restrictions_service)) +(typeattributeset rild_26_0 (rild)) +(typeattributeset rild_debug_socket_26_0 (rild_debug_socket)) +(typeattributeset rild_socket_26_0 (rild_socket)) +(typeattributeset ringtone_file_26_0 (ringtone_file)) +(typeattributeset root_block_device_26_0 (root_block_device)) +(typeattributeset rootfs_26_0 (rootfs)) +(typeattributeset rpmsg_device_26_0 (rpmsg_device)) +(typeattributeset rtc_device_26_0 (rtc_device)) +(typeattributeset rttmanager_service_26_0 (rttmanager_service)) +(typeattributeset runas_26_0 (runas)) +(typeattributeset runas_exec_26_0 (runas_exec)) +(typeattributeset 
runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file)) +(typeattributeset safemode_prop_26_0 (safemode_prop)) +(typeattributeset same_process_hal_file_26_0 + ( same_process_hal_file + vendor_public_lib_file)) +(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service)) +(typeattributeset sdcardd_26_0 (sdcardd)) +(typeattributeset sdcardd_exec_26_0 (sdcardd_exec)) +(typeattributeset sdcardfs_26_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file)) +(typeattributeset search_service_26_0 (search_service)) +(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service)) +(typeattributeset selinuxfs_26_0 (selinuxfs)) +(typeattributeset sensors_device_26_0 (sensors_device)) +(typeattributeset sensorservice_service_26_0 (sensorservice_service)) +(typeattributeset sepolicy_file_26_0 (sepolicy_file)) +(typeattributeset serial_device_26_0 (serial_device)) +(typeattributeset serialno_prop_26_0 (serialno_prop)) +(typeattributeset serial_service_26_0 (serial_service)) +(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file)) +(typeattributeset servicediscovery_service_26_0 (servicediscovery_service)) +(typeattributeset servicemanager_26_0 (servicemanager)) +(typeattributeset servicemanager_exec_26_0 (servicemanager_exec)) +(typeattributeset settings_service_26_0 (settings_service)) +(typeattributeset sgdisk_26_0 (sgdisk)) +(typeattributeset sgdisk_exec_26_0 (sgdisk_exec)) +(typeattributeset shared_relro_26_0 (shared_relro)) +(typeattributeset shared_relro_file_26_0 (shared_relro_file)) +(typeattributeset shell_26_0 (shell)) +(typeattributeset shell_data_file_26_0 (shell_data_file)) +(typeattributeset shell_exec_26_0 (shell_exec)) +(typeattributeset shell_prop_26_0 (shell_prop)) +(typeattributeset shm_26_0 (shm)) +(typeattributeset shortcut_manager_icons_26_0 
(shortcut_manager_icons)) +(typeattributeset shortcut_service_26_0 (shortcut_service)) +(typeattributeset slideshow_26_0 (slideshow)) +(typeattributeset socket_device_26_0 (socket_device)) +(typeattributeset sockfs_26_0 (sockfs)) +(typeattributeset statusbar_service_26_0 (statusbar_service)) +(typeattributeset storaged_service_26_0 (storaged_service)) +(typeattributeset storage_file_26_0 (storage_file)) +(typeattributeset storagestats_service_26_0 (storagestats_service)) +(typeattributeset storage_stub_file_26_0 (storage_stub_file)) +(typeattributeset su_26_0 (su)) +(typeattributeset su_exec_26_0 (su_exec)) +(typeattributeset surfaceflinger_26_0 (surfaceflinger)) +(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service)) +(typeattributeset swap_block_device_26_0 (swap_block_device)) +(typeattributeset sysfs_26_0 + ( sysfs + sysfs_android_usb + sysfs_dm + sysfs_dt_firmware_android + sysfs_ipv4 + sysfs_kernel_notes + sysfs_loop + sysfs_net + sysfs_power + sysfs_rtc + sysfs_switch + sysfs_wakeup_reasons)) +(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo)) +(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable)) +(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu)) +(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom)) +(typeattributeset sysfs_leds_26_0 (sysfs_leds)) +(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller)) +(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address)) +(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable)) +(typeattributeset sysfs_thermal_26_0 (sysfs_thermal)) +(typeattributeset sysfs_uio_26_0 (sysfs_uio)) +(typeattributeset sysfs_usb_26_0 (sysfs_usb)) +(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator)) +(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock)) +(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath)) +(typeattributeset sysfs_zram_26_0 (sysfs_zram)) +(typeattributeset sysfs_zram_uevent_26_0 
(sysfs_zram_uevent)) +(typeattributeset system_app_26_0 (system_app)) +(typeattributeset system_app_data_file_26_0 (system_app_data_file)) +(typeattributeset system_app_service_26_0 (system_app_service)) +(typeattributeset system_block_device_26_0 (system_block_device)) +(typeattributeset system_data_file_26_0 + ( system_data_file + dropbox_data_file + vendor_data_file)) +(typeattributeset system_file_26_0 + ( system_file + system_lib_file + system_linker_config_file + system_linker_exec + system_seccomp_policy_file + system_security_cacerts_file + system_zoneinfo_file +)) +(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file)) +(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket)) +(typeattributeset system_prop_26_0 (system_prop)) +(typeattributeset system_radio_prop_26_0 (system_radio_prop)) +(typeattributeset system_server_26_0 (system_server)) +(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice)) +(typeattributeset system_wpa_socket_26_0 (system_wpa_socket)) +(typeattributeset task_service_26_0 (task_service)) +(typeattributeset tee_26_0 (tee)) +(typeattributeset tee_data_file_26_0 (tee_data_file)) +(typeattributeset tee_device_26_0 (tee_device)) +(typeattributeset telecom_service_26_0 (telecom_service)) +(typeattributeset textclassification_service_26_0 (textclassification_service)) +(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file)) +(typeattributeset textservices_service_26_0 (textservices_service)) +(typeattributeset tmpfs_26_0 (tmpfs)) +(typeattributeset tombstoned_26_0 (tombstoned)) +(typeattributeset tombstone_data_file_26_0 (tombstone_data_file)) +(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket)) +(typeattributeset tombstoned_exec_26_0 (tombstoned_exec)) +(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket)) +(typeattributeset toolbox_26_0 (toolbox)) +(typeattributeset toolbox_exec_26_0 (toolbox_exec)) 
+(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable)) +(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug)) +(typeattributeset trust_service_26_0 (trust_service)) +(typeattributeset tty_device_26_0 (tty_device)) +(typeattributeset tun_device_26_0 (tun_device)) +(typeattributeset tv_input_service_26_0 (tv_input_service)) +(typeattributeset tzdatacheck_26_0 (tzdatacheck)) +(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec)) +(typeattributeset ueventd_26_0 (ueventd)) +(typeattributeset uhid_device_26_0 (uhid_device)) +(typeattributeset uimode_service_26_0 (uimode_service)) +(typeattributeset uio_device_26_0 (uio_device)) +(typeattributeset uncrypt_26_0 (uncrypt)) +(typeattributeset uncrypt_exec_26_0 (uncrypt_exec)) +(typeattributeset uncrypt_socket_26_0 (uncrypt_socket)) +(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file)) +(typeattributeset unlabeled_26_0 (unlabeled)) +(typeattributeset untrusted_app_25_26_0 (untrusted_app_25)) +(typeattributeset untrusted_app_26_0 + ( untrusted_app + untrusted_app_27)) +(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app)) +(typeattributeset update_engine_26_0 (update_engine)) +(typeattributeset update_engine_data_file_26_0 (update_engine_data_file)) +(typeattributeset update_engine_exec_26_0 (update_engine_exec)) +(typeattributeset update_engine_service_26_0 (update_engine_service)) +(typeattributeset updatelock_service_26_0 (updatelock_service)) +(typeattributeset update_verifier_26_0 (update_verifier)) +(typeattributeset update_verifier_exec_26_0 (update_verifier_exec)) +(typeattributeset usagestats_service_26_0 (usagestats_service)) +(typeattributeset usbaccessory_device_26_0 (usbaccessory_device)) +(typeattributeset usb_device_26_0 (usb_device)) +(typeattributeset usbfs_26_0 (usbfs)) +(typeattributeset usb_service_26_0 (usb_service)) +(typeattributeset userdata_block_device_26_0 (userdata_block_device)) 
+(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper)) +(typeattributeset user_profile_data_file_26_0 (user_profile_data_file)) +(typeattributeset user_service_26_0 (user_service)) +(typeattributeset vcs_device_26_0 (vcs_device)) +(typeattributeset vdc_26_0 (vdc)) +(typeattributeset vdc_exec_26_0 (vdc_exec)) +(typeattributeset vendor_app_file_26_0 (vendor_app_file)) +(typeattributeset vendor_configs_file_26_0 (vendor_configs_file)) +(typeattributeset vendor_file_26_0 (vendor_file)) +(typeattributeset vendor_framework_file_26_0 (vendor_framework_file)) +(typeattributeset vendor_hal_file_26_0 (vendor_hal_file)) +(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file)) +(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec)) +(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec)) +(typeattributeset vfat_26_0 (vfat)) +(typeattributeset vibrator_service_26_0 (vibrator_service)) +(typeattributeset video_device_26_0 (video_device)) +(typeattributeset virtual_touchpad_26_0 (virtual_touchpad)) +(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec)) +(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service)) +(typeattributeset vndbinder_device_26_0 (vndbinder_device)) +(typeattributeset vndk_sp_file_26_0 (vndk_sp_file)) +(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file)) +(typeattributeset vndservicemanager_26_0 (vndservicemanager)) +(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service)) +(typeattributeset vold_26_0 (vold)) +(typeattributeset vold_data_file_26_0 (vold_data_file)) +(typeattributeset vold_device_26_0 (vold_device)) +(typeattributeset vold_exec_26_0 (vold_exec)) +(typeattributeset vold_prop_26_0 (vold_prop)) +(typeattributeset vold_socket_26_0 (vold_socket)) +(typeattributeset vpn_data_file_26_0 (vpn_data_file)) +(typeattributeset vr_hwc_26_0 (vr_hwc)) +(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec)) +(typeattributeset 
vr_hwc_service_26_0 (vr_hwc_service)) +(typeattributeset vr_manager_service_26_0 (vr_manager_service)) +(typeattributeset wallpaper_file_26_0 (wallpaper_file)) +(typeattributeset wallpaper_service_26_0 (wallpaper_service)) +(typeattributeset watchdogd_26_0 (watchdogd)) +(typeattributeset watchdog_device_26_0 (watchdog_device)) +(typeattributeset webviewupdate_service_26_0 (webviewupdate_service)) +(typeattributeset webview_zygote_26_0 (webview_zygote)) +(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec)) +(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket)) +(typeattributeset wifiaware_service_26_0 (wifiaware_service)) +(typeattributeset wificond_26_0 (wificond)) +(typeattributeset wificond_exec_26_0 (wificond_exec)) +(typeattributeset wificond_service_26_0 (wificond_service)) +(typeattributeset wifi_data_file_26_0 (wifi_data_file)) +(typeattributeset wifi_log_prop_26_0 (wifi_log_prop)) +(typeattributeset wifip2p_service_26_0 (wifip2p_service)) +(typeattributeset wifi_prop_26_0 (wifi_prop)) +(typeattributeset wifiscanner_service_26_0 (wifiscanner_service)) +(typeattributeset wifi_service_26_0 (wifi_service)) +(typeattributeset window_service_26_0 (window_service)) +(typeattributeset wpa_socket_26_0 (wpa_socket)) +(typeattributeset zero_device_26_0 (zero_device)) +(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file)) +(typeattributeset zygote_26_0 (zygote)) +(typeattributeset zygote_exec_26_0 (zygote_exec)) +(typeattributeset zygote_socket_26_0 (zygote_socket)) diff --git a/prebuilts/api/32.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/32.0/private/compat/26.0/26.0.compat.cil new file mode 100644 index 000000000..2e85b23fc --- /dev/null +++ b/prebuilts/api/32.0/private/compat/26.0/26.0.compat.cil 
@@ -0,0 +1,11 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/32.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/32.0/private/compat/26.0/26.0.ignore.cil
new file mode 100644
index 000000000..98d5840f6
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/26.0/26.0.ignore.cil
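Review bot: The 26.0.compat.cil hunk has no comment explaining why `vendordomain` (every domain that is not `coredomain`, per the second line) is granted the full ioctl range `0x0000 0xffff` on all `dev_type` blk_files and all `file_type` files, nor why `mlsvendorcompat` receives broad dir/file access to `app_data_file` and `privapp_data_file`; a reader auditing these grants has to infer the intent from the file name alone. Since this copy lives under prebuilts/api/32.0 and is presumably a snapshot, the comment belongs in the source file it was taken from rather than in the prebuilt. A one-line header such as `;; 26.0 compat shim: vendordomain = every domain that is not coredomain; the full ioctl ranges and app data access below are kept for vendor policy at this level — review before widening.` would make the scope of these allowances explicit.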
@@ -0,0 +1,238 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ activity_task_service
+ adb_service
+ adbd_exec
+ app_binding_service
+ apex_data_file
+ apex_metadata_file
+ apex_mnt_dir
+ apex_service
+ apexd
+ apexd_exec
+ apexd_prop
+ apexd_tmpfs
+ app_zygote
+ audio_config_prop
+ atrace
+ binder_calls_stats_service
+ biometric_service
+ boot_status_prop
+ bootloader_boot_reason_prop
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
+ bluetooth_a2dp_offload_prop
+ bpfloader
+ bpfloader_exec
+ broadcastradio_service
+ cgroup_bpf
+ charger_exec
+ color_display_service
+ content_capture_service
+ crossprofileapps_service
+ ctl_apexd_prop
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
+ dalvik_config_prop
+ device_config_boot_count_prop
+ device_config_reset_performed_prop
+ device_config_netd_native_prop
+ dnsresolver_service
+ e2fs
+ e2fs_exec
+ exfat
+ exported_audio_prop
+ exported_bluetooth_prop
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_secure_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported_wifi_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_radio_prop
+ exported3_system_prop
+ fastbootd
+ fingerprint_vendor_data_file
+ flags_health_check
+ flags_health_check_exec
+ fs_bpf
+ fwk_stats_hwservice
+ hal_atrace_hwservice
+ hal_audiocontrol_hwservice
+ hal_authsecret_hwservice
+ hal_broadcastradio_hwservice
+ hal_cas_hwservice
+ hal_codec2_hwservice
+ hal_confirmationui_hwservice
+ hal_evs_hwservice
+ hal_health_storage_hwservice
+ hal_lowpan_hwservice
+ hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
+ hal_tetheroffload_hwservice
+ hal_wifi_hostapd_hwservice
+ hal_usb_gadget_hwservice
+ hal_vehicle_hwservice
+ hal_wifi_offload_hwservice
+ heapprofd
+ heapprofd_exec
+ heapprofd_socket
+ incident_helper
+ incident_helper_exec
+ iorapd
+ iorapd_data_file
+ iorapd_exec
+ iorapd_service
+ iorapd_tmpfs
+ kmsg_debug_device
+ last_boot_reason_prop
+ llkd
+ llkd_exec
+ llkd_prop
+ llkd_tmpfs
+ lmkd_config_prop
+ looper_stats_service
+ lowpan_device
+ lowpan_prop
+ lowpan_service
+ mediaswcodec
+ mediaswcodec_exec
+ mediaswcodec_tmpfs
+ mediaextractor_update_service
+ mediaprovider_tmpfs
+ metadata_bootstat_file
+ metadata_file
+ mnt_product_file
+ mnt_vendor_file
+ netd_stable_secret_prop
+ network_stack
+ network_stack_service
+ network_watchlist_data_file
+ network_watchlist_service
+ overlayfs_file
+ package_native_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
+ property_info
+ recovery_socket
+ role_service
+ runas_app
+ art_apex_dir
+ runtime_service
+ secure_element
+ secure_element_device
+ secure_element_tmpfs
+ secure_element_service
+ server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
+ slice_service
+ socket_hook_prop
+ staging_data_file
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
+ statsdw
+ statsdw_socket
+ statscompanion_service
+ storaged_data_file
+ super_block_device
+ surfaceflinger_color_prop
+ surfaceflinger_prop
+ sysfs_fs_ext4_features
+ system_boot_reason_prop
+ system_bootstrap_lib_file
+ system_lmk_prop
+ system_net_netd_hwservice
+ system_update_service
+ systemsound_config_prop
+ test_boot_reason_prop
+ thermal_service
+ thermalcallback_hwservice
+ thermalserviced
+ thermalserviced_exec
+ thermalserviced_tmpfs
+ time_prop
+ timedetector_service
+ timezone_service
+ tombstoned_java_trace_socket
+ tombstone_wifi_data_file
+ trace_data_file
+ traceur_app
+ traceur_app_tmpfs
+ traced
+ traced_consumer_socket
+ traced_enabled_prop
+ traced_exec
+ traced_probes
+ traced_probes_exec
+ traced_probes_tmpfs
+ traced_producer_socket
+ traced_tmpfs
+ untrusted_app_all_devpts
+ update_engine_log_data_file
+ vendor_default_prop
+ vendor_security_patch_level_prop
+ uri_grants_service
+ usbd
+ usbd_exec
+ usbd_tmpfs
+ vendor_apex_file
+ vendor_init
+ vendor_shell
+ vendor_socket_hook_prop
+ vndk_prop
+ vold_config_prop
+ vold_metadata_file
+ vold_post_fs_data_prop
+ vold_prepare_subdirs
+ vold_prepare_subdirs_exec
+ vold_service
+ vold_status_prop
+ vrflinger_vsync_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
+ watchdogd_tmpfs
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs
+ wm_trace_data_file))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(type priv_objects)
+(typeattribute priv_objects)
+(typeattributeset priv_objects
+ ( priv_objects
+ adbd_tmpfs
+ untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/32.0/private/compat/27.0/27.0.cil b/prebuilts/api/32.0/private/compat/27.0/27.0.cil
new file mode 100644
index 000000000..0d883c0c7
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/27.0/27.0.cil
@@ -0,0 +1,1507 @@ +;; attributes removed from current policy +(typeattribute hal_wifi_offload) +(typeattribute hal_wifi_offload_client) +(typeattribute hal_wifi_offload_server) + +;; types removed from current policy +(type commontime_management_service) +(type hal_wifi_offload_hwservice) +(type mediacodec) +(type mediacodec_exec) +(type netd_socket) +(type qtaguid_proc) +(type reboot_data_file) +(type rild) +(type untrusted_v2_app) +(type webview_zygote_socket) +(type vold_socket) + +(expandtypeattribute (accessibility_service_27_0) true) +(expandtypeattribute (account_service_27_0) true) +(expandtypeattribute (activity_service_27_0) true) +(expandtypeattribute (adbd_27_0) true) +(expandtypeattribute (adb_data_file_27_0) true) +(expandtypeattribute (adbd_exec_27_0) true) +(expandtypeattribute (adbd_socket_27_0) true) +(expandtypeattribute (adb_keys_file_27_0) true) +(expandtypeattribute (alarm_device_27_0) true) +(expandtypeattribute (alarm_service_27_0) true) +(expandtypeattribute (anr_data_file_27_0) true) +(expandtypeattribute (apk_data_file_27_0) true) +(expandtypeattribute (apk_private_data_file_27_0) true) +(expandtypeattribute (apk_private_tmp_file_27_0) true) +(expandtypeattribute (apk_tmp_file_27_0) true) +(expandtypeattribute (app_data_file_27_0) true) +(expandtypeattribute (app_fuse_file_27_0) true) +(expandtypeattribute (app_fusefs_27_0) true) +(expandtypeattribute (appops_service_27_0) true) +(expandtypeattribute (appwidget_service_27_0) true) +(expandtypeattribute (asec_apk_file_27_0) true) +(expandtypeattribute (asec_image_file_27_0) true) +(expandtypeattribute (asec_public_file_27_0) true) +(expandtypeattribute (ashmem_device_27_0) true) +(expandtypeattribute (assetatlas_service_27_0) true) +(expandtypeattribute (audio_data_file_27_0) true) +(expandtypeattribute (audio_device_27_0) true) +(expandtypeattribute (audiohal_data_file_27_0) true) +(expandtypeattribute (audio_prop_27_0) true) +(expandtypeattribute (audio_seq_device_27_0) true) 
+(expandtypeattribute (audioserver_27_0) true) +(expandtypeattribute (audioserver_data_file_27_0) true) +(expandtypeattribute (audioserver_service_27_0) true) +(expandtypeattribute (audio_service_27_0) true) +(expandtypeattribute (audio_timer_device_27_0) true) +(expandtypeattribute (autofill_service_27_0) true) +(expandtypeattribute (backup_data_file_27_0) true) +(expandtypeattribute (backup_service_27_0) true) +(expandtypeattribute (batteryproperties_service_27_0) true) +(expandtypeattribute (battery_service_27_0) true) +(expandtypeattribute (batterystats_service_27_0) true) +(expandtypeattribute (binder_device_27_0) true) +(expandtypeattribute (binfmt_miscfs_27_0) true) +(expandtypeattribute (blkid_27_0) true) +(expandtypeattribute (blkid_untrusted_27_0) true) +(expandtypeattribute (block_device_27_0) true) +(expandtypeattribute (bluetooth_27_0) true) +(expandtypeattribute (bluetooth_data_file_27_0) true) +(expandtypeattribute (bluetooth_efs_file_27_0) true) +(expandtypeattribute (bluetooth_logs_data_file_27_0) true) +(expandtypeattribute (bluetooth_manager_service_27_0) true) +(expandtypeattribute (bluetooth_prop_27_0) true) +(expandtypeattribute (bluetooth_service_27_0) true) +(expandtypeattribute (bluetooth_socket_27_0) true) +(expandtypeattribute (bootanim_27_0) true) +(expandtypeattribute (bootanim_exec_27_0) true) +(expandtypeattribute (boot_block_device_27_0) true) +(expandtypeattribute (bootchart_data_file_27_0) true) +(expandtypeattribute (bootstat_27_0) true) +(expandtypeattribute (bootstat_data_file_27_0) true) +(expandtypeattribute (bootstat_exec_27_0) true) +(expandtypeattribute (boottime_prop_27_0) true) +(expandtypeattribute (boottrace_data_file_27_0) true) +(expandtypeattribute (broadcastradio_service_27_0) true) +(expandtypeattribute (bufferhubd_27_0) true) +(expandtypeattribute (bufferhubd_exec_27_0) true) +(expandtypeattribute (cache_backup_file_27_0) true) +(expandtypeattribute (cache_block_device_27_0) true) +(expandtypeattribute 
(cache_file_27_0) true) +(expandtypeattribute (cache_private_backup_file_27_0) true) +(expandtypeattribute (cache_recovery_file_27_0) true) +(expandtypeattribute (camera_data_file_27_0) true) +(expandtypeattribute (camera_device_27_0) true) +(expandtypeattribute (cameraproxy_service_27_0) true) +(expandtypeattribute (cameraserver_27_0) true) +(expandtypeattribute (cameraserver_exec_27_0) true) +(expandtypeattribute (cameraserver_service_27_0) true) +(expandtypeattribute (cgroup_27_0) true) +(expandtypeattribute (charger_27_0) true) +(expandtypeattribute (clatd_27_0) true) +(expandtypeattribute (clatd_exec_27_0) true) +(expandtypeattribute (clipboard_service_27_0) true) +(expandtypeattribute (commontime_management_service_27_0) true) +(expandtypeattribute (companion_device_service_27_0) true) +(expandtypeattribute (configfs_27_0) true) +(expandtypeattribute (config_prop_27_0) true) +(expandtypeattribute (connectivity_service_27_0) true) +(expandtypeattribute (connmetrics_service_27_0) true) +(expandtypeattribute (console_device_27_0) true) +(expandtypeattribute (consumer_ir_service_27_0) true) +(expandtypeattribute (content_service_27_0) true) +(expandtypeattribute (contexthub_service_27_0) true) +(expandtypeattribute (coredump_file_27_0) true) +(expandtypeattribute (country_detector_service_27_0) true) +(expandtypeattribute (coverage_service_27_0) true) +(expandtypeattribute (cppreopt_prop_27_0) true) +(expandtypeattribute (cppreopts_27_0) true) +(expandtypeattribute (cppreopts_exec_27_0) true) +(expandtypeattribute (cpuctl_device_27_0) true) +(expandtypeattribute (cpuinfo_service_27_0) true) +(expandtypeattribute (crash_dump_27_0) true) +(expandtypeattribute (crash_dump_exec_27_0) true) +(expandtypeattribute (ctl_bootanim_prop_27_0) true) +(expandtypeattribute (ctl_bugreport_prop_27_0) true) +(expandtypeattribute (ctl_console_prop_27_0) true) +(expandtypeattribute (ctl_default_prop_27_0) true) +(expandtypeattribute (ctl_dumpstate_prop_27_0) true) 
+(expandtypeattribute (ctl_fuse_prop_27_0) true) +(expandtypeattribute (ctl_mdnsd_prop_27_0) true) +(expandtypeattribute (ctl_rildaemon_prop_27_0) true) +(expandtypeattribute (dalvikcache_data_file_27_0) true) +(expandtypeattribute (dalvik_prop_27_0) true) +(expandtypeattribute (dbinfo_service_27_0) true) +(expandtypeattribute (debugfs_27_0) true) +(expandtypeattribute (debugfs_mmc_27_0) true) +(expandtypeattribute (debugfs_trace_marker_27_0) true) +(expandtypeattribute (debugfs_tracing_27_0) true) +(expandtypeattribute (debugfs_tracing_debug_27_0) true) +(expandtypeattribute (debugfs_tracing_instances_27_0) true) +(expandtypeattribute (debugfs_wifi_tracing_27_0) true) +(expandtypeattribute (debuggerd_prop_27_0) true) +(expandtypeattribute (debug_prop_27_0) true) +(expandtypeattribute (default_android_hwservice_27_0) true) +(expandtypeattribute (default_android_service_27_0) true) +(expandtypeattribute (default_android_vndservice_27_0) true) +(expandtypeattribute (default_prop_27_0) true) +(expandtypeattribute (device_27_0) true) +(expandtypeattribute (device_identifiers_service_27_0) true) +(expandtypeattribute (deviceidle_service_27_0) true) +(expandtypeattribute (device_logging_prop_27_0) true) +(expandtypeattribute (device_policy_service_27_0) true) +(expandtypeattribute (devicestoragemonitor_service_27_0) true) +(expandtypeattribute (devpts_27_0) true) +(expandtypeattribute (dex2oat_27_0) true) +(expandtypeattribute (dex2oat_exec_27_0) true) +(expandtypeattribute (dhcp_27_0) true) +(expandtypeattribute (dhcp_data_file_27_0) true) +(expandtypeattribute (dhcp_exec_27_0) true) +(expandtypeattribute (dhcp_prop_27_0) true) +(expandtypeattribute (diskstats_service_27_0) true) +(expandtypeattribute (display_service_27_0) true) +(expandtypeattribute (dm_device_27_0) true) +(expandtypeattribute (dnsmasq_27_0) true) +(expandtypeattribute (dnsmasq_exec_27_0) true) +(expandtypeattribute (dnsproxyd_socket_27_0) true) +(expandtypeattribute (DockObserver_service_27_0) true) 
+(expandtypeattribute (dreams_service_27_0) true) +(expandtypeattribute (drm_data_file_27_0) true) +(expandtypeattribute (drmserver_27_0) true) +(expandtypeattribute (drmserver_exec_27_0) true) +(expandtypeattribute (drmserver_service_27_0) true) +(expandtypeattribute (drmserver_socket_27_0) true) +(expandtypeattribute (dropbox_service_27_0) true) +(expandtypeattribute (dumpstate_27_0) true) +(expandtypeattribute (dumpstate_exec_27_0) true) +(expandtypeattribute (dumpstate_options_prop_27_0) true) +(expandtypeattribute (dumpstate_prop_27_0) true) +(expandtypeattribute (dumpstate_service_27_0) true) +(expandtypeattribute (dumpstate_socket_27_0) true) +(expandtypeattribute (e2fs_27_0) true) +(expandtypeattribute (e2fs_exec_27_0) true) +(expandtypeattribute (efs_file_27_0) true) +(expandtypeattribute (ephemeral_app_27_0) true) +(expandtypeattribute (ethernet_service_27_0) true) +(expandtypeattribute (ffs_prop_27_0) true) +(expandtypeattribute (file_contexts_file_27_0) true) +(expandtypeattribute (fingerprintd_27_0) true) +(expandtypeattribute (fingerprintd_data_file_27_0) true) +(expandtypeattribute (fingerprintd_exec_27_0) true) +(expandtypeattribute (fingerprintd_service_27_0) true) +(expandtypeattribute (fingerprint_prop_27_0) true) +(expandtypeattribute (fingerprint_service_27_0) true) +(expandtypeattribute (firstboot_prop_27_0) true) +(expandtypeattribute (font_service_27_0) true) +(expandtypeattribute (frp_block_device_27_0) true) +(expandtypeattribute (fsck_27_0) true) +(expandtypeattribute (fsck_exec_27_0) true) +(expandtypeattribute (fscklogs_27_0) true) +(expandtypeattribute (fsck_untrusted_27_0) true) +(expandtypeattribute (full_device_27_0) true) +(expandtypeattribute (functionfs_27_0) true) +(expandtypeattribute (fuse_27_0) true) +(expandtypeattribute (fuse_device_27_0) true) +(expandtypeattribute (fwk_display_hwservice_27_0) true) +(expandtypeattribute (fwk_scheduler_hwservice_27_0) true) +(expandtypeattribute (fwk_sensor_hwservice_27_0) true) 
+(expandtypeattribute (fwmarkd_socket_27_0) true) +(expandtypeattribute (gatekeeperd_27_0) true) +(expandtypeattribute (gatekeeper_data_file_27_0) true) +(expandtypeattribute (gatekeeperd_exec_27_0) true) +(expandtypeattribute (gatekeeper_service_27_0) true) +(expandtypeattribute (gfxinfo_service_27_0) true) +(expandtypeattribute (gps_control_27_0) true) +(expandtypeattribute (gpu_device_27_0) true) +(expandtypeattribute (gpu_service_27_0) true) +(expandtypeattribute (graphics_device_27_0) true) +(expandtypeattribute (graphicsstats_service_27_0) true) +(expandtypeattribute (hal_audio_hwservice_27_0) true) +(expandtypeattribute (hal_bluetooth_hwservice_27_0) true) +(expandtypeattribute (hal_bootctl_hwservice_27_0) true) +(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true) +(expandtypeattribute (hal_camera_hwservice_27_0) true) +(expandtypeattribute (hal_cas_hwservice_27_0) true) +(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true) +(expandtypeattribute (hal_contexthub_hwservice_27_0) true) +(expandtypeattribute (hal_drm_hwservice_27_0) true) +(expandtypeattribute (hal_dumpstate_hwservice_27_0) true) +(expandtypeattribute (hal_fingerprint_hwservice_27_0) true) +(expandtypeattribute (hal_fingerprint_service_27_0) true) +(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true) +(expandtypeattribute (hal_gnss_hwservice_27_0) true) +(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true) +(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true) +(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true) +(expandtypeattribute (hal_health_hwservice_27_0) true) +(expandtypeattribute (hal_ir_hwservice_27_0) true) +(expandtypeattribute (hal_keymaster_hwservice_27_0) true) +(expandtypeattribute (hal_light_hwservice_27_0) true) +(expandtypeattribute (hal_memtrack_hwservice_27_0) true) +(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true) +(expandtypeattribute (hal_nfc_hwservice_27_0) true) 
+(expandtypeattribute (hal_oemlock_hwservice_27_0) true) +(expandtypeattribute (hal_omx_hwservice_27_0) true) +(expandtypeattribute (hal_power_hwservice_27_0) true) +(expandtypeattribute (hal_renderscript_hwservice_27_0) true) +(expandtypeattribute (hal_sensors_hwservice_27_0) true) +(expandtypeattribute (hal_telephony_hwservice_27_0) true) +(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true) +(expandtypeattribute (hal_thermal_hwservice_27_0) true) +(expandtypeattribute (hal_tv_cec_hwservice_27_0) true) +(expandtypeattribute (hal_tv_input_hwservice_27_0) true) +(expandtypeattribute (hal_usb_hwservice_27_0) true) +(expandtypeattribute (hal_vibrator_hwservice_27_0) true) +(expandtypeattribute (hal_vr_hwservice_27_0) true) +(expandtypeattribute (hal_weaver_hwservice_27_0) true) +(expandtypeattribute (hal_wifi_hwservice_27_0) true) +(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true) +(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true) +(expandtypeattribute (hardware_properties_service_27_0) true) +(expandtypeattribute (hardware_service_27_0) true) +(expandtypeattribute (hci_attach_dev_27_0) true) +(expandtypeattribute (hdmi_control_service_27_0) true) +(expandtypeattribute (healthd_27_0) true) +(expandtypeattribute (healthd_exec_27_0) true) +(expandtypeattribute (heapdump_data_file_27_0) true) +(expandtypeattribute (hidl_allocator_hwservice_27_0) true) +(expandtypeattribute (hidl_base_hwservice_27_0) true) +(expandtypeattribute (hidl_manager_hwservice_27_0) true) +(expandtypeattribute (hidl_memory_hwservice_27_0) true) +(expandtypeattribute (hidl_token_hwservice_27_0) true) +(expandtypeattribute (hwbinder_device_27_0) true) +(expandtypeattribute (hw_random_device_27_0) true) +(expandtypeattribute (hwservice_contexts_file_27_0) true) +(expandtypeattribute (hwservicemanager_27_0) true) +(expandtypeattribute (hwservicemanager_exec_27_0) true) +(expandtypeattribute (hwservicemanager_prop_27_0) true) +(expandtypeattribute (i2c_device_27_0) 
true) +(expandtypeattribute (icon_file_27_0) true) +(expandtypeattribute (idmap_27_0) true) +(expandtypeattribute (idmap_exec_27_0) true) +(expandtypeattribute (iio_device_27_0) true) +(expandtypeattribute (imms_service_27_0) true) +(expandtypeattribute (incident_27_0) true) +(expandtypeattribute (incidentd_27_0) true) +(expandtypeattribute (incident_data_file_27_0) true) +(expandtypeattribute (incident_service_27_0) true) +(expandtypeattribute (init_27_0) true) +(expandtypeattribute (init_exec_27_0) true) +(expandtypeattribute (inotify_27_0) true) +(expandtypeattribute (input_device_27_0) true) +(expandtypeattribute (inputflinger_27_0) true) +(expandtypeattribute (inputflinger_exec_27_0) true) +(expandtypeattribute (inputflinger_service_27_0) true) +(expandtypeattribute (input_method_service_27_0) true) +(expandtypeattribute (input_service_27_0) true) +(expandtypeattribute (installd_27_0) true) +(expandtypeattribute (install_data_file_27_0) true) +(expandtypeattribute (installd_exec_27_0) true) +(expandtypeattribute (installd_service_27_0) true) +(expandtypeattribute (install_recovery_27_0) true) +(expandtypeattribute (install_recovery_exec_27_0) true) +(expandtypeattribute (ion_device_27_0) true) +(expandtypeattribute (IProxyService_service_27_0) true) +(expandtypeattribute (ipsec_service_27_0) true) +(expandtypeattribute (isolated_app_27_0) true) +(expandtypeattribute (jobscheduler_service_27_0) true) +(expandtypeattribute (kernel_27_0) true) +(expandtypeattribute (keychain_data_file_27_0) true) +(expandtypeattribute (keychord_device_27_0) true) +(expandtypeattribute (keystore_27_0) true) +(expandtypeattribute (keystore_data_file_27_0) true) +(expandtypeattribute (keystore_exec_27_0) true) +(expandtypeattribute (keystore_service_27_0) true) +(expandtypeattribute (kmem_device_27_0) true) +(expandtypeattribute (kmsg_debug_device_27_0) true) +(expandtypeattribute (kmsg_device_27_0) true) +(expandtypeattribute (labeledfs_27_0) true) +(expandtypeattribute 
(launcherapps_service_27_0) true) +(expandtypeattribute (lmkd_27_0) true) +(expandtypeattribute (lmkd_exec_27_0) true) +(expandtypeattribute (lmkd_socket_27_0) true) +(expandtypeattribute (location_service_27_0) true) +(expandtypeattribute (lock_settings_service_27_0) true) +(expandtypeattribute (logcat_exec_27_0) true) +(expandtypeattribute (logd_27_0) true) +(expandtypeattribute (logd_exec_27_0) true) +(expandtypeattribute (logd_prop_27_0) true) +(expandtypeattribute (logdr_socket_27_0) true) +(expandtypeattribute (logd_socket_27_0) true) +(expandtypeattribute (logdw_socket_27_0) true) +(expandtypeattribute (logpersist_27_0) true) +(expandtypeattribute (logpersistd_logging_prop_27_0) true) +(expandtypeattribute (log_prop_27_0) true) +(expandtypeattribute (log_tag_prop_27_0) true) +(expandtypeattribute (loop_control_device_27_0) true) +(expandtypeattribute (loop_device_27_0) true) +(expandtypeattribute (mac_perms_file_27_0) true) +(expandtypeattribute (mdnsd_27_0) true) +(expandtypeattribute (mdnsd_socket_27_0) true) +(expandtypeattribute (mdns_socket_27_0) true) +(expandtypeattribute (mediacodec_27_0) true) +(expandtypeattribute (mediacodec_exec_27_0) true) +(expandtypeattribute (mediacodec_service_27_0) true) +(expandtypeattribute (media_data_file_27_0) true) +(expandtypeattribute (mediadrmserver_27_0) true) +(expandtypeattribute (mediadrmserver_exec_27_0) true) +(expandtypeattribute (mediadrmserver_service_27_0) true) +(expandtypeattribute (mediaextractor_27_0) true) +(expandtypeattribute (mediaextractor_exec_27_0) true) +(expandtypeattribute (mediaextractor_service_27_0) true) +(expandtypeattribute (mediametrics_27_0) true) +(expandtypeattribute (mediametrics_exec_27_0) true) +(expandtypeattribute (mediametrics_service_27_0) true) +(expandtypeattribute (media_projection_service_27_0) true) +(expandtypeattribute (mediaprovider_27_0) true) +(expandtypeattribute (media_router_service_27_0) true) +(expandtypeattribute (media_rw_data_file_27_0) true) 
+(expandtypeattribute (mediaserver_27_0) true) +(expandtypeattribute (mediaserver_exec_27_0) true) +(expandtypeattribute (mediaserver_service_27_0) true) +(expandtypeattribute (media_session_service_27_0) true) +(expandtypeattribute (meminfo_service_27_0) true) +(expandtypeattribute (metadata_block_device_27_0) true) +(expandtypeattribute (method_trace_data_file_27_0) true) +(expandtypeattribute (midi_service_27_0) true) +(expandtypeattribute (misc_block_device_27_0) true) +(expandtypeattribute (misc_logd_file_27_0) true) +(expandtypeattribute (misc_user_data_file_27_0) true) +(expandtypeattribute (mmc_prop_27_0) true) +(expandtypeattribute (mnt_expand_file_27_0) true) +(expandtypeattribute (mnt_media_rw_file_27_0) true) +(expandtypeattribute (mnt_media_rw_stub_file_27_0) true) +(expandtypeattribute (mnt_user_file_27_0) true) +(expandtypeattribute (modprobe_27_0) true) +(expandtypeattribute (mount_service_27_0) true) +(expandtypeattribute (mqueue_27_0) true) +(expandtypeattribute (mtd_device_27_0) true) +(expandtypeattribute (mtp_27_0) true) +(expandtypeattribute (mtp_device_27_0) true) +(expandtypeattribute (mtpd_socket_27_0) true) +(expandtypeattribute (mtp_exec_27_0) true) +(expandtypeattribute (nativetest_data_file_27_0) true) +(expandtypeattribute (netd_27_0) true) +(expandtypeattribute (net_data_file_27_0) true) +(expandtypeattribute (netd_exec_27_0) true) +(expandtypeattribute (netd_listener_service_27_0) true) +(expandtypeattribute (net_dns_prop_27_0) true) +(expandtypeattribute (netd_service_27_0) true) +(expandtypeattribute (netd_socket_27_0) true) +(expandtypeattribute (netd_stable_secret_prop_27_0) true) +(expandtypeattribute (netif_27_0) true) +(expandtypeattribute (netpolicy_service_27_0) true) +(expandtypeattribute (net_radio_prop_27_0) true) +(expandtypeattribute (netstats_service_27_0) true) +(expandtypeattribute (netutils_wrapper_27_0) true) +(expandtypeattribute (netutils_wrapper_exec_27_0) true) +(expandtypeattribute 
(network_management_service_27_0) true) +(expandtypeattribute (network_score_service_27_0) true) +(expandtypeattribute (network_time_update_service_27_0) true) +(expandtypeattribute (nfc_27_0) true) +(expandtypeattribute (nfc_data_file_27_0) true) +(expandtypeattribute (nfc_device_27_0) true) +(expandtypeattribute (nfc_prop_27_0) true) +(expandtypeattribute (nfc_service_27_0) true) +(expandtypeattribute (node_27_0) true) +(expandtypeattribute (nonplat_service_contexts_file_27_0) true) +(expandtypeattribute (notification_service_27_0) true) +(expandtypeattribute (null_device_27_0) true) +(expandtypeattribute (oemfs_27_0) true) +(expandtypeattribute (oem_lock_service_27_0) true) +(expandtypeattribute (ota_data_file_27_0) true) +(expandtypeattribute (otadexopt_service_27_0) true) +(expandtypeattribute (ota_package_file_27_0) true) +(expandtypeattribute (otapreopt_chroot_27_0) true) +(expandtypeattribute (otapreopt_chroot_exec_27_0) true) +(expandtypeattribute (otapreopt_slot_27_0) true) +(expandtypeattribute (otapreopt_slot_exec_27_0) true) +(expandtypeattribute (overlay_prop_27_0) true) +(expandtypeattribute (overlay_service_27_0) true) +(expandtypeattribute (owntty_device_27_0) true) +(expandtypeattribute (package_native_service_27_0) true) +(expandtypeattribute (package_service_27_0) true) +(expandtypeattribute (pan_result_prop_27_0) true) +(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true) +(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_bufferhub_dir_27_0) true) +(expandtypeattribute (pdx_display_client_channel_socket_27_0) true) +(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_display_dir_27_0) true) +(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true) +(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true) +(expandtypeattribute 
(pdx_display_screenshot_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true) +(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true) +(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_performance_dir_27_0) true) +(expandtypeattribute (performanced_27_0) true) +(expandtypeattribute (performanced_exec_27_0) true) +(expandtypeattribute (permission_service_27_0) true) +(expandtypeattribute (persist_debug_prop_27_0) true) +(expandtypeattribute (persistent_data_block_service_27_0) true) +(expandtypeattribute (persistent_properties_ready_prop_27_0) true) +(expandtypeattribute (pinner_service_27_0) true) +(expandtypeattribute (pipefs_27_0) true) +(expandtypeattribute (platform_app_27_0) true) +(expandtypeattribute (pmsg_device_27_0) true) +(expandtypeattribute (port_27_0) true) +(expandtypeattribute (port_device_27_0) true) +(expandtypeattribute (postinstall_27_0) true) +(expandtypeattribute (postinstall_dexopt_27_0) true) +(expandtypeattribute (postinstall_file_27_0) true) +(expandtypeattribute (postinstall_mnt_dir_27_0) true) +(expandtypeattribute (powerctl_prop_27_0) true) +(expandtypeattribute (power_service_27_0) true) +(expandtypeattribute (ppp_27_0) true) +(expandtypeattribute (ppp_device_27_0) true) +(expandtypeattribute (ppp_exec_27_0) true) +(expandtypeattribute (preloads_data_file_27_0) true) +(expandtypeattribute (preloads_media_file_27_0) true) +(expandtypeattribute (preopt2cachename_27_0) true) +(expandtypeattribute (preopt2cachename_exec_27_0) true) +(expandtypeattribute (print_service_27_0) true) +(expandtypeattribute (priv_app_27_0) true) +(expandtypeattribute (proc_27_0) true) +(expandtypeattribute (proc_bluetooth_writable_27_0) true) +(expandtypeattribute (proc_cpuinfo_27_0) true) +(expandtypeattribute (proc_drop_caches_27_0) true) +(expandtypeattribute 
(processinfo_service_27_0) true) +(expandtypeattribute (proc_interrupts_27_0) true) +(expandtypeattribute (proc_iomem_27_0) true) +(expandtypeattribute (proc_meminfo_27_0) true) +(expandtypeattribute (proc_misc_27_0) true) +(expandtypeattribute (proc_modules_27_0) true) +(expandtypeattribute (proc_net_27_0) true) +(expandtypeattribute (proc_overcommit_memory_27_0) true) +(expandtypeattribute (proc_perf_27_0) true) +(expandtypeattribute (proc_security_27_0) true) +(expandtypeattribute (proc_stat_27_0) true) +(expandtypeattribute (procstats_service_27_0) true) +(expandtypeattribute (proc_sysrq_27_0) true) +(expandtypeattribute (proc_timer_27_0) true) +(expandtypeattribute (proc_tty_drivers_27_0) true) +(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true) +(expandtypeattribute (proc_uid_cputime_showstat_27_0) true) +(expandtypeattribute (proc_uid_io_stats_27_0) true) +(expandtypeattribute (proc_uid_procstat_set_27_0) true) +(expandtypeattribute (proc_uid_time_in_state_27_0) true) +(expandtypeattribute (proc_zoneinfo_27_0) true) +(expandtypeattribute (profman_27_0) true) +(expandtypeattribute (profman_dump_data_file_27_0) true) +(expandtypeattribute (profman_exec_27_0) true) +(expandtypeattribute (properties_device_27_0) true) +(expandtypeattribute (properties_serial_27_0) true) +(expandtypeattribute (property_contexts_file_27_0) true) +(expandtypeattribute (property_data_file_27_0) true) +(expandtypeattribute (property_socket_27_0) true) +(expandtypeattribute (pstorefs_27_0) true) +(expandtypeattribute (ptmx_device_27_0) true) +(expandtypeattribute (qtaguid_device_27_0) true) +(expandtypeattribute (qtaguid_proc_27_0) true) +(expandtypeattribute (racoon_27_0) true) +(expandtypeattribute (racoon_exec_27_0) true) +(expandtypeattribute (racoon_socket_27_0) true) +(expandtypeattribute (radio_27_0) true) +(expandtypeattribute (radio_data_file_27_0) true) +(expandtypeattribute (radio_device_27_0) true) +(expandtypeattribute (radio_prop_27_0) true) 
+(expandtypeattribute (radio_service_27_0) true) +(expandtypeattribute (ram_device_27_0) true) +(expandtypeattribute (random_device_27_0) true) +(expandtypeattribute (reboot_data_file_27_0) true) +(expandtypeattribute (recovery_27_0) true) +(expandtypeattribute (recovery_block_device_27_0) true) +(expandtypeattribute (recovery_data_file_27_0) true) +(expandtypeattribute (recovery_persist_27_0) true) +(expandtypeattribute (recovery_persist_exec_27_0) true) +(expandtypeattribute (recovery_refresh_27_0) true) +(expandtypeattribute (recovery_refresh_exec_27_0) true) +(expandtypeattribute (recovery_service_27_0) true) +(expandtypeattribute (registry_service_27_0) true) +(expandtypeattribute (resourcecache_data_file_27_0) true) +(expandtypeattribute (restorecon_prop_27_0) true) +(expandtypeattribute (restrictions_service_27_0) true) +(expandtypeattribute (rild_27_0) true) +(expandtypeattribute (rild_debug_socket_27_0) true) +(expandtypeattribute (rild_socket_27_0) true) +(expandtypeattribute (ringtone_file_27_0) true) +(expandtypeattribute (root_block_device_27_0) true) +(expandtypeattribute (rootfs_27_0) true) +(expandtypeattribute (rpmsg_device_27_0) true) +(expandtypeattribute (rtc_device_27_0) true) +(expandtypeattribute (rttmanager_service_27_0) true) +(expandtypeattribute (runas_27_0) true) +(expandtypeattribute (runas_exec_27_0) true) +(expandtypeattribute (runtime_event_log_tags_file_27_0) true) +(expandtypeattribute (safemode_prop_27_0) true) +(expandtypeattribute (same_process_hal_file_27_0) true) +(expandtypeattribute (samplingprofiler_service_27_0) true) +(expandtypeattribute (scheduling_policy_service_27_0) true) +(expandtypeattribute (sdcardd_27_0) true) +(expandtypeattribute (sdcardd_exec_27_0) true) +(expandtypeattribute (sdcardfs_27_0) true) +(expandtypeattribute (seapp_contexts_file_27_0) true) +(expandtypeattribute (search_service_27_0) true) +(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true) +(expandtypeattribute (selinuxfs_27_0) 
true) +(expandtypeattribute (sensors_device_27_0) true) +(expandtypeattribute (sensorservice_service_27_0) true) +(expandtypeattribute (sepolicy_file_27_0) true) +(expandtypeattribute (serial_device_27_0) true) +(expandtypeattribute (serialno_prop_27_0) true) +(expandtypeattribute (serial_service_27_0) true) +(expandtypeattribute (service_contexts_file_27_0) true) +(expandtypeattribute (servicediscovery_service_27_0) true) +(expandtypeattribute (servicemanager_27_0) true) +(expandtypeattribute (servicemanager_exec_27_0) true) +(expandtypeattribute (settings_service_27_0) true) +(expandtypeattribute (sgdisk_27_0) true) +(expandtypeattribute (sgdisk_exec_27_0) true) +(expandtypeattribute (shared_relro_27_0) true) +(expandtypeattribute (shared_relro_file_27_0) true) +(expandtypeattribute (shell_27_0) true) +(expandtypeattribute (shell_data_file_27_0) true) +(expandtypeattribute (shell_exec_27_0) true) +(expandtypeattribute (shell_prop_27_0) true) +(expandtypeattribute (shm_27_0) true) +(expandtypeattribute (shortcut_manager_icons_27_0) true) +(expandtypeattribute (shortcut_service_27_0) true) +(expandtypeattribute (slideshow_27_0) true) +(expandtypeattribute (socket_device_27_0) true) +(expandtypeattribute (sockfs_27_0) true) +(expandtypeattribute (statusbar_service_27_0) true) +(expandtypeattribute (storaged_service_27_0) true) +(expandtypeattribute (storage_file_27_0) true) +(expandtypeattribute (storagestats_service_27_0) true) +(expandtypeattribute (storage_stub_file_27_0) true) +(expandtypeattribute (su_27_0) true) +(expandtypeattribute (su_exec_27_0) true) +(expandtypeattribute (surfaceflinger_27_0) true) +(expandtypeattribute (surfaceflinger_service_27_0) true) +(expandtypeattribute (swap_block_device_27_0) true) +(expandtypeattribute (sysfs_27_0) true) +(expandtypeattribute (sysfs_batteryinfo_27_0) true) +(expandtypeattribute (sysfs_bluetooth_writable_27_0) true) +(expandtypeattribute (sysfs_devices_system_cpu_27_0) true) +(expandtypeattribute 
(sysfs_fs_ext4_features_27_0) true) +(expandtypeattribute (sysfs_hwrandom_27_0) true) +(expandtypeattribute (sysfs_leds_27_0) true) +(expandtypeattribute (sysfs_lowmemorykiller_27_0) true) +(expandtypeattribute (sysfs_mac_address_27_0) true) +(expandtypeattribute (sysfs_nfc_power_writable_27_0) true) +(expandtypeattribute (sysfs_thermal_27_0) true) +(expandtypeattribute (sysfs_uio_27_0) true) +(expandtypeattribute (sysfs_usb_27_0) true) +(expandtypeattribute (sysfs_usermodehelper_27_0) true) +(expandtypeattribute (sysfs_vibrator_27_0) true) +(expandtypeattribute (sysfs_wake_lock_27_0) true) +(expandtypeattribute (sysfs_wlan_fwpath_27_0) true) +(expandtypeattribute (sysfs_zram_27_0) true) +(expandtypeattribute (sysfs_zram_uevent_27_0) true) +(expandtypeattribute (system_app_27_0) true) +(expandtypeattribute (system_app_data_file_27_0) true) +(expandtypeattribute (system_app_service_27_0) true) +(expandtypeattribute (system_block_device_27_0) true) +(expandtypeattribute (system_data_file_27_0) true) +(expandtypeattribute (system_file_27_0) true) +(expandtypeattribute (systemkeys_data_file_27_0) true) +(expandtypeattribute (system_ndebug_socket_27_0) true) +(expandtypeattribute (system_net_netd_hwservice_27_0) true) +(expandtypeattribute (system_prop_27_0) true) +(expandtypeattribute (system_radio_prop_27_0) true) +(expandtypeattribute (system_server_27_0) true) +(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true) +(expandtypeattribute (system_wpa_socket_27_0) true) +(expandtypeattribute (task_service_27_0) true) +(expandtypeattribute (tee_27_0) true) +(expandtypeattribute (tee_data_file_27_0) true) +(expandtypeattribute (tee_device_27_0) true) +(expandtypeattribute (telecom_service_27_0) true) +(expandtypeattribute (textclassification_service_27_0) true) +(expandtypeattribute (textclassifier_data_file_27_0) true) +(expandtypeattribute (textservices_service_27_0) true) +(expandtypeattribute (thermalcallback_hwservice_27_0) true) +(expandtypeattribute 
(thermal_service_27_0) true) +(expandtypeattribute (thermalserviced_27_0) true) +(expandtypeattribute (thermalserviced_exec_27_0) true) +(expandtypeattribute (timezone_service_27_0) true) +(expandtypeattribute (tmpfs_27_0) true) +(expandtypeattribute (tombstoned_27_0) true) +(expandtypeattribute (tombstone_data_file_27_0) true) +(expandtypeattribute (tombstoned_crash_socket_27_0) true) +(expandtypeattribute (tombstoned_exec_27_0) true) +(expandtypeattribute (tombstoned_intercept_socket_27_0) true) +(expandtypeattribute (tombstoned_java_trace_socket_27_0) true) +(expandtypeattribute (toolbox_27_0) true) +(expandtypeattribute (toolbox_exec_27_0) true) +(expandtypeattribute (trust_service_27_0) true) +(expandtypeattribute (tty_device_27_0) true) +(expandtypeattribute (tun_device_27_0) true) +(expandtypeattribute (tv_input_service_27_0) true) +(expandtypeattribute (tzdatacheck_27_0) true) +(expandtypeattribute (tzdatacheck_exec_27_0) true) +(expandtypeattribute (ueventd_27_0) true) +(expandtypeattribute (uhid_device_27_0) true) +(expandtypeattribute (uimode_service_27_0) true) +(expandtypeattribute (uio_device_27_0) true) +(expandtypeattribute (uncrypt_27_0) true) +(expandtypeattribute (uncrypt_exec_27_0) true) +(expandtypeattribute (uncrypt_socket_27_0) true) +(expandtypeattribute (unencrypted_data_file_27_0) true) +(expandtypeattribute (unlabeled_27_0) true) +(expandtypeattribute (untrusted_app_25_27_0) true) +(expandtypeattribute (untrusted_app_27_0) true) +(expandtypeattribute (untrusted_v2_app_27_0) true) +(expandtypeattribute (update_engine_27_0) true) +(expandtypeattribute (update_engine_data_file_27_0) true) +(expandtypeattribute (update_engine_exec_27_0) true) +(expandtypeattribute (update_engine_service_27_0) true) +(expandtypeattribute (updatelock_service_27_0) true) +(expandtypeattribute (update_verifier_27_0) true) +(expandtypeattribute (update_verifier_exec_27_0) true) +(expandtypeattribute (usagestats_service_27_0) true) +(expandtypeattribute 
(usbaccessory_device_27_0) true) +(expandtypeattribute (usb_device_27_0) true) +(expandtypeattribute (usbfs_27_0) true) +(expandtypeattribute (usb_service_27_0) true) +(expandtypeattribute (userdata_block_device_27_0) true) +(expandtypeattribute (usermodehelper_27_0) true) +(expandtypeattribute (user_profile_data_file_27_0) true) +(expandtypeattribute (user_service_27_0) true) +(expandtypeattribute (vcs_device_27_0) true) +(expandtypeattribute (vdc_27_0) true) +(expandtypeattribute (vdc_exec_27_0) true) +(expandtypeattribute (vendor_app_file_27_0) true) +(expandtypeattribute (vendor_configs_file_27_0) true) +(expandtypeattribute (vendor_file_27_0) true) +(expandtypeattribute (vendor_framework_file_27_0) true) +(expandtypeattribute (vendor_hal_file_27_0) true) +(expandtypeattribute (vendor_overlay_file_27_0) true) +(expandtypeattribute (vendor_shell_exec_27_0) true) +(expandtypeattribute (vendor_toolbox_exec_27_0) true) +(expandtypeattribute (vfat_27_0) true) +(expandtypeattribute (vibrator_service_27_0) true) +(expandtypeattribute (video_device_27_0) true) +(expandtypeattribute (virtual_touchpad_27_0) true) +(expandtypeattribute (virtual_touchpad_exec_27_0) true) +(expandtypeattribute (virtual_touchpad_service_27_0) true) +(expandtypeattribute (vndbinder_device_27_0) true) +(expandtypeattribute (vndk_sp_file_27_0) true) +(expandtypeattribute (vndservice_contexts_file_27_0) true) +(expandtypeattribute (vndservicemanager_27_0) true) +(expandtypeattribute (voiceinteraction_service_27_0) true) +(expandtypeattribute (vold_27_0) true) +(expandtypeattribute (vold_data_file_27_0) true) +(expandtypeattribute (vold_device_27_0) true) +(expandtypeattribute (vold_exec_27_0) true) +(expandtypeattribute (vold_prop_27_0) true) +(expandtypeattribute (vold_socket_27_0) true) +(expandtypeattribute (vpn_data_file_27_0) true) +(expandtypeattribute (vr_hwc_27_0) true) +(expandtypeattribute (vr_hwc_exec_27_0) true) +(expandtypeattribute (vr_hwc_service_27_0) true) +(expandtypeattribute 
(vr_manager_service_27_0) true) +(expandtypeattribute (wallpaper_file_27_0) true) +(expandtypeattribute (wallpaper_service_27_0) true) +(expandtypeattribute (watchdogd_27_0) true) +(expandtypeattribute (watchdog_device_27_0) true) +(expandtypeattribute (webviewupdate_service_27_0) true) +(expandtypeattribute (webview_zygote_27_0) true) +(expandtypeattribute (webview_zygote_exec_27_0) true) +(expandtypeattribute (webview_zygote_socket_27_0) true) +(expandtypeattribute (wifiaware_service_27_0) true) +(expandtypeattribute (wificond_27_0) true) +(expandtypeattribute (wificond_exec_27_0) true) +(expandtypeattribute (wificond_service_27_0) true) +(expandtypeattribute (wifi_data_file_27_0) true) +(expandtypeattribute (wifi_log_prop_27_0) true) +(expandtypeattribute (wifip2p_service_27_0) true) +(expandtypeattribute (wifi_prop_27_0) true) +(expandtypeattribute (wifiscanner_service_27_0) true) +(expandtypeattribute (wifi_service_27_0) true) +(expandtypeattribute (window_service_27_0) true) +(expandtypeattribute (wpa_socket_27_0) true) +(expandtypeattribute (zero_device_27_0) true) +(expandtypeattribute (zoneinfo_data_file_27_0) true) +(expandtypeattribute (zygote_27_0) true) +(expandtypeattribute (zygote_exec_27_0) true) +(expandtypeattribute (zygote_socket_27_0) true) +(typeattributeset accessibility_service_27_0 (accessibility_service)) +(typeattributeset account_service_27_0 (account_service)) +(typeattributeset activity_service_27_0 (activity_service)) +(typeattributeset adbd_27_0 (adbd)) +(typeattributeset adb_data_file_27_0 (adb_data_file)) +(typeattributeset adbd_exec_27_0 (adbd_exec)) +(typeattributeset adbd_socket_27_0 (adbd_socket)) +(typeattributeset adb_keys_file_27_0 (adb_keys_file)) +(typeattributeset alarm_device_27_0 (alarm_device)) +(typeattributeset alarm_service_27_0 (alarm_service)) +(typeattributeset anr_data_file_27_0 (anr_data_file)) +(typeattributeset apk_data_file_27_0 (apk_data_file)) +(typeattributeset apk_private_data_file_27_0 
(apk_private_data_file)) +(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_27_0 (apk_tmp_file)) +(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file)) +(typeattributeset app_fuse_file_27_0 (app_fuse_file)) +(typeattributeset app_fusefs_27_0 (app_fusefs)) +(typeattributeset appops_service_27_0 (appops_service)) +(typeattributeset appwidget_service_27_0 (appwidget_service)) +(typeattributeset asec_apk_file_27_0 (asec_apk_file)) +(typeattributeset asec_image_file_27_0 (asec_image_file)) +(typeattributeset asec_public_file_27_0 (asec_public_file)) +(typeattributeset ashmem_device_27_0 (ashmem_device)) +(typeattributeset assetatlas_service_27_0 (assetatlas_service)) +(typeattributeset audio_data_file_27_0 (audio_data_file)) +(typeattributeset audio_device_27_0 (audio_device)) +(typeattributeset audiohal_data_file_27_0 (audiohal_data_file)) +(typeattributeset audio_prop_27_0 (audio_prop)) +(typeattributeset audio_seq_device_27_0 (audio_seq_device)) +(typeattributeset audioserver_27_0 (audioserver)) +(typeattributeset audioserver_data_file_27_0 (audioserver_data_file)) +(typeattributeset audioserver_service_27_0 (audioserver_service)) +(typeattributeset audio_service_27_0 (audio_service)) +(typeattributeset audio_timer_device_27_0 (audio_timer_device)) +(typeattributeset autofill_service_27_0 (autofill_service)) +(typeattributeset backup_data_file_27_0 (backup_data_file)) +(typeattributeset backup_service_27_0 (backup_service)) +(typeattributeset batteryproperties_service_27_0 (batteryproperties_service)) +(typeattributeset battery_service_27_0 (battery_service)) +(typeattributeset batterystats_service_27_0 (batterystats_service)) +(typeattributeset binder_device_27_0 (binder_device)) +(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs)) +(typeattributeset blkid_27_0 (blkid)) +(typeattributeset blkid_untrusted_27_0 (blkid_untrusted)) +(typeattributeset block_device_27_0 (block_device)) 
+(typeattributeset bluetooth_27_0 (bluetooth)) +(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_27_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_27_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_27_0 (bluetooth_socket)) +(typeattributeset bootanim_27_0 (bootanim)) +(typeattributeset bootanim_exec_27_0 (bootanim_exec)) +(typeattributeset boot_block_device_27_0 (boot_block_device)) +(typeattributeset bootchart_data_file_27_0 (bootchart_data_file)) +(typeattributeset bootstat_27_0 (bootstat)) +(typeattributeset bootstat_data_file_27_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_27_0 (bootstat_exec)) +(typeattributeset boottime_prop_27_0 (boottime_prop)) +(typeattributeset boottrace_data_file_27_0 (boottrace_data_file)) +(typeattributeset broadcastradio_service_27_0 (broadcastradio_service)) +(typeattributeset bufferhubd_27_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec)) +(typeattributeset cache_backup_file_27_0 (cache_backup_file)) +(typeattributeset cache_block_device_27_0 (cache_block_device)) +(typeattributeset cache_file_27_0 (cache_file)) +(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_27_0 (cache_recovery_file)) +(typeattributeset camera_data_file_27_0 (camera_data_file)) +(typeattributeset camera_device_27_0 (camera_device)) +(typeattributeset cameraproxy_service_27_0 (cameraproxy_service)) +(typeattributeset cameraserver_27_0 (cameraserver)) +(typeattributeset cameraserver_exec_27_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_27_0 (cameraserver_service)) +(typeattributeset cgroup_27_0 (cgroup)) +(typeattributeset charger_27_0 (charger)) 
+(typeattributeset clatd_27_0 (clatd)) +(typeattributeset clatd_exec_27_0 (clatd_exec)) +(typeattributeset clipboard_service_27_0 (clipboard_service)) +(typeattributeset commontime_management_service_27_0 (commontime_management_service)) +(typeattributeset companion_device_service_27_0 (companion_device_service)) +(typeattributeset configfs_27_0 (configfs)) +(typeattributeset config_prop_27_0 (config_prop)) +(typeattributeset connectivity_service_27_0 (connectivity_service)) +(typeattributeset connmetrics_service_27_0 (connmetrics_service)) +(typeattributeset console_device_27_0 (console_device)) +(typeattributeset consumer_ir_service_27_0 (consumer_ir_service)) +(typeattributeset content_service_27_0 (content_service)) +(typeattributeset contexthub_service_27_0 (contexthub_service)) +(typeattributeset coredump_file_27_0 (coredump_file)) +(typeattributeset country_detector_service_27_0 (country_detector_service)) +(typeattributeset coverage_service_27_0 (coverage_service)) +(typeattributeset cppreopt_prop_27_0 (cppreopt_prop)) +(typeattributeset cppreopts_27_0 (cppreopts)) +(typeattributeset cppreopts_exec_27_0 (cppreopts_exec)) +(typeattributeset cpuctl_device_27_0 (cpuctl_device)) +(typeattributeset cpuinfo_service_27_0 (cpuinfo_service)) +(typeattributeset crash_dump_27_0 (crash_dump)) +(typeattributeset crash_dump_exec_27_0 (crash_dump_exec)) +(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_27_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop)) +(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop)) +(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop)) +(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop)) +(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file)) 
+(typeattributeset dalvik_prop_27_0 (dalvik_prop)) +(typeattributeset dbinfo_service_27_0 (dbinfo_service)) +(typeattributeset debugfs_27_0 + ( debugfs + debugfs_wakeup_sources)) +(typeattributeset debugfs_mmc_27_0 (debugfs_mmc)) +(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_27_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug)) +(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_27_0 (debuggerd_prop)) +(typeattributeset debug_prop_27_0 (debug_prop)) +(typeattributeset default_android_hwservice_27_0 (default_android_hwservice)) +(typeattributeset default_android_service_27_0 (default_android_service)) +(typeattributeset default_android_vndservice_27_0 (default_android_vndservice)) +(typeattributeset default_prop_27_0 + ( default_prop + pm_prop)) +(typeattributeset device_27_0 (device)) +(typeattributeset device_identifiers_service_27_0 (device_identifiers_service)) +(typeattributeset deviceidle_service_27_0 (deviceidle_service)) +(typeattributeset device_logging_prop_27_0 (device_logging_prop)) +(typeattributeset device_policy_service_27_0 (device_policy_service)) +(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service)) +(typeattributeset devpts_27_0 (devpts)) +(typeattributeset dex2oat_27_0 (dex2oat)) +(typeattributeset dex2oat_exec_27_0 (dex2oat_exec)) +(typeattributeset dhcp_27_0 (dhcp)) +(typeattributeset dhcp_data_file_27_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_27_0 (dhcp_exec)) +(typeattributeset dhcp_prop_27_0 (dhcp_prop)) +(typeattributeset diskstats_service_27_0 (diskstats_service)) +(typeattributeset display_service_27_0 (display_service)) +(typeattributeset dm_device_27_0 (dm_device)) +(typeattributeset dnsmasq_27_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec)) 
+(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket)) +(typeattributeset DockObserver_service_27_0 (DockObserver_service)) +(typeattributeset dreams_service_27_0 (dreams_service)) +(typeattributeset drm_data_file_27_0 (drm_data_file)) +(typeattributeset drmserver_27_0 (drmserver)) +(typeattributeset drmserver_exec_27_0 (drmserver_exec)) +(typeattributeset drmserver_service_27_0 (drmserver_service)) +(typeattributeset drmserver_socket_27_0 (drmserver_socket)) +(typeattributeset dropbox_service_27_0 (dropbox_service)) +(typeattributeset dumpstate_27_0 (dumpstate)) +(typeattributeset dumpstate_exec_27_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_27_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_27_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_27_0 (dumpstate_socket)) +(typeattributeset e2fs_27_0 (e2fs)) +(typeattributeset e2fs_exec_27_0 (e2fs_exec)) +(typeattributeset efs_file_27_0 (efs_file)) +(typeattributeset ephemeral_app_27_0 (ephemeral_app)) +(typeattributeset ethernet_service_27_0 (ethernet_service)) +(typeattributeset ffs_prop_27_0 (ffs_prop)) +(typeattributeset file_contexts_file_27_0 (file_contexts_file)) +(typeattributeset fingerprintd_27_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_27_0 (fingerprintd_service)) +(typeattributeset fingerprint_prop_27_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_27_0 (fingerprint_service)) +(typeattributeset firstboot_prop_27_0 (firstboot_prop)) +(typeattributeset font_service_27_0 (font_service)) +(typeattributeset frp_block_device_27_0 (frp_block_device)) +(typeattributeset fsck_27_0 (fsck)) +(typeattributeset fsck_exec_27_0 (fsck_exec)) +(typeattributeset fscklogs_27_0 (fscklogs)) +(typeattributeset fsck_untrusted_27_0 (fsck_untrusted)) 
+(typeattributeset full_device_27_0 (full_device)) +(typeattributeset functionfs_27_0 (functionfs)) +(typeattributeset fuse_27_0 (fuse)) +(typeattributeset fuse_device_27_0 (fuse_device)) +(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice)) +(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket)) +(typeattributeset gatekeeperd_27_0 (gatekeeperd)) +(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file)) +(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec)) +(typeattributeset gatekeeper_service_27_0 (gatekeeper_service)) +(typeattributeset gfxinfo_service_27_0 (gfxinfo_service)) +(typeattributeset gps_control_27_0 (gps_control)) +(typeattributeset gpu_device_27_0 (gpu_device)) +(typeattributeset gpu_service_27_0 (gpu_service)) +(typeattributeset graphics_device_27_0 (graphics_device)) +(typeattributeset graphicsstats_service_27_0 (graphicsstats_service)) +(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice)) +(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice)) +(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice)) +(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice)) +(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_27_0 
(hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice)) +(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice)) +(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice)) +(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice)) +(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice)) +(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice)) +(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice)) +(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice)) +(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice)) +(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice)) +(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice)) +(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice)) +(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice)) +(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice)) +(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice)) +(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice)) +(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice)) 
+(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_27_0 (hardware_properties_service)) +(typeattributeset hardware_service_27_0 (hardware_service)) +(typeattributeset hci_attach_dev_27_0 (hci_attach_dev)) +(typeattributeset hdmi_control_service_27_0 (hdmi_control_service)) +(typeattributeset healthd_27_0 (healthd)) +(typeattributeset healthd_exec_27_0 (healthd_exec)) +(typeattributeset heapdump_data_file_27_0 (heapdump_data_file)) +(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice)) +(typeattributeset hwbinder_device_27_0 (hwbinder_device)) +(typeattributeset hw_random_device_27_0 (hw_random_device)) +(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file)) +(typeattributeset hwservicemanager_27_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop)) +(typeattributeset i2c_device_27_0 (i2c_device)) +(typeattributeset icon_file_27_0 (icon_file)) +(typeattributeset idmap_27_0 (idmap)) +(typeattributeset idmap_exec_27_0 (idmap_exec)) +(typeattributeset iio_device_27_0 (iio_device)) +(typeattributeset imms_service_27_0 (imms_service)) +(typeattributeset incident_27_0 (incident)) +(typeattributeset incidentd_27_0 (incidentd)) +(typeattributeset incident_data_file_27_0 (incident_data_file)) +(typeattributeset incident_service_27_0 (incident_service)) +(typeattributeset init_27_0 (init)) +(typeattributeset init_exec_27_0 (init_exec watchdogd_exec)) +(typeattributeset inotify_27_0 (inotify)) +(typeattributeset input_device_27_0 (input_device)) +(typeattributeset 
inputflinger_27_0 (inputflinger)) +(typeattributeset inputflinger_exec_27_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_27_0 (inputflinger_service)) +(typeattributeset input_method_service_27_0 (input_method_service)) +(typeattributeset input_service_27_0 (input_service)) +(typeattributeset installd_27_0 (installd)) +(typeattributeset install_data_file_27_0 (install_data_file)) +(typeattributeset installd_exec_27_0 (installd_exec)) +(typeattributeset installd_service_27_0 (installd_service)) +(typeattributeset install_recovery_27_0 (install_recovery)) +(typeattributeset install_recovery_exec_27_0 (install_recovery_exec)) +(typeattributeset ion_device_27_0 (ion_device)) +(typeattributeset IProxyService_service_27_0 (IProxyService_service)) +(typeattributeset ipsec_service_27_0 (ipsec_service)) +(typeattributeset isolated_app_27_0 (isolated_app)) +(typeattributeset jobscheduler_service_27_0 (jobscheduler_service)) +(typeattributeset kernel_27_0 (kernel)) +(typeattributeset keychain_data_file_27_0 (keychain_data_file)) +(typeattributeset keychord_device_27_0 (keychord_device)) +(typeattributeset keystore_27_0 (keystore)) +(typeattributeset keystore_data_file_27_0 (keystore_data_file)) +(typeattributeset keystore_exec_27_0 (keystore_exec)) +(typeattributeset keystore_service_27_0 (keystore_service)) +(typeattributeset kmem_device_27_0 (kmem_device)) +(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device)) +(typeattributeset kmsg_device_27_0 (kmsg_device)) +(typeattributeset labeledfs_27_0 (labeledfs)) +(typeattributeset launcherapps_service_27_0 (launcherapps_service)) +(typeattributeset lmkd_27_0 (lmkd)) +(typeattributeset lmkd_exec_27_0 (lmkd_exec)) +(typeattributeset lmkd_socket_27_0 (lmkd_socket)) +(typeattributeset location_service_27_0 (location_service)) +(typeattributeset lock_settings_service_27_0 (lock_settings_service)) +(typeattributeset logcat_exec_27_0 (logcat_exec)) +(typeattributeset logd_27_0 (logd)) +(typeattributeset 
logd_exec_27_0 (logd_exec)) +(typeattributeset logd_prop_27_0 (logd_prop)) +(typeattributeset logdr_socket_27_0 (logdr_socket)) +(typeattributeset logd_socket_27_0 (logd_socket)) +(typeattributeset logdw_socket_27_0 (logdw_socket)) +(typeattributeset logpersist_27_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop)) +(typeattributeset log_prop_27_0 (log_prop)) +(typeattributeset log_tag_prop_27_0 (log_tag_prop)) +(typeattributeset loop_control_device_27_0 (loop_control_device)) +(typeattributeset loop_device_27_0 (loop_device)) +(typeattributeset mac_perms_file_27_0 (mac_perms_file)) +(typeattributeset mdnsd_27_0 (mdnsd)) +(typeattributeset mdnsd_socket_27_0 (mdnsd_socket)) +(typeattributeset mdns_socket_27_0 (mdns_socket)) +(typeattributeset hal_omx_server (mediacodec_27_0)) +(typeattributeset mediacodec_27_0 (mediacodec)) +(typeattributeset mediacodec_exec_27_0 (mediacodec_exec)) +(typeattributeset mediacodec_service_27_0 (mediacodec_service)) +(typeattributeset media_data_file_27_0 (media_data_file)) +(typeattributeset mediadrmserver_27_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_27_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_27_0 (mediaextractor_service)) +(typeattributeset mediametrics_27_0 (mediametrics)) +(typeattributeset mediametrics_exec_27_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_27_0 (mediametrics_service)) +(typeattributeset media_projection_service_27_0 (media_projection_service)) +(typeattributeset mediaprovider_27_0 (mediaprovider)) +(typeattributeset media_router_service_27_0 (media_router_service)) +(typeattributeset media_rw_data_file_27_0 (media_rw_data_file)) +(typeattributeset mediaserver_27_0 (mediaserver)) +(typeattributeset mediaserver_exec_27_0 
(mediaserver_exec)) +(typeattributeset mediaserver_service_27_0 (mediaserver_service)) +(typeattributeset media_session_service_27_0 (media_session_service)) +(typeattributeset meminfo_service_27_0 (meminfo_service)) +(typeattributeset metadata_block_device_27_0 (metadata_block_device)) +(typeattributeset method_trace_data_file_27_0 (method_trace_data_file)) +(typeattributeset midi_service_27_0 (midi_service)) +(typeattributeset misc_block_device_27_0 (misc_block_device)) +(typeattributeset misc_logd_file_27_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_27_0 (misc_user_data_file)) +(typeattributeset mmc_prop_27_0 (mmc_prop)) +(typeattributeset mnt_expand_file_27_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_user_file_27_0 (mnt_user_file)) +(typeattributeset modprobe_27_0 (modprobe)) +(typeattributeset mount_service_27_0 (mount_service)) +(typeattributeset mqueue_27_0 (mqueue)) +(typeattributeset mtd_device_27_0 (mtd_device)) +(typeattributeset mtp_27_0 (mtp)) +(typeattributeset mtp_device_27_0 (mtp_device)) +(typeattributeset mtpd_socket_27_0 (mtpd_socket)) +(typeattributeset mtp_exec_27_0 (mtp_exec)) +(typeattributeset nativetest_data_file_27_0 (nativetest_data_file)) +(typeattributeset netd_27_0 (netd)) +(typeattributeset net_data_file_27_0 (net_data_file)) +(typeattributeset netd_exec_27_0 (netd_exec)) +(typeattributeset netd_listener_service_27_0 (netd_listener_service)) +(typeattributeset net_dns_prop_27_0 (net_dns_prop)) +(typeattributeset netd_service_27_0 (netd_service)) +(typeattributeset netd_socket_27_0 (netd_socket)) +(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop)) +(typeattributeset netif_27_0 (netif)) +(typeattributeset netpolicy_service_27_0 (netpolicy_service)) +(typeattributeset net_radio_prop_27_0 (net_radio_prop)) +(typeattributeset netstats_service_27_0 (netstats_service)) 
+(typeattributeset netutils_wrapper_27_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_27_0 (network_management_service)) +(typeattributeset network_score_service_27_0 (network_score_service)) +(typeattributeset network_time_update_service_27_0 (network_time_update_service)) +(typeattributeset nfc_27_0 (nfc)) +(typeattributeset nfc_data_file_27_0 (nfc_data_file)) +(typeattributeset nfc_device_27_0 (nfc_device)) +(typeattributeset nfc_prop_27_0 (nfc_prop)) +(typeattributeset nfc_service_27_0 (nfc_service)) +(typeattributeset node_27_0 (node)) +(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file)) +(typeattributeset notification_service_27_0 (notification_service)) +(typeattributeset null_device_27_0 (null_device)) +(typeattributeset oemfs_27_0 (oemfs)) +(typeattributeset oem_lock_service_27_0 (oem_lock_service)) +(typeattributeset ota_data_file_27_0 (ota_data_file)) +(typeattributeset otadexopt_service_27_0 (otadexopt_service)) +(typeattributeset ota_package_file_27_0 (ota_package_file)) +(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot)) +(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec)) +(typeattributeset otapreopt_slot_27_0 (otapreopt_slot)) +(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec)) +(typeattributeset overlay_prop_27_0 (overlay_prop)) +(typeattributeset overlay_service_27_0 (overlay_service)) +(typeattributeset owntty_device_27_0 (owntty_device)) +(typeattributeset package_native_service_27_0 (package_native_service)) +(typeattributeset package_service_27_0 (package_service)) +(typeattributeset pan_result_prop_27_0 (pan_result_prop)) +(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_27_0 
(pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_27_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket)) +(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir)) +(typeattributeset performanced_27_0 (performanced)) +(typeattributeset performanced_exec_27_0 (performanced_exec)) +(typeattributeset permission_service_27_0 (permission_service)) +(typeattributeset persist_debug_prop_27_0 (persist_debug_prop)) +(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_27_0 (pinner_service)) +(typeattributeset pipefs_27_0 (pipefs)) +(typeattributeset platform_app_27_0 (platform_app)) +(typeattributeset pmsg_device_27_0 (pmsg_device)) +(typeattributeset port_27_0 (port)) +(typeattributeset port_device_27_0 (port_device)) +(typeattributeset postinstall_27_0 (postinstall)) +(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt)) +(typeattributeset 
postinstall_file_27_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir)) +(typeattributeset powerctl_prop_27_0 (powerctl_prop)) +(typeattributeset power_service_27_0 (power_service)) +(typeattributeset ppp_27_0 (ppp)) +(typeattributeset ppp_device_27_0 (ppp_device)) +(typeattributeset ppp_exec_27_0 (ppp_exec)) +(typeattributeset preloads_data_file_27_0 (preloads_data_file)) +(typeattributeset preloads_media_file_27_0 (preloads_media_file)) +(typeattributeset preopt2cachename_27_0 (preopt2cachename)) +(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec)) +(typeattributeset print_service_27_0 (print_service)) +(typeattributeset priv_app_27_0 (priv_app)) +(typeattributeset proc_27_0 + ( proc + proc_abi + proc_asound + proc_buddyinfo + proc_cmdline + proc_dirty + proc_diskstats + proc_extra_free_kbytes + proc_filesystems + proc_hostname + proc_hung_task + proc_kmsg + proc_loadavg + proc_max_map_count + proc_min_free_order_shift + proc_mounts + proc_page_cluster + proc_pagetypeinfo + proc_panic + proc_pid_max + proc_pipe_conf + proc_random + proc_sched + proc_slabinfo + proc_swaps + proc_uid_concurrent_active_time + proc_uid_concurrent_policy_time + proc_uid_cpupower + proc_uptime + proc_version + proc_vmallocinfo + proc_vmstat)) +(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable)) +(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo)) +(typeattributeset proc_drop_caches_27_0 (proc_drop_caches)) +(typeattributeset processinfo_service_27_0 (processinfo_service)) +(typeattributeset proc_interrupts_27_0 (proc_interrupts)) +(typeattributeset proc_iomem_27_0 (proc_iomem)) +(typeattributeset proc_meminfo_27_0 (proc_meminfo)) +(typeattributeset proc_misc_27_0 (proc_misc)) +(typeattributeset proc_modules_27_0 (proc_modules)) +(typeattributeset proc_net_27_0 + ( proc_net + proc_net_tcp_udp + proc_qtaguid_stat)) +(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory)) +(typeattributeset 
proc_perf_27_0 (proc_perf)) +(typeattributeset proc_security_27_0 (proc_security)) +(typeattributeset proc_stat_27_0 (proc_stat)) +(typeattributeset procstats_service_27_0 (procstats_service)) +(typeattributeset proc_sysrq_27_0 (proc_sysrq)) +(typeattributeset proc_timer_27_0 (proc_timer)) +(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers)) +(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats)) +(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set)) +(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state)) +(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo)) +(typeattributeset profman_27_0 (profman)) +(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file)) +(typeattributeset profman_exec_27_0 (profman_exec)) +(typeattributeset properties_device_27_0 (properties_device)) +(typeattributeset properties_serial_27_0 (properties_serial)) +(typeattributeset property_contexts_file_27_0 (property_contexts_file)) +(typeattributeset property_data_file_27_0 (property_data_file)) +(typeattributeset property_socket_27_0 (property_socket)) +(typeattributeset pstorefs_27_0 (pstorefs)) +(typeattributeset ptmx_device_27_0 (ptmx_device)) +(typeattributeset qtaguid_device_27_0 (qtaguid_device)) +(typeattributeset qtaguid_proc_27_0 + ( proc_qtaguid_ctrl + qtaguid_proc)) +(typeattributeset racoon_27_0 (racoon)) +(typeattributeset racoon_exec_27_0 (racoon_exec)) +(typeattributeset racoon_socket_27_0 (racoon_socket)) +(typeattributeset radio_27_0 (radio)) +(typeattributeset radio_data_file_27_0 (radio_data_file)) +(typeattributeset radio_device_27_0 (radio_device)) +(typeattributeset radio_prop_27_0 (radio_prop)) +(typeattributeset radio_service_27_0 (radio_service)) +(typeattributeset ram_device_27_0 (ram_device)) +(typeattributeset random_device_27_0 
(random_device)) +(typeattributeset reboot_data_file_27_0 (reboot_data_file)) +(typeattributeset recovery_27_0 (recovery)) +(typeattributeset recovery_block_device_27_0 (recovery_block_device)) +(typeattributeset recovery_data_file_27_0 (recovery_data_file)) +(typeattributeset recovery_persist_27_0 (recovery_persist)) +(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_27_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_27_0 (recovery_service)) +(typeattributeset registry_service_27_0 (registry_service)) +(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_27_0 (restorecon_prop)) +(typeattributeset restrictions_service_27_0 (restrictions_service)) +(typeattributeset rild_27_0 (rild)) +(typeattributeset rild_debug_socket_27_0 (rild_debug_socket)) +(typeattributeset rild_socket_27_0 (rild_socket)) +(typeattributeset ringtone_file_27_0 (ringtone_file)) +(typeattributeset root_block_device_27_0 (root_block_device)) +(typeattributeset rootfs_27_0 (rootfs)) +(typeattributeset rpmsg_device_27_0 (rpmsg_device)) +(typeattributeset rtc_device_27_0 (rtc_device)) +(typeattributeset rttmanager_service_27_0 (rttmanager_service)) +(typeattributeset runas_27_0 (runas)) +(typeattributeset runas_exec_27_0 (runas_exec)) +(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file)) +(typeattributeset safemode_prop_27_0 (safemode_prop)) +(typeattributeset same_process_hal_file_27_0 + ( same_process_hal_file + vendor_public_lib_file)) +(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service)) +(typeattributeset sdcardd_27_0 (sdcardd)) +(typeattributeset sdcardd_exec_27_0 (sdcardd_exec)) +(typeattributeset sdcardfs_27_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_27_0 
(seapp_contexts_file)) +(typeattributeset search_service_27_0 (search_service)) +(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service)) +(typeattributeset selinuxfs_27_0 (selinuxfs)) +(typeattributeset sensors_device_27_0 (sensors_device)) +(typeattributeset sensorservice_service_27_0 (sensorservice_service)) +(typeattributeset sepolicy_file_27_0 (sepolicy_file)) +(typeattributeset serial_device_27_0 (serial_device)) +(typeattributeset serialno_prop_27_0 (serialno_prop)) +(typeattributeset serial_service_27_0 (serial_service)) +(typeattributeset service_contexts_file_27_0 (service_contexts_file)) +(typeattributeset servicediscovery_service_27_0 (servicediscovery_service)) +(typeattributeset servicemanager_27_0 (servicemanager)) +(typeattributeset servicemanager_exec_27_0 (servicemanager_exec)) +(typeattributeset settings_service_27_0 (settings_service)) +(typeattributeset sgdisk_27_0 (sgdisk)) +(typeattributeset sgdisk_exec_27_0 (sgdisk_exec)) +(typeattributeset shared_relro_27_0 (shared_relro)) +(typeattributeset shared_relro_file_27_0 (shared_relro_file)) +(typeattributeset shell_27_0 (shell)) +(typeattributeset shell_data_file_27_0 (shell_data_file)) +(typeattributeset shell_exec_27_0 (shell_exec)) +(typeattributeset shell_prop_27_0 (shell_prop)) +(typeattributeset shm_27_0 (shm)) +(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons)) +(typeattributeset shortcut_service_27_0 (shortcut_service)) +(typeattributeset slideshow_27_0 (slideshow)) +(typeattributeset socket_device_27_0 (socket_device)) +(typeattributeset sockfs_27_0 (sockfs)) +(typeattributeset statusbar_service_27_0 (statusbar_service)) +(typeattributeset storaged_service_27_0 (storaged_service)) +(typeattributeset storage_file_27_0 (storage_file)) +(typeattributeset storagestats_service_27_0 (storagestats_service)) +(typeattributeset storage_stub_file_27_0 (storage_stub_file)) +(typeattributeset su_27_0 (su)) +(typeattributeset su_exec_27_0 
(su_exec)) +(typeattributeset surfaceflinger_27_0 (surfaceflinger)) +(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service)) +(typeattributeset swap_block_device_27_0 (swap_block_device)) +(typeattributeset sysfs_27_0 + ( sysfs + sysfs_android_usb + sysfs_dm + sysfs_dt_firmware_android + sysfs_ipv4 + sysfs_kernel_notes + sysfs_loop + sysfs_net + sysfs_power + sysfs_rtc + sysfs_switch + sysfs_wakeup_reasons)) +(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo)) +(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable)) +(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu)) +(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features)) +(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom)) +(typeattributeset sysfs_leds_27_0 (sysfs_leds)) +(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller)) +(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address)) +(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable)) +(typeattributeset sysfs_thermal_27_0 (sysfs_thermal)) +(typeattributeset sysfs_uio_27_0 (sysfs_uio)) +(typeattributeset sysfs_usb_27_0 (sysfs_usb)) +(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper)) +(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator)) +(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock)) +(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath)) +(typeattributeset sysfs_zram_27_0 (sysfs_zram)) +(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent)) +(typeattributeset system_app_27_0 (system_app)) +(typeattributeset system_app_data_file_27_0 (system_app_data_file)) +(typeattributeset system_app_service_27_0 (system_app_service)) +(typeattributeset system_block_device_27_0 (system_block_device)) +(typeattributeset system_data_file_27_0 + ( system_data_file + dropbox_data_file + vendor_data_file)) +(typeattributeset system_file_27_0 + ( system_file + system_lib_file + system_linker_config_file + 
system_linker_exec + system_seccomp_policy_file + system_security_cacerts_file + system_zoneinfo_file +)) +(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file)) +(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket)) +(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice)) +(typeattributeset system_prop_27_0 (system_prop)) +(typeattributeset system_radio_prop_27_0 (system_radio_prop)) +(typeattributeset system_server_27_0 (system_server)) +(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice)) +(typeattributeset system_wpa_socket_27_0 (system_wpa_socket)) +(typeattributeset task_service_27_0 (task_service)) +(typeattributeset tee_27_0 (tee)) +(typeattributeset tee_data_file_27_0 (tee_data_file)) +(typeattributeset tee_device_27_0 (tee_device)) +(typeattributeset telecom_service_27_0 (telecom_service)) +(typeattributeset textclassification_service_27_0 (textclassification_service)) +(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file)) +(typeattributeset textservices_service_27_0 (textservices_service)) +(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice)) +(typeattributeset thermal_service_27_0 (thermal_service)) +(typeattributeset thermalserviced_27_0 (thermalserviced)) +(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec)) +(typeattributeset timezone_service_27_0 (timezone_service)) +(typeattributeset tmpfs_27_0 (tmpfs)) +(typeattributeset tombstoned_27_0 (tombstoned)) +(typeattributeset tombstone_data_file_27_0 (tombstone_data_file)) +(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket)) +(typeattributeset tombstoned_exec_27_0 (tombstoned_exec)) +(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket)) +(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket)) +(typeattributeset toolbox_27_0 (toolbox)) +(typeattributeset toolbox_exec_27_0 
(toolbox_exec)) +(typeattributeset trust_service_27_0 (trust_service)) +(typeattributeset tty_device_27_0 (tty_device)) +(typeattributeset tun_device_27_0 (tun_device)) +(typeattributeset tv_input_service_27_0 (tv_input_service)) +(typeattributeset tzdatacheck_27_0 (tzdatacheck)) +(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec)) +(typeattributeset ueventd_27_0 (ueventd)) +(typeattributeset uhid_device_27_0 (uhid_device)) +(typeattributeset uimode_service_27_0 (uimode_service)) +(typeattributeset uio_device_27_0 (uio_device)) +(typeattributeset uncrypt_27_0 (uncrypt)) +(typeattributeset uncrypt_exec_27_0 (uncrypt_exec)) +(typeattributeset uncrypt_socket_27_0 (uncrypt_socket)) +(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file)) +(typeattributeset unlabeled_27_0 (unlabeled)) +(typeattributeset untrusted_app_25_27_0 (untrusted_app_25)) +(typeattributeset untrusted_app_27_0 + ( untrusted_app + untrusted_app_27)) +(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app)) +(typeattributeset update_engine_27_0 (update_engine)) +(typeattributeset update_engine_data_file_27_0 (update_engine_data_file)) +(typeattributeset update_engine_exec_27_0 (update_engine_exec)) +(typeattributeset update_engine_service_27_0 (update_engine_service)) +(typeattributeset updatelock_service_27_0 (updatelock_service)) +(typeattributeset update_verifier_27_0 (update_verifier)) +(typeattributeset update_verifier_exec_27_0 (update_verifier_exec)) +(typeattributeset usagestats_service_27_0 (usagestats_service)) +(typeattributeset usbaccessory_device_27_0 (usbaccessory_device)) +(typeattributeset usb_device_27_0 (usb_device)) +(typeattributeset usbfs_27_0 (usbfs)) +(typeattributeset usb_service_27_0 (usb_service)) +(typeattributeset userdata_block_device_27_0 (userdata_block_device)) +(typeattributeset usermodehelper_27_0 (usermodehelper)) +(typeattributeset user_profile_data_file_27_0 (user_profile_data_file)) +(typeattributeset user_service_27_0 (user_service)) 
+(typeattributeset vcs_device_27_0 (vcs_device)) +(typeattributeset vdc_27_0 (vdc)) +(typeattributeset vdc_exec_27_0 (vdc_exec)) +(typeattributeset vendor_app_file_27_0 (vendor_app_file)) +(typeattributeset vendor_configs_file_27_0 (vendor_configs_file)) +(typeattributeset vendor_file_27_0 (vendor_file)) +(typeattributeset vendor_framework_file_27_0 (vendor_framework_file)) +(typeattributeset vendor_hal_file_27_0 (vendor_hal_file)) +(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file)) +(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec)) +(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec)) +(typeattributeset vfat_27_0 (vfat)) +(typeattributeset vibrator_service_27_0 (vibrator_service)) +(typeattributeset video_device_27_0 (video_device)) +(typeattributeset virtual_touchpad_27_0 (virtual_touchpad)) +(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec)) +(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service)) +(typeattributeset vndbinder_device_27_0 (vndbinder_device)) +(typeattributeset vndk_sp_file_27_0 (vndk_sp_file)) +(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file)) +(typeattributeset vndservicemanager_27_0 (vndservicemanager)) +(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service)) +(typeattributeset vold_27_0 (vold)) +(typeattributeset vold_data_file_27_0 (vold_data_file)) +(typeattributeset vold_device_27_0 (vold_device)) +(typeattributeset vold_exec_27_0 (vold_exec)) +(typeattributeset vold_prop_27_0 (vold_prop)) +(typeattributeset vold_socket_27_0 (vold_socket)) +(typeattributeset vpn_data_file_27_0 (vpn_data_file)) +(typeattributeset vr_hwc_27_0 (vr_hwc)) +(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec)) +(typeattributeset vr_hwc_service_27_0 (vr_hwc_service)) +(typeattributeset vr_manager_service_27_0 (vr_manager_service)) +(typeattributeset wallpaper_file_27_0 (wallpaper_file)) +(typeattributeset wallpaper_service_27_0 
(wallpaper_service)) +(typeattributeset watchdogd_27_0 (watchdogd)) +(typeattributeset watchdog_device_27_0 (watchdog_device)) +(typeattributeset webviewupdate_service_27_0 (webviewupdate_service)) +(typeattributeset webview_zygote_27_0 (webview_zygote)) +(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec)) +(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket)) +(typeattributeset wifiaware_service_27_0 (wifiaware_service)) +(typeattributeset wificond_27_0 (wificond)) +(typeattributeset wificond_exec_27_0 (wificond_exec)) +(typeattributeset wificond_service_27_0 (wificond_service)) +(typeattributeset wifi_data_file_27_0 (wifi_data_file)) +(typeattributeset wifi_log_prop_27_0 (wifi_log_prop)) +(typeattributeset wifip2p_service_27_0 (wifip2p_service)) +(typeattributeset wifi_prop_27_0 (wifi_prop)) +(typeattributeset wifiscanner_service_27_0 (wifiscanner_service)) +(typeattributeset wifi_service_27_0 (wifi_service)) +(typeattributeset window_service_27_0 (window_service)) +(typeattributeset wpa_socket_27_0 (wpa_socket)) +(typeattributeset zero_device_27_0 (zero_device)) +(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file)) +(typeattributeset zygote_27_0 (zygote)) +(typeattributeset zygote_exec_27_0 (zygote_exec)) +(typeattributeset zygote_socket_27_0 (zygote_socket)) diff --git a/prebuilts/api/32.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/32.0/private/compat/27.0/27.0.compat.cil new file mode 100644 index 000000000..2e85b23fc --- /dev/null +++ b/prebuilts/api/32.0/private/compat/27.0/27.0.compat.cil 
@@ -0,0 +1,11 @@ +(typeattribute vendordomain) +(typeattributeset vendordomain ((and (domain) ((not (coredomain)))))) +(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff)))) +(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff)))) +(allow vendordomain self (netlink_route_socket (nlmsg_readpriv))) + +(typeattributeset mlsvendorcompat (and appdomain vendordomain)) +(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir))) +(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads))) +(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir))) +(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads))) diff --git a/prebuilts/api/32.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/32.0/private/compat/27.0/27.0.ignore.cil new file mode 100644 index 000000000..427f4d4d1 --- /dev/null +++ b/prebuilts/api/32.0/private/compat/27.0/27.0.ignore.cil 
@@ -0,0 +1,260 @@ +;; new_objects - a collection of types that have been introduced that have no +;; analogue in older policy. Thus, we do not need to map these types to +;; previous ones. Add here to pass checkapi tests. +(type new_objects) +(typeattribute new_objects) +(typeattributeset new_objects + ( new_objects + aac_drc_prop + aaudio_config_prop + activity_task_service + adb_service + app_binding_service + apex_data_file + apex_metadata_file + apex_mnt_dir + apex_service + apexd + apexd_exec + apexd_prop + apexd_tmpfs + app_zygote + art_apex_dir + atrace + audio_config_prop + binder_calls_stats_service + biometric_service + blank_screen + blank_screen_exec + blank_screen_tmpfs + boot_status_prop + bootanim_system_prop + bootloader_boot_reason_prop + bootloader_prop + bluetooth_a2dp_offload_prop + bpfloader + bpfloader_exec + build_bootimage_prop + build_odm_prop + build_prop + build_vendor_prop + camera_calibration_prop + camera_config_prop + cgroup_bpf + charger_config_prop + charger_exec + charger_status_prop + color_display_service + content_capture_service + crossprofileapps_service + ctl_apexd_prop + ctl_interface_restart_prop + ctl_interface_start_prop + ctl_interface_stop_prop + ctl_sigstop_prop + dalvik_config_prop + dalvik_runtime_prop + device_config_boot_count_prop + device_config_reset_performed_prop + device_config_netd_native_prop + dnsresolver_service + drm_service_config_prop + exfat + exported2_config_prop + exported2_default_prop + exported2_radio_prop + exported2_system_prop + exported2_vold_prop + exported3_default_prop + exported3_radio_prop + exported3_system_prop + exported_audio_prop + exported_bluetooth_prop + exported_config_prop + exported_dalvik_prop + exported_default_prop + exported_dumpstate_prop + exported_ffs_prop + exported_fingerprint_prop + exported_overlay_prop + exported_pm_prop + exported_radio_prop + exported_secure_prop + exported_system_prop + exported_system_radio_prop + exported_vold_prop + exported_wifi_prop + 
fastbootd + ffs_config_prop + ffs_control_prop + flags_health_check + flags_health_check_exec + fingerprint_vendor_data_file + fs_bpf + fwk_stats_hwservice + hal_atrace_hwservice + hal_audiocontrol_hwservice + hal_authsecret_hwservice + hal_codec2_hwservice + hal_confirmationui_hwservice + hal_evs_hwservice + hal_health_storage_hwservice + hal_instrumentation_prop + hal_lowpan_hwservice + hal_secure_element_hwservice + hal_usb_gadget_hwservice + hal_vehicle_hwservice + hal_wifi_hostapd_hwservice + hdmi_config_prop + heapprofd + heapprofd_exec + heapprofd_socket + incident_helper + incident_helper_exec + init_service_status_private_prop + init_service_status_prop + iorapd + iorapd_data_file + iorapd_exec + iorapd_service + iorapd_tmpfs + keyguard_config_prop + last_boot_reason_prop + libc_debug_prop + llkd + llkd_exec + llkd_prop + llkd_tmpfs + lmkd_config_prop + looper_stats_service + lowpan_device + lowpan_prop + lowpan_service + media_config_prop + mediadrm_config_prop + mediaextractor_update_service + mediaswcodec + mediaswcodec_exec + mediaswcodec_tmpfs + metadata_bootstat_file + metadata_file + mnt_product_file + mnt_vendor_file + network_stack + network_stack_service + network_watchlist_data_file + network_watchlist_service + oem_unlock_prop + overlayfs_file + packagemanager_config_prop + perfetto + perfetto_exec + perfetto_tmpfs + perfetto_traces_data_file + property_info + property_service_version_prop + provisioned_prop + radio_control_prop + recovery_config_prop + recovery_socket + retaildemo_prop + role_service + runas_app + runtime_service + secure_element + secure_element_device + secure_element_service + secure_element_tmpfs + sendbug_config_prop + server_configurable_flags_data_file + simpleperf_app_runner + simpleperf_app_runner_exec + slice_service + socket_hook_prop + stats + stats_data_file + stats_exec + stats_service + statscompanion_service + statsd + statsd_exec + statsd_tmpfs + statsdw + statsdw_socket + storaged_data_file + 
super_block_device + surfaceflinger_color_prop + surfaceflinger_prop + staging_data_file + storagemanager_config_prop + system_boot_reason_prop + system_bootstrap_lib_file + system_lmk_prop + system_update_service + systemsound_config_prop + telephony_config_prop + telephony_status_prop + test_boot_reason_prop + time_prop + timedetector_service + tombstone_config_prop + tombstone_wifi_data_file + trace_data_file + traced + traced_consumer_socket + traced_enabled_prop + traced_exec + traced_probes + traced_probes_exec + traced_probes_tmpfs + traced_producer_socket + traced_tmpfs + traceur_app + traceur_app_tmpfs + untrusted_app_all_devpts + update_engine_log_data_file + uri_grants_service + usb_config_prop + usb_control_prop + usbd + usbd_exec + usbd_tmpfs + vendor_apex_file + vendor_default_prop + vendor_init + vendor_security_patch_level_prop + vendor_shell + vendor_socket_hook_prop + vndk_prop + vold_config_prop + vold_metadata_file + vold_post_fs_data_prop + vold_prepare_subdirs + vold_prepare_subdirs_exec + vold_service + vold_status_prop + vrflinger_vsync_service + vts_config_prop + vts_status_prop + wait_for_keymaster + wait_for_keymaster_exec + wait_for_keymaster_tmpfs + watchdogd_tmpfs + wifi_config_prop + wifi_hal_prop + wm_trace_data_file + wpantund + wpantund_exec + wpantund_service + wpantund_tmpfs + zram_config_prop + zram_control_prop)) + +;; private_objects - a collection of types that were labeled differently in +;; older policy, but that should not remain accessible to vendor policy. +;; Thus, these types are also not mapped, but recorded for checkapi tests +(type priv_objects) +(typeattribute priv_objects) +(typeattributeset priv_objects + ( priv_objects + untrusted_app_27_tmpfs)) diff --git a/prebuilts/api/32.0/private/compat/28.0/28.0.cil b/prebuilts/api/32.0/private/compat/28.0/28.0.cil new file mode 100644 index 000000000..321e9387e --- /dev/null +++ b/prebuilts/api/32.0/private/compat/28.0/28.0.cil 
@@ -0,0 +1,1744 @@ +;; attributes removed from current policy +(typeattribute hal_wifi_offload) +(typeattribute hal_wifi_offload_client) +(typeattribute hal_wifi_offload_server) + +;; types removed from current policy +(type alarm_device) +(type audio_seq_device) +(type audio_timer_device) +(type commontime_management_service) +(type cpuctl_device) +(type full_device) +(type hal_wifi_offload_hwservice) +(type i2c_device) +(type kmem_device) +(type mediacodec) +(type mediacodec_exec) +(type mediaextractor_update_service) +(type mtd_device) +(type netd_socket) +(type qtaguid_proc) +(type thermalcallback_hwservice) +(type thermalserviced) +(type thermalserviced_exec) +(type untrusted_v2_app) +(type vcs_device) + +;; Public 28.0 SEPolicy is divergent on different devices w.r.t +;; exported_audio_prop type. We need this typeattribute declaration so that the +;; mapping file compiles with vendor policies without exported_audio_prop type. +(typeattribute exported_audio_prop_28_0) + +(expandtypeattribute (accessibility_service_28_0) true) +(expandtypeattribute (account_service_28_0) true) +(expandtypeattribute (activity_service_28_0) true) +(expandtypeattribute (adbd_28_0) true) +(expandtypeattribute (adb_data_file_28_0) true) +(expandtypeattribute (adbd_exec_28_0) true) +(expandtypeattribute (adbd_socket_28_0) true) +(expandtypeattribute (adb_keys_file_28_0) true) +(expandtypeattribute (alarm_device_28_0) true) +(expandtypeattribute (alarm_service_28_0) true) +(expandtypeattribute (anr_data_file_28_0) true) +(expandtypeattribute (apk_data_file_28_0) true) +(expandtypeattribute (apk_private_data_file_28_0) true) +(expandtypeattribute (apk_private_tmp_file_28_0) true) +(expandtypeattribute (apk_tmp_file_28_0) true) +(expandtypeattribute (app_data_file_28_0) true) +(expandtypeattribute (app_fuse_file_28_0) true) +(expandtypeattribute (app_fusefs_28_0) true) +(expandtypeattribute (appops_service_28_0) true) +(expandtypeattribute (appwidget_service_28_0) true) 
+(expandtypeattribute (asec_apk_file_28_0) true) +(expandtypeattribute (asec_image_file_28_0) true) +(expandtypeattribute (asec_public_file_28_0) true) +(expandtypeattribute (ashmem_device_28_0) true) +(expandtypeattribute (assetatlas_service_28_0) true) +(expandtypeattribute (audio_data_file_28_0) true) +(expandtypeattribute (audio_device_28_0) true) +(expandtypeattribute (audiohal_data_file_28_0) true) +(expandtypeattribute (audio_prop_28_0) true) +(expandtypeattribute (audio_seq_device_28_0) true) +(expandtypeattribute (audioserver_28_0) true) +(expandtypeattribute (audioserver_data_file_28_0) true) +(expandtypeattribute (audioserver_service_28_0) true) +(expandtypeattribute (audio_service_28_0) true) +(expandtypeattribute (audio_timer_device_28_0) true) +(expandtypeattribute (autofill_service_28_0) true) +(expandtypeattribute (backup_data_file_28_0) true) +(expandtypeattribute (backup_service_28_0) true) +(expandtypeattribute (batteryproperties_service_28_0) true) +(expandtypeattribute (battery_service_28_0) true) +(expandtypeattribute (batterystats_service_28_0) true) +(expandtypeattribute (binder_calls_stats_service_28_0) true) +(expandtypeattribute (binder_device_28_0) true) +(expandtypeattribute (binfmt_miscfs_28_0) true) +(expandtypeattribute (blkid_28_0) true) +(expandtypeattribute (blkid_untrusted_28_0) true) +(expandtypeattribute (block_device_28_0) true) +(expandtypeattribute (bluetooth_28_0) true) +(expandtypeattribute (bluetooth_a2dp_offload_prop_28_0) true) +(expandtypeattribute (bluetooth_data_file_28_0) true) +(expandtypeattribute (bluetooth_efs_file_28_0) true) +(expandtypeattribute (bluetooth_logs_data_file_28_0) true) +(expandtypeattribute (bluetooth_manager_service_28_0) true) +(expandtypeattribute (bluetooth_prop_28_0) true) +(expandtypeattribute (bluetooth_service_28_0) true) +(expandtypeattribute (bluetooth_socket_28_0) true) +(expandtypeattribute (bootanim_28_0) true) +(expandtypeattribute (bootanim_exec_28_0) true) +(expandtypeattribute 
(boot_block_device_28_0) true) +(expandtypeattribute (bootchart_data_file_28_0) true) +(expandtypeattribute (bootloader_boot_reason_prop_28_0) true) +(expandtypeattribute (bootstat_28_0) true) +(expandtypeattribute (bootstat_data_file_28_0) true) +(expandtypeattribute (bootstat_exec_28_0) true) +(expandtypeattribute (boottime_prop_28_0) true) +(expandtypeattribute (boottrace_data_file_28_0) true) +(expandtypeattribute (broadcastradio_service_28_0) true) +(expandtypeattribute (bufferhubd_28_0) true) +(expandtypeattribute (bufferhubd_exec_28_0) true) +(expandtypeattribute (cache_backup_file_28_0) true) +(expandtypeattribute (cache_block_device_28_0) true) +(expandtypeattribute (cache_file_28_0) true) +(expandtypeattribute (cache_private_backup_file_28_0) true) +(expandtypeattribute (cache_recovery_file_28_0) true) +(expandtypeattribute (camera_data_file_28_0) true) +(expandtypeattribute (camera_device_28_0) true) +(expandtypeattribute (cameraproxy_service_28_0) true) +(expandtypeattribute (cameraserver_28_0) true) +(expandtypeattribute (cameraserver_exec_28_0) true) +(expandtypeattribute (cameraserver_service_28_0) true) +(expandtypeattribute (cgroup_28_0) true) +(expandtypeattribute (cgroup_bpf_28_0) true) +(expandtypeattribute (charger_28_0) true) +(expandtypeattribute (clatd_28_0) true) +(expandtypeattribute (clatd_exec_28_0) true) +(expandtypeattribute (clipboard_service_28_0) true) +(expandtypeattribute (commontime_management_service_28_0) true) +(expandtypeattribute (companion_device_service_28_0) true) +(expandtypeattribute (configfs_28_0) true) +(expandtypeattribute (config_prop_28_0) true) +(expandtypeattribute (connectivity_service_28_0) true) +(expandtypeattribute (connmetrics_service_28_0) true) +(expandtypeattribute (console_device_28_0) true) +(expandtypeattribute (consumer_ir_service_28_0) true) +(expandtypeattribute (content_service_28_0) true) +(expandtypeattribute (contexthub_service_28_0) true) +(expandtypeattribute (coredump_file_28_0) true) 
+(expandtypeattribute (country_detector_service_28_0) true) +(expandtypeattribute (coverage_service_28_0) true) +(expandtypeattribute (cppreopt_prop_28_0) true) +(expandtypeattribute (cppreopts_28_0) true) +(expandtypeattribute (cppreopts_exec_28_0) true) +(expandtypeattribute (cpuctl_device_28_0) true) +(expandtypeattribute (cpuinfo_service_28_0) true) +(expandtypeattribute (crash_dump_28_0) true) +(expandtypeattribute (crash_dump_exec_28_0) true) +(expandtypeattribute (crossprofileapps_service_28_0) true) +(expandtypeattribute (ctl_bootanim_prop_28_0) true) +(expandtypeattribute (ctl_bugreport_prop_28_0) true) +(expandtypeattribute (ctl_console_prop_28_0) true) +(expandtypeattribute (ctl_default_prop_28_0) true) +(expandtypeattribute (ctl_dumpstate_prop_28_0) true) +(expandtypeattribute (ctl_fuse_prop_28_0) true) +(expandtypeattribute (ctl_interface_restart_prop_28_0) true) +(expandtypeattribute (ctl_interface_start_prop_28_0) true) +(expandtypeattribute (ctl_interface_stop_prop_28_0) true) +(expandtypeattribute (ctl_mdnsd_prop_28_0) true) +(expandtypeattribute (ctl_restart_prop_28_0) true) +(expandtypeattribute (ctl_rildaemon_prop_28_0) true) +(expandtypeattribute (ctl_sigstop_prop_28_0) true) +(expandtypeattribute (ctl_start_prop_28_0) true) +(expandtypeattribute (ctl_stop_prop_28_0) true) +(expandtypeattribute (dalvikcache_data_file_28_0) true) +(expandtypeattribute (dalvik_prop_28_0) true) +(expandtypeattribute (dbinfo_service_28_0) true) +(expandtypeattribute (debugfs_28_0) true) +(expandtypeattribute (debugfs_mmc_28_0) true) +(expandtypeattribute (debugfs_trace_marker_28_0) true) +(expandtypeattribute (debugfs_tracing_28_0) true) +(expandtypeattribute (debugfs_tracing_debug_28_0) true) +(expandtypeattribute (debugfs_tracing_instances_28_0) true) +(expandtypeattribute (debugfs_wakeup_sources_28_0) true) +(expandtypeattribute (debugfs_wifi_tracing_28_0) true) +(expandtypeattribute (debuggerd_prop_28_0) true) +(expandtypeattribute (debug_prop_28_0) true) 
+(expandtypeattribute (default_android_hwservice_28_0) true) +(expandtypeattribute (default_android_service_28_0) true) +(expandtypeattribute (default_android_vndservice_28_0) true) +(expandtypeattribute (default_prop_28_0) true) +(expandtypeattribute (device_28_0) true) +(expandtypeattribute (device_identifiers_service_28_0) true) +(expandtypeattribute (deviceidle_service_28_0) true) +(expandtypeattribute (device_logging_prop_28_0) true) +(expandtypeattribute (device_policy_service_28_0) true) +(expandtypeattribute (devicestoragemonitor_service_28_0) true) +(expandtypeattribute (devpts_28_0) true) +(expandtypeattribute (dex2oat_28_0) true) +(expandtypeattribute (dex2oat_exec_28_0) true) +(expandtypeattribute (dhcp_28_0) true) +(expandtypeattribute (dhcp_data_file_28_0) true) +(expandtypeattribute (dhcp_exec_28_0) true) +(expandtypeattribute (dhcp_prop_28_0) true) +(expandtypeattribute (diskstats_service_28_0) true) +(expandtypeattribute (display_service_28_0) true) +(expandtypeattribute (dm_device_28_0) true) +(expandtypeattribute (dnsmasq_28_0) true) +(expandtypeattribute (dnsmasq_exec_28_0) true) +(expandtypeattribute (dnsproxyd_socket_28_0) true) +(expandtypeattribute (DockObserver_service_28_0) true) +(expandtypeattribute (dreams_service_28_0) true) +(expandtypeattribute (drm_data_file_28_0) true) +(expandtypeattribute (drmserver_28_0) true) +(expandtypeattribute (drmserver_exec_28_0) true) +(expandtypeattribute (drmserver_service_28_0) true) +(expandtypeattribute (drmserver_socket_28_0) true) +(expandtypeattribute (dropbox_service_28_0) true) +(expandtypeattribute (dumpstate_28_0) true) +(expandtypeattribute (dumpstate_exec_28_0) true) +(expandtypeattribute (dumpstate_options_prop_28_0) true) +(expandtypeattribute (dumpstate_prop_28_0) true) +(expandtypeattribute (dumpstate_service_28_0) true) +(expandtypeattribute (dumpstate_socket_28_0) true) +(expandtypeattribute (e2fs_28_0) true) +(expandtypeattribute (e2fs_exec_28_0) true) +(expandtypeattribute 
(efs_file_28_0) true) +(expandtypeattribute (ephemeral_app_28_0) true) +(expandtypeattribute (ethernet_service_28_0) true) +(expandtypeattribute (exfat_28_0) true) +(expandtypeattribute (exported2_config_prop_28_0) true) +(expandtypeattribute (exported2_default_prop_28_0) true) +(expandtypeattribute (exported2_radio_prop_28_0) true) +(expandtypeattribute (exported2_system_prop_28_0) true) +(expandtypeattribute (exported2_vold_prop_28_0) true) +(expandtypeattribute (exported3_default_prop_28_0) true) +(expandtypeattribute (exported3_radio_prop_28_0) true) +(expandtypeattribute (exported3_system_prop_28_0) true) +(expandtypeattribute (exported_audio_prop_28_0) true) +(expandtypeattribute (exported_bluetooth_prop_28_0) true) +(expandtypeattribute (exported_config_prop_28_0) true) +(expandtypeattribute (exported_dalvik_prop_28_0) true) +(expandtypeattribute (exported_default_prop_28_0) true) +(expandtypeattribute (exported_dumpstate_prop_28_0) true) +(expandtypeattribute (exported_ffs_prop_28_0) true) +(expandtypeattribute (exported_fingerprint_prop_28_0) true) +(expandtypeattribute (exported_overlay_prop_28_0) true) +(expandtypeattribute (exported_pm_prop_28_0) true) +(expandtypeattribute (exported_radio_prop_28_0) true) +(expandtypeattribute (exported_secure_prop_28_0) true) +(expandtypeattribute (exported_system_prop_28_0) true) +(expandtypeattribute (exported_system_radio_prop_28_0) true) +(expandtypeattribute (exported_vold_prop_28_0) true) +(expandtypeattribute (exported_wifi_prop_28_0) true) +(expandtypeattribute (ffs_prop_28_0) true) +(expandtypeattribute (file_contexts_file_28_0) true) +(expandtypeattribute (fingerprintd_28_0) true) +(expandtypeattribute (fingerprintd_data_file_28_0) true) +(expandtypeattribute (fingerprintd_exec_28_0) true) +(expandtypeattribute (fingerprintd_service_28_0) true) +(expandtypeattribute (fingerprint_prop_28_0) true) +(expandtypeattribute (fingerprint_service_28_0) true) +(expandtypeattribute (fingerprint_vendor_data_file_28_0) 
true) +(expandtypeattribute (firstboot_prop_28_0) true) +(expandtypeattribute (font_service_28_0) true) +(expandtypeattribute (frp_block_device_28_0) true) +(expandtypeattribute (fs_bpf_28_0) true) +(expandtypeattribute (fsck_28_0) true) +(expandtypeattribute (fsck_exec_28_0) true) +(expandtypeattribute (fscklogs_28_0) true) +(expandtypeattribute (fsck_untrusted_28_0) true) +(expandtypeattribute (full_device_28_0) true) +(expandtypeattribute (functionfs_28_0) true) +(expandtypeattribute (fuse_28_0) true) +(expandtypeattribute (fuse_device_28_0) true) +(expandtypeattribute (fwk_display_hwservice_28_0) true) +(expandtypeattribute (fwk_scheduler_hwservice_28_0) true) +(expandtypeattribute (fwk_sensor_hwservice_28_0) true) +(expandtypeattribute (fwmarkd_socket_28_0) true) +(expandtypeattribute (gatekeeperd_28_0) true) +(expandtypeattribute (gatekeeper_data_file_28_0) true) +(expandtypeattribute (gatekeeperd_exec_28_0) true) +(expandtypeattribute (gatekeeper_service_28_0) true) +(expandtypeattribute (gfxinfo_service_28_0) true) +(expandtypeattribute (gps_control_28_0) true) +(expandtypeattribute (gpu_device_28_0) true) +(expandtypeattribute (gpu_service_28_0) true) +(expandtypeattribute (graphics_device_28_0) true) +(expandtypeattribute (graphicsstats_service_28_0) true) +(expandtypeattribute (hal_audiocontrol_hwservice_28_0) true) +(expandtypeattribute (hal_audio_hwservice_28_0) true) +(expandtypeattribute (hal_authsecret_hwservice_28_0) true) +(expandtypeattribute (hal_bluetooth_hwservice_28_0) true) +(expandtypeattribute (hal_bootctl_hwservice_28_0) true) +(expandtypeattribute (hal_broadcastradio_hwservice_28_0) true) +(expandtypeattribute (hal_camera_hwservice_28_0) true) +(expandtypeattribute (hal_cas_hwservice_28_0) true) +(expandtypeattribute (hal_codec2_hwservice_28_0) true) +(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_28_0) true) +(expandtypeattribute (hal_confirmationui_hwservice_28_0) true) +(expandtypeattribute 
(hal_contexthub_hwservice_28_0) true) +(expandtypeattribute (hal_drm_hwservice_28_0) true) +(expandtypeattribute (hal_dumpstate_hwservice_28_0) true) +(expandtypeattribute (hal_evs_hwservice_28_0) true) +(expandtypeattribute (hal_fingerprint_hwservice_28_0) true) +(expandtypeattribute (hal_fingerprint_service_28_0) true) +(expandtypeattribute (hal_gatekeeper_hwservice_28_0) true) +(expandtypeattribute (hal_gnss_hwservice_28_0) true) +(expandtypeattribute (hal_graphics_allocator_hwservice_28_0) true) +(expandtypeattribute (hal_graphics_composer_hwservice_28_0) true) +(expandtypeattribute (hal_graphics_mapper_hwservice_28_0) true) +(expandtypeattribute (hal_health_hwservice_28_0) true) +(expandtypeattribute (hal_ir_hwservice_28_0) true) +(expandtypeattribute (hal_keymaster_hwservice_28_0) true) +(expandtypeattribute (hal_light_hwservice_28_0) true) +(expandtypeattribute (hal_lowpan_hwservice_28_0) true) +(expandtypeattribute (hal_memtrack_hwservice_28_0) true) +(expandtypeattribute (hal_neuralnetworks_hwservice_28_0) true) +(expandtypeattribute (hal_nfc_hwservice_28_0) true) +(expandtypeattribute (hal_oemlock_hwservice_28_0) true) +(expandtypeattribute (hal_omx_hwservice_28_0) true) +(expandtypeattribute (hal_power_hwservice_28_0) true) +(expandtypeattribute (hal_renderscript_hwservice_28_0) true) +(expandtypeattribute (hal_secure_element_hwservice_28_0) true) +(expandtypeattribute (hal_sensors_hwservice_28_0) true) +(expandtypeattribute (hal_telephony_hwservice_28_0) true) +(expandtypeattribute (hal_tetheroffload_hwservice_28_0) true) +(expandtypeattribute (hal_thermal_hwservice_28_0) true) +(expandtypeattribute (hal_tv_cec_hwservice_28_0) true) +(expandtypeattribute (hal_tv_input_hwservice_28_0) true) +(expandtypeattribute (hal_usb_gadget_hwservice_28_0) true) +(expandtypeattribute (hal_usb_hwservice_28_0) true) +(expandtypeattribute (hal_vehicle_hwservice_28_0) true) +(expandtypeattribute (hal_vibrator_hwservice_28_0) true) +(expandtypeattribute 
(hal_vr_hwservice_28_0) true) +(expandtypeattribute (hal_weaver_hwservice_28_0) true) +(expandtypeattribute (hal_wifi_hostapd_hwservice_28_0) true) +(expandtypeattribute (hal_wifi_hwservice_28_0) true) +(expandtypeattribute (hal_wifi_offload_hwservice_28_0) true) +(expandtypeattribute (hal_wifi_supplicant_hwservice_28_0) true) +(expandtypeattribute (hardware_properties_service_28_0) true) +(expandtypeattribute (hardware_service_28_0) true) +(expandtypeattribute (hci_attach_dev_28_0) true) +(expandtypeattribute (hdmi_control_service_28_0) true) +(expandtypeattribute (healthd_28_0) true) +(expandtypeattribute (healthd_exec_28_0) true) +(expandtypeattribute (heapdump_data_file_28_0) true) +(expandtypeattribute (hidl_allocator_hwservice_28_0) true) +(expandtypeattribute (hidl_base_hwservice_28_0) true) +(expandtypeattribute (hidl_manager_hwservice_28_0) true) +(expandtypeattribute (hidl_memory_hwservice_28_0) true) +(expandtypeattribute (hidl_token_hwservice_28_0) true) +(expandtypeattribute (hwbinder_device_28_0) true) +(expandtypeattribute (hw_random_device_28_0) true) +(expandtypeattribute (hwservice_contexts_file_28_0) true) +(expandtypeattribute (hwservicemanager_28_0) true) +(expandtypeattribute (hwservicemanager_exec_28_0) true) +(expandtypeattribute (hwservicemanager_prop_28_0) true) +(expandtypeattribute (i2c_device_28_0) true) +(expandtypeattribute (icon_file_28_0) true) +(expandtypeattribute (idmap_28_0) true) +(expandtypeattribute (idmap_exec_28_0) true) +(expandtypeattribute (iio_device_28_0) true) +(expandtypeattribute (imms_service_28_0) true) +(expandtypeattribute (incident_28_0) true) +(expandtypeattribute (incidentd_28_0) true) +(expandtypeattribute (incident_data_file_28_0) true) +(expandtypeattribute (incident_helper_28_0) true) +(expandtypeattribute (incident_service_28_0) true) +(expandtypeattribute (init_28_0) true) +(expandtypeattribute (init_exec_28_0) true) +(expandtypeattribute (inotify_28_0) true) +(expandtypeattribute (input_device_28_0) 
true) +(expandtypeattribute (inputflinger_28_0) true) +(expandtypeattribute (inputflinger_exec_28_0) true) +(expandtypeattribute (inputflinger_service_28_0) true) +(expandtypeattribute (input_method_service_28_0) true) +(expandtypeattribute (input_service_28_0) true) +(expandtypeattribute (installd_28_0) true) +(expandtypeattribute (install_data_file_28_0) true) +(expandtypeattribute (installd_exec_28_0) true) +(expandtypeattribute (installd_service_28_0) true) +(expandtypeattribute (install_recovery_28_0) true) +(expandtypeattribute (install_recovery_exec_28_0) true) +(expandtypeattribute (ion_device_28_0) true) +(expandtypeattribute (IProxyService_service_28_0) true) +(expandtypeattribute (ipsec_service_28_0) true) +(expandtypeattribute (isolated_app_28_0) true) +(expandtypeattribute (jobscheduler_service_28_0) true) +(expandtypeattribute (kernel_28_0) true) +(expandtypeattribute (keychain_data_file_28_0) true) +(expandtypeattribute (keychord_device_28_0) true) +(expandtypeattribute (keystore_28_0) true) +(expandtypeattribute (keystore_data_file_28_0) true) +(expandtypeattribute (keystore_exec_28_0) true) +(expandtypeattribute (keystore_service_28_0) true) +(expandtypeattribute (kmem_device_28_0) true) +(expandtypeattribute (kmsg_debug_device_28_0) true) +(expandtypeattribute (kmsg_device_28_0) true) +(expandtypeattribute (labeledfs_28_0) true) +(expandtypeattribute (last_boot_reason_prop_28_0) true) +(expandtypeattribute (launcherapps_service_28_0) true) +(expandtypeattribute (lmkd_28_0) true) +(expandtypeattribute (lmkd_exec_28_0) true) +(expandtypeattribute (lmkd_socket_28_0) true) +(expandtypeattribute (location_service_28_0) true) +(expandtypeattribute (lock_settings_service_28_0) true) +(expandtypeattribute (logcat_exec_28_0) true) +(expandtypeattribute (logd_28_0) true) +(expandtypeattribute (logd_exec_28_0) true) +(expandtypeattribute (logd_prop_28_0) true) +(expandtypeattribute (logdr_socket_28_0) true) +(expandtypeattribute (logd_socket_28_0) true) 
+(expandtypeattribute (logdw_socket_28_0) true) +(expandtypeattribute (logpersist_28_0) true) +(expandtypeattribute (logpersistd_logging_prop_28_0) true) +(expandtypeattribute (log_prop_28_0) true) +(expandtypeattribute (log_tag_prop_28_0) true) +(expandtypeattribute (loop_control_device_28_0) true) +(expandtypeattribute (loop_device_28_0) true) +(expandtypeattribute (lowpan_device_28_0) true) +(expandtypeattribute (lowpan_prop_28_0) true) +(expandtypeattribute (lowpan_service_28_0) true) +(expandtypeattribute (mac_perms_file_28_0) true) +(expandtypeattribute (mdnsd_28_0) true) +(expandtypeattribute (mdnsd_socket_28_0) true) +(expandtypeattribute (mdns_socket_28_0) true) +(expandtypeattribute (mediacodec_28_0) true) +(expandtypeattribute (mediacodec_exec_28_0) true) +(expandtypeattribute (mediacodec_service_28_0) true) +(expandtypeattribute (media_data_file_28_0) true) +(expandtypeattribute (mediadrmserver_28_0) true) +(expandtypeattribute (mediadrmserver_exec_28_0) true) +(expandtypeattribute (mediadrmserver_service_28_0) true) +(expandtypeattribute (mediaextractor_28_0) true) +(expandtypeattribute (mediaextractor_exec_28_0) true) +(expandtypeattribute (mediaextractor_service_28_0) true) +(expandtypeattribute (mediaextractor_update_service_28_0) true) +(expandtypeattribute (mediametrics_28_0) true) +(expandtypeattribute (mediametrics_exec_28_0) true) +(expandtypeattribute (mediametrics_service_28_0) true) +(expandtypeattribute (media_projection_service_28_0) true) +(expandtypeattribute (mediaprovider_28_0) true) +(expandtypeattribute (media_router_service_28_0) true) +(expandtypeattribute (media_rw_data_file_28_0) true) +(expandtypeattribute (mediaserver_28_0) true) +(expandtypeattribute (mediaserver_exec_28_0) true) +(expandtypeattribute (mediaserver_service_28_0) true) +(expandtypeattribute (media_session_service_28_0) true) +(expandtypeattribute (meminfo_service_28_0) true) +(expandtypeattribute (metadata_block_device_28_0) true) +(expandtypeattribute 
(metadata_file_28_0) true) +(expandtypeattribute (method_trace_data_file_28_0) true) +(expandtypeattribute (midi_service_28_0) true) +(expandtypeattribute (misc_block_device_28_0) true) +(expandtypeattribute (misc_logd_file_28_0) true) +(expandtypeattribute (misc_user_data_file_28_0) true) +(expandtypeattribute (mmc_prop_28_0) true) +(expandtypeattribute (mnt_expand_file_28_0) true) +(expandtypeattribute (mnt_media_rw_file_28_0) true) +(expandtypeattribute (mnt_media_rw_stub_file_28_0) true) +(expandtypeattribute (mnt_user_file_28_0) true) +(expandtypeattribute (mnt_vendor_file_28_0) true) +(expandtypeattribute (modprobe_28_0) true) +(expandtypeattribute (mount_service_28_0) true) +(expandtypeattribute (mqueue_28_0) true) +(expandtypeattribute (mtd_device_28_0) true) +(expandtypeattribute (mtp_28_0) true) +(expandtypeattribute (mtp_device_28_0) true) +(expandtypeattribute (mtpd_socket_28_0) true) +(expandtypeattribute (mtp_exec_28_0) true) +(expandtypeattribute (nativetest_data_file_28_0) true) +(expandtypeattribute (netd_28_0) true) +(expandtypeattribute (net_data_file_28_0) true) +(expandtypeattribute (netd_exec_28_0) true) +(expandtypeattribute (netd_listener_service_28_0) true) +(expandtypeattribute (net_dns_prop_28_0) true) +(expandtypeattribute (netd_service_28_0) true) +(expandtypeattribute (netd_socket_28_0) true) +(expandtypeattribute (netd_stable_secret_prop_28_0) true) +(expandtypeattribute (netif_28_0) true) +(expandtypeattribute (netpolicy_service_28_0) true) +(expandtypeattribute (net_radio_prop_28_0) true) +(expandtypeattribute (netstats_service_28_0) true) +(expandtypeattribute (netutils_wrapper_28_0) true) +(expandtypeattribute (netutils_wrapper_exec_28_0) true) +(expandtypeattribute (network_management_service_28_0) true) +(expandtypeattribute (network_score_service_28_0) true) +(expandtypeattribute (network_time_update_service_28_0) true) +(expandtypeattribute (network_watchlist_data_file_28_0) true) +(expandtypeattribute 
(network_watchlist_service_28_0) true) +(expandtypeattribute (nfc_28_0) true) +(expandtypeattribute (nfc_data_file_28_0) true) +(expandtypeattribute (nfc_device_28_0) true) +(expandtypeattribute (nfc_prop_28_0) true) +(expandtypeattribute (nfc_service_28_0) true) +(expandtypeattribute (node_28_0) true) +(expandtypeattribute (nonplat_service_contexts_file_28_0) true) +(expandtypeattribute (notification_service_28_0) true) +(expandtypeattribute (null_device_28_0) true) +(expandtypeattribute (oemfs_28_0) true) +(expandtypeattribute (oem_lock_service_28_0) true) +(expandtypeattribute (ota_data_file_28_0) true) +(expandtypeattribute (otadexopt_service_28_0) true) +(expandtypeattribute (ota_package_file_28_0) true) +(expandtypeattribute (otapreopt_chroot_28_0) true) +(expandtypeattribute (otapreopt_chroot_exec_28_0) true) +(expandtypeattribute (otapreopt_slot_28_0) true) +(expandtypeattribute (otapreopt_slot_exec_28_0) true) +(expandtypeattribute (overlay_prop_28_0) true) +(expandtypeattribute (overlay_service_28_0) true) +(expandtypeattribute (owntty_device_28_0) true) +(expandtypeattribute (package_native_service_28_0) true) +(expandtypeattribute (package_service_28_0) true) +(expandtypeattribute (pan_result_prop_28_0) true) +(expandtypeattribute (pdx_bufferhub_client_channel_socket_28_0) true) +(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_28_0) true) +(expandtypeattribute (pdx_bufferhub_dir_28_0) true) +(expandtypeattribute (pdx_display_client_channel_socket_28_0) true) +(expandtypeattribute (pdx_display_client_endpoint_socket_28_0) true) +(expandtypeattribute (pdx_display_dir_28_0) true) +(expandtypeattribute (pdx_display_manager_channel_socket_28_0) true) +(expandtypeattribute (pdx_display_manager_endpoint_socket_28_0) true) +(expandtypeattribute (pdx_display_screenshot_channel_socket_28_0) true) +(expandtypeattribute (pdx_display_screenshot_endpoint_socket_28_0) true) +(expandtypeattribute (pdx_display_vsync_channel_socket_28_0) true) 
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_28_0) true) +(expandtypeattribute (pdx_performance_client_channel_socket_28_0) true) +(expandtypeattribute (pdx_performance_client_endpoint_socket_28_0) true) +(expandtypeattribute (pdx_performance_dir_28_0) true) +(expandtypeattribute (performanced_28_0) true) +(expandtypeattribute (performanced_exec_28_0) true) +(expandtypeattribute (permission_service_28_0) true) +(expandtypeattribute (persist_debug_prop_28_0) true) +(expandtypeattribute (persistent_data_block_service_28_0) true) +(expandtypeattribute (persistent_properties_ready_prop_28_0) true) +(expandtypeattribute (pinner_service_28_0) true) +(expandtypeattribute (pipefs_28_0) true) +(expandtypeattribute (platform_app_28_0) true) +(expandtypeattribute (pm_prop_28_0) true) +(expandtypeattribute (pmsg_device_28_0) true) +(expandtypeattribute (port_28_0) true) +(expandtypeattribute (port_device_28_0) true) +(expandtypeattribute (postinstall_28_0) true) +(expandtypeattribute (postinstall_dexopt_28_0) true) +(expandtypeattribute (postinstall_file_28_0) true) +(expandtypeattribute (postinstall_mnt_dir_28_0) true) +(expandtypeattribute (powerctl_prop_28_0) true) +(expandtypeattribute (power_service_28_0) true) +(expandtypeattribute (ppp_28_0) true) +(expandtypeattribute (ppp_device_28_0) true) +(expandtypeattribute (ppp_exec_28_0) true) +(expandtypeattribute (preloads_data_file_28_0) true) +(expandtypeattribute (preloads_media_file_28_0) true) +(expandtypeattribute (preopt2cachename_28_0) true) +(expandtypeattribute (preopt2cachename_exec_28_0) true) +(expandtypeattribute (print_service_28_0) true) +(expandtypeattribute (priv_app_28_0) true) +(expandtypeattribute (proc_28_0) true) +(expandtypeattribute (proc_abi_28_0) true) +(expandtypeattribute (proc_asound_28_0) true) +(expandtypeattribute (proc_bluetooth_writable_28_0) true) +(expandtypeattribute (proc_buddyinfo_28_0) true) +(expandtypeattribute (proc_cmdline_28_0) true) +(expandtypeattribute 
(proc_cpuinfo_28_0) true) +(expandtypeattribute (proc_dirty_28_0) true) +(expandtypeattribute (proc_diskstats_28_0) true) +(expandtypeattribute (proc_drop_caches_28_0) true) +(expandtypeattribute (processinfo_service_28_0) true) +(expandtypeattribute (proc_extra_free_kbytes_28_0) true) +(expandtypeattribute (proc_filesystems_28_0) true) +(expandtypeattribute (proc_hostname_28_0) true) +(expandtypeattribute (proc_hung_task_28_0) true) +(expandtypeattribute (proc_interrupts_28_0) true) +(expandtypeattribute (proc_iomem_28_0) true) +(expandtypeattribute (proc_kmsg_28_0) true) +(expandtypeattribute (proc_loadavg_28_0) true) +(expandtypeattribute (proc_max_map_count_28_0) true) +(expandtypeattribute (proc_meminfo_28_0) true) +(expandtypeattribute (proc_min_free_order_shift_28_0) true) +(expandtypeattribute (proc_misc_28_0) true) +(expandtypeattribute (proc_modules_28_0) true) +(expandtypeattribute (proc_mounts_28_0) true) +(expandtypeattribute (proc_net_28_0) true) +(expandtypeattribute (proc_overcommit_memory_28_0) true) +(expandtypeattribute (proc_page_cluster_28_0) true) +(expandtypeattribute (proc_pagetypeinfo_28_0) true) +(expandtypeattribute (proc_panic_28_0) true) +(expandtypeattribute (proc_perf_28_0) true) +(expandtypeattribute (proc_pid_max_28_0) true) +(expandtypeattribute (proc_pipe_conf_28_0) true) +(expandtypeattribute (proc_qtaguid_stat_28_0) true) +(expandtypeattribute (proc_random_28_0) true) +(expandtypeattribute (proc_sched_28_0) true) +(expandtypeattribute (proc_security_28_0) true) +(expandtypeattribute (proc_stat_28_0) true) +(expandtypeattribute (procstats_service_28_0) true) +(expandtypeattribute (proc_swaps_28_0) true) +(expandtypeattribute (proc_sysrq_28_0) true) +(expandtypeattribute (proc_timer_28_0) true) +(expandtypeattribute (proc_tty_drivers_28_0) true) +(expandtypeattribute (proc_uid_concurrent_active_time_28_0) true) +(expandtypeattribute (proc_uid_concurrent_policy_time_28_0) true) +(expandtypeattribute (proc_uid_cpupower_28_0) true) 
+(expandtypeattribute (proc_uid_cputime_removeuid_28_0) true) +(expandtypeattribute (proc_uid_cputime_showstat_28_0) true) +(expandtypeattribute (proc_uid_io_stats_28_0) true) +(expandtypeattribute (proc_uid_procstat_set_28_0) true) +(expandtypeattribute (proc_uid_time_in_state_28_0) true) +(expandtypeattribute (proc_uptime_28_0) true) +(expandtypeattribute (proc_version_28_0) true) +(expandtypeattribute (proc_vmallocinfo_28_0) true) +(expandtypeattribute (proc_vmstat_28_0) true) +(expandtypeattribute (proc_zoneinfo_28_0) true) +(expandtypeattribute (profman_28_0) true) +(expandtypeattribute (profman_dump_data_file_28_0) true) +(expandtypeattribute (profman_exec_28_0) true) +(expandtypeattribute (properties_device_28_0) true) +(expandtypeattribute (properties_serial_28_0) true) +(expandtypeattribute (property_contexts_file_28_0) true) +(expandtypeattribute (property_data_file_28_0) true) +(expandtypeattribute (property_info_28_0) true) +(expandtypeattribute (property_socket_28_0) true) +(expandtypeattribute (pstorefs_28_0) true) +(expandtypeattribute (ptmx_device_28_0) true) +(expandtypeattribute (qtaguid_device_28_0) true) +(expandtypeattribute (qtaguid_proc_28_0) true) +(expandtypeattribute (racoon_28_0) true) +(expandtypeattribute (racoon_exec_28_0) true) +(expandtypeattribute (racoon_socket_28_0) true) +(expandtypeattribute (radio_28_0) true) +(expandtypeattribute (radio_data_file_28_0) true) +(expandtypeattribute (radio_device_28_0) true) +(expandtypeattribute (radio_prop_28_0) true) +(expandtypeattribute (radio_service_28_0) true) +(expandtypeattribute (ram_device_28_0) true) +(expandtypeattribute (random_device_28_0) true) +(expandtypeattribute (recovery_28_0) true) +(expandtypeattribute (recovery_block_device_28_0) true) +(expandtypeattribute (recovery_data_file_28_0) true) +(expandtypeattribute (recovery_persist_28_0) true) +(expandtypeattribute (recovery_persist_exec_28_0) true) +(expandtypeattribute (recovery_refresh_28_0) true) +(expandtypeattribute 
(recovery_refresh_exec_28_0) true) +(expandtypeattribute (recovery_service_28_0) true) +(expandtypeattribute (registry_service_28_0) true) +(expandtypeattribute (resourcecache_data_file_28_0) true) +(expandtypeattribute (restorecon_prop_28_0) true) +(expandtypeattribute (restrictions_service_28_0) true) +(expandtypeattribute (rild_debug_socket_28_0) true) +(expandtypeattribute (rild_socket_28_0) true) +(expandtypeattribute (ringtone_file_28_0) true) +(expandtypeattribute (root_block_device_28_0) true) +(expandtypeattribute (rootfs_28_0) true) +(expandtypeattribute (rpmsg_device_28_0) true) +(expandtypeattribute (rtc_device_28_0) true) +(expandtypeattribute (rttmanager_service_28_0) true) +(expandtypeattribute (runas_28_0) true) +(expandtypeattribute (runas_exec_28_0) true) +(expandtypeattribute (runtime_event_log_tags_file_28_0) true) +(expandtypeattribute (safemode_prop_28_0) true) +(expandtypeattribute (same_process_hal_file_28_0) true) +(expandtypeattribute (samplingprofiler_service_28_0) true) +(expandtypeattribute (scheduling_policy_service_28_0) true) +(expandtypeattribute (sdcardd_28_0) true) +(expandtypeattribute (sdcardd_exec_28_0) true) +(expandtypeattribute (sdcardfs_28_0) true) +(expandtypeattribute (seapp_contexts_file_28_0) true) +(expandtypeattribute (search_service_28_0) true) +(expandtypeattribute (sec_key_att_app_id_provider_service_28_0) true) +(expandtypeattribute (secure_element_28_0) true) +(expandtypeattribute (secure_element_device_28_0) true) +(expandtypeattribute (secure_element_service_28_0) true) +(expandtypeattribute (selinuxfs_28_0) true) +(expandtypeattribute (sensors_device_28_0) true) +(expandtypeattribute (sensorservice_service_28_0) true) +(expandtypeattribute (sepolicy_file_28_0) true) +(expandtypeattribute (serial_device_28_0) true) +(expandtypeattribute (serialno_prop_28_0) true) +(expandtypeattribute (serial_service_28_0) true) +(expandtypeattribute (service_contexts_file_28_0) true) +(expandtypeattribute 
(servicediscovery_service_28_0) true) +(expandtypeattribute (servicemanager_28_0) true) +(expandtypeattribute (servicemanager_exec_28_0) true) +(expandtypeattribute (settings_service_28_0) true) +(expandtypeattribute (sgdisk_28_0) true) +(expandtypeattribute (sgdisk_exec_28_0) true) +(expandtypeattribute (shared_relro_28_0) true) +(expandtypeattribute (shared_relro_file_28_0) true) +(expandtypeattribute (shell_28_0) true) +(expandtypeattribute (shell_data_file_28_0) true) +(expandtypeattribute (shell_exec_28_0) true) +(expandtypeattribute (shell_prop_28_0) true) +(expandtypeattribute (shm_28_0) true) +(expandtypeattribute (shortcut_manager_icons_28_0) true) +(expandtypeattribute (shortcut_service_28_0) true) +(expandtypeattribute (slice_service_28_0) true) +(expandtypeattribute (slideshow_28_0) true) +(expandtypeattribute (socket_device_28_0) true) +(expandtypeattribute (sockfs_28_0) true) +(expandtypeattribute (statusbar_service_28_0) true) +(expandtypeattribute (storaged_service_28_0) true) +(expandtypeattribute (storage_file_28_0) true) +(expandtypeattribute (storagestats_service_28_0) true) +(expandtypeattribute (storage_stub_file_28_0) true) +(expandtypeattribute (su_28_0) true) +(expandtypeattribute (su_exec_28_0) true) +(expandtypeattribute (surfaceflinger_28_0) true) +(expandtypeattribute (surfaceflinger_service_28_0) true) +(expandtypeattribute (swap_block_device_28_0) true) +(expandtypeattribute (sysfs_28_0) true) +(expandtypeattribute (sysfs_android_usb_28_0) true) +(expandtypeattribute (sysfs_batteryinfo_28_0) true) +(expandtypeattribute (sysfs_bluetooth_writable_28_0) true) +(expandtypeattribute (sysfs_devices_system_cpu_28_0) true) +(expandtypeattribute (sysfs_dm_28_0) true) +(expandtypeattribute (sysfs_dt_firmware_android_28_0) true) +(expandtypeattribute (sysfs_fs_ext4_features_28_0) true) +(expandtypeattribute (sysfs_hwrandom_28_0) true) +(expandtypeattribute (sysfs_ipv4_28_0) true) +(expandtypeattribute (sysfs_kernel_notes_28_0) true) 
+(expandtypeattribute (sysfs_leds_28_0) true) +(expandtypeattribute (sysfs_lowmemorykiller_28_0) true) +(expandtypeattribute (sysfs_mac_address_28_0) true) +(expandtypeattribute (sysfs_net_28_0) true) +(expandtypeattribute (sysfs_nfc_power_writable_28_0) true) +(expandtypeattribute (sysfs_power_28_0) true) +(expandtypeattribute (sysfs_rtc_28_0) true) +(expandtypeattribute (sysfs_switch_28_0) true) +(expandtypeattribute (sysfs_thermal_28_0) true) +(expandtypeattribute (sysfs_uio_28_0) true) +(expandtypeattribute (sysfs_usb_28_0) true) +(expandtypeattribute (sysfs_usermodehelper_28_0) true) +(expandtypeattribute (sysfs_vibrator_28_0) true) +(expandtypeattribute (sysfs_wake_lock_28_0) true) +(expandtypeattribute (sysfs_wakeup_reasons_28_0) true) +(expandtypeattribute (sysfs_wlan_fwpath_28_0) true) +(expandtypeattribute (sysfs_zram_28_0) true) +(expandtypeattribute (sysfs_zram_uevent_28_0) true) +(expandtypeattribute (system_app_28_0) true) +(expandtypeattribute (system_app_data_file_28_0) true) +(expandtypeattribute (system_app_service_28_0) true) +(expandtypeattribute (system_block_device_28_0) true) +(expandtypeattribute (system_boot_reason_prop_28_0) true) +(expandtypeattribute (system_data_file_28_0) true) +(expandtypeattribute (system_file_28_0) true) +(expandtypeattribute (systemkeys_data_file_28_0) true) +(expandtypeattribute (system_ndebug_socket_28_0) true) +(expandtypeattribute (system_net_netd_hwservice_28_0) true) +(expandtypeattribute (system_prop_28_0) true) +(expandtypeattribute (system_radio_prop_28_0) true) +(expandtypeattribute (system_server_28_0) true) +(expandtypeattribute (system_update_service_28_0) true) +(expandtypeattribute (system_wifi_keystore_hwservice_28_0) true) +(expandtypeattribute (system_wpa_socket_28_0) true) +(expandtypeattribute (task_service_28_0) true) +(expandtypeattribute (tee_28_0) true) +(expandtypeattribute (tee_data_file_28_0) true) +(expandtypeattribute (tee_device_28_0) true) +(expandtypeattribute (telecom_service_28_0) 
true) +(expandtypeattribute (test_boot_reason_prop_28_0) true) +(expandtypeattribute (textclassification_service_28_0) true) +(expandtypeattribute (textclassifier_data_file_28_0) true) +(expandtypeattribute (textservices_service_28_0) true) +(expandtypeattribute (thermalcallback_hwservice_28_0) true) +(expandtypeattribute (thermal_service_28_0) true) +(expandtypeattribute (timezone_service_28_0) true) +(expandtypeattribute (tmpfs_28_0) true) +(expandtypeattribute (tombstoned_28_0) true) +(expandtypeattribute (tombstone_data_file_28_0) true) +(expandtypeattribute (tombstoned_crash_socket_28_0) true) +(expandtypeattribute (tombstoned_exec_28_0) true) +(expandtypeattribute (tombstoned_intercept_socket_28_0) true) +(expandtypeattribute (tombstoned_java_trace_socket_28_0) true) +(expandtypeattribute (tombstone_wifi_data_file_28_0) true) +(expandtypeattribute (toolbox_28_0) true) +(expandtypeattribute (toolbox_exec_28_0) true) +(expandtypeattribute (trace_data_file_28_0) true) +(expandtypeattribute (traced_consumer_socket_28_0) true) +(expandtypeattribute (traced_enabled_prop_28_0) true) +(expandtypeattribute (traced_probes_28_0) true) +(expandtypeattribute (traced_producer_socket_28_0) true) +(expandtypeattribute (traceur_app_28_0) true) +(expandtypeattribute (trust_service_28_0) true) +(expandtypeattribute (tty_device_28_0) true) +(expandtypeattribute (tun_device_28_0) true) +(expandtypeattribute (tv_input_service_28_0) true) +(expandtypeattribute (tzdatacheck_28_0) true) +(expandtypeattribute (tzdatacheck_exec_28_0) true) +(expandtypeattribute (ueventd_28_0) true) +(expandtypeattribute (uhid_device_28_0) true) +(expandtypeattribute (uimode_service_28_0) true) +(expandtypeattribute (uio_device_28_0) true) +(expandtypeattribute (uncrypt_28_0) true) +(expandtypeattribute (uncrypt_exec_28_0) true) +(expandtypeattribute (uncrypt_socket_28_0) true) +(expandtypeattribute (unencrypted_data_file_28_0) true) +(expandtypeattribute (unlabeled_28_0) true) +(expandtypeattribute 
(untrusted_app_25_28_0) true) +(expandtypeattribute (untrusted_app_27_28_0) true) +(expandtypeattribute (untrusted_app_28_0) true) +(expandtypeattribute (untrusted_v2_app_28_0) true) +(expandtypeattribute (update_engine_28_0) true) +(expandtypeattribute (update_engine_data_file_28_0) true) +(expandtypeattribute (update_engine_exec_28_0) true) +(expandtypeattribute (update_engine_log_data_file_28_0) true) +(expandtypeattribute (update_engine_service_28_0) true) +(expandtypeattribute (updatelock_service_28_0) true) +(expandtypeattribute (update_verifier_28_0) true) +(expandtypeattribute (update_verifier_exec_28_0) true) +(expandtypeattribute (usagestats_service_28_0) true) +(expandtypeattribute (usbaccessory_device_28_0) true) +(expandtypeattribute (usbd_28_0) true) +(expandtypeattribute (usb_device_28_0) true) +(expandtypeattribute (usbd_exec_28_0) true) +(expandtypeattribute (usbfs_28_0) true) +(expandtypeattribute (usb_service_28_0) true) +(expandtypeattribute (userdata_block_device_28_0) true) +(expandtypeattribute (usermodehelper_28_0) true) +(expandtypeattribute (user_profile_data_file_28_0) true) +(expandtypeattribute (user_service_28_0) true) +(expandtypeattribute (vcs_device_28_0) true) +(expandtypeattribute (vdc_28_0) true) +(expandtypeattribute (vdc_exec_28_0) true) +(expandtypeattribute (vendor_app_file_28_0) true) +(expandtypeattribute (vendor_configs_file_28_0) true) +(expandtypeattribute (vendor_data_file_28_0) true) +(expandtypeattribute (vendor_default_prop_28_0) true) +(expandtypeattribute (vendor_file_28_0) true) +(expandtypeattribute (vendor_framework_file_28_0) true) +(expandtypeattribute (vendor_hal_file_28_0) true) +(expandtypeattribute (vendor_init_28_0) true) +(expandtypeattribute (vendor_overlay_file_28_0) true) +(expandtypeattribute (vendor_security_patch_level_prop_28_0) true) +(expandtypeattribute (vendor_shell_28_0) true) +(expandtypeattribute (vendor_shell_exec_28_0) true) +(expandtypeattribute (vendor_toolbox_exec_28_0) true) 
+(expandtypeattribute (vfat_28_0) true) +(expandtypeattribute (vibrator_service_28_0) true) +(expandtypeattribute (video_device_28_0) true) +(expandtypeattribute (virtual_touchpad_28_0) true) +(expandtypeattribute (virtual_touchpad_exec_28_0) true) +(expandtypeattribute (virtual_touchpad_service_28_0) true) +(expandtypeattribute (vndbinder_device_28_0) true) +(expandtypeattribute (vndk_sp_file_28_0) true) +(expandtypeattribute (vndservice_contexts_file_28_0) true) +(expandtypeattribute (vndservicemanager_28_0) true) +(expandtypeattribute (voiceinteraction_service_28_0) true) +(expandtypeattribute (vold_28_0) true) +(expandtypeattribute (vold_data_file_28_0) true) +(expandtypeattribute (vold_device_28_0) true) +(expandtypeattribute (vold_exec_28_0) true) +(expandtypeattribute (vold_metadata_file_28_0) true) +(expandtypeattribute (vold_prepare_subdirs_28_0) true) +(expandtypeattribute (vold_prepare_subdirs_exec_28_0) true) +(expandtypeattribute (vold_prop_28_0) true) +(expandtypeattribute (vold_service_28_0) true) +(expandtypeattribute (vpn_data_file_28_0) true) +(expandtypeattribute (vr_hwc_28_0) true) +(expandtypeattribute (vr_hwc_exec_28_0) true) +(expandtypeattribute (vr_hwc_service_28_0) true) +(expandtypeattribute (vr_manager_service_28_0) true) +(expandtypeattribute (wallpaper_file_28_0) true) +(expandtypeattribute (wallpaper_service_28_0) true) +(expandtypeattribute (watchdogd_28_0) true) +(expandtypeattribute (watchdog_device_28_0) true) +(expandtypeattribute (webviewupdate_service_28_0) true) +(expandtypeattribute (webview_zygote_28_0) true) +(expandtypeattribute (webview_zygote_exec_28_0) true) +(expandtypeattribute (wifiaware_service_28_0) true) +(expandtypeattribute (wificond_28_0) true) +(expandtypeattribute (wificond_exec_28_0) true) +(expandtypeattribute (wificond_service_28_0) true) +(expandtypeattribute (wifi_data_file_28_0) true) +(expandtypeattribute (wifi_log_prop_28_0) true) +(expandtypeattribute (wifip2p_service_28_0) true) 
+(expandtypeattribute (wifi_prop_28_0) true) +(expandtypeattribute (wifiscanner_service_28_0) true) +(expandtypeattribute (wifi_service_28_0) true) +(expandtypeattribute (window_service_28_0) true) +(expandtypeattribute (wpantund_28_0) true) +(expandtypeattribute (wpantund_exec_28_0) true) +(expandtypeattribute (wpantund_service_28_0) true) +(expandtypeattribute (wpa_socket_28_0) true) +(expandtypeattribute (zero_device_28_0) true) +(expandtypeattribute (zoneinfo_data_file_28_0) true) +(expandtypeattribute (zygote_28_0) true) +(expandtypeattribute (zygote_exec_28_0) true) +(expandtypeattribute (zygote_socket_28_0) true) +(typeattributeset accessibility_service_28_0 (accessibility_service)) +(typeattributeset account_service_28_0 (account_service)) +(typeattributeset activity_service_28_0 (activity_service)) +(typeattributeset adbd_28_0 (adbd)) +(typeattributeset adb_data_file_28_0 (adb_data_file)) +(typeattributeset adbd_exec_28_0 (adbd_exec)) +(typeattributeset adbd_socket_28_0 (adbd_socket)) +(typeattributeset adb_keys_file_28_0 (adb_keys_file)) +(typeattributeset alarm_device_28_0 (alarm_device)) +(typeattributeset alarm_service_28_0 (alarm_service)) +(typeattributeset anr_data_file_28_0 (anr_data_file)) +(typeattributeset apk_data_file_28_0 (apk_data_file)) +(typeattributeset apk_private_data_file_28_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_28_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_28_0 (apk_tmp_file)) +(typeattributeset app_data_file_28_0 (app_data_file privapp_data_file)) +(typeattributeset app_fuse_file_28_0 (app_fuse_file)) +(typeattributeset app_fusefs_28_0 (app_fusefs)) +(typeattributeset appops_service_28_0 (appops_service)) +(typeattributeset appwidget_service_28_0 (appwidget_service)) +(typeattributeset asec_apk_file_28_0 (asec_apk_file)) +(typeattributeset asec_image_file_28_0 (asec_image_file)) +(typeattributeset asec_public_file_28_0 (asec_public_file)) +(typeattributeset ashmem_device_28_0 
(ashmem_device)) +(typeattributeset assetatlas_service_28_0 (assetatlas_service)) +(typeattributeset audio_data_file_28_0 (audio_data_file)) +(typeattributeset audio_device_28_0 (audio_device)) +(typeattributeset audiohal_data_file_28_0 (audiohal_data_file)) +(typeattributeset audio_prop_28_0 (audio_prop)) +(typeattributeset audio_seq_device_28_0 (audio_seq_device)) +(typeattributeset audioserver_28_0 (audioserver)) +(typeattributeset audioserver_data_file_28_0 (audioserver_data_file)) +(typeattributeset audioserver_service_28_0 (audioserver_service)) +(typeattributeset audio_service_28_0 (audio_service)) +(typeattributeset audio_timer_device_28_0 (audio_timer_device)) +(typeattributeset autofill_service_28_0 (autofill_service)) +(typeattributeset backup_data_file_28_0 (backup_data_file)) +(typeattributeset backup_service_28_0 (backup_service)) +(typeattributeset batteryproperties_service_28_0 (batteryproperties_service)) +(typeattributeset battery_service_28_0 (battery_service)) +(typeattributeset batterystats_service_28_0 (batterystats_service)) +(typeattributeset binder_calls_stats_service_28_0 (binder_calls_stats_service)) +(typeattributeset binder_device_28_0 (binder_device)) +(typeattributeset binfmt_miscfs_28_0 (binfmt_miscfs)) +(typeattributeset blkid_28_0 (blkid)) +(typeattributeset blkid_untrusted_28_0 (blkid_untrusted)) +(typeattributeset block_device_28_0 (block_device)) +(typeattributeset bluetooth_28_0 (bluetooth)) +(typeattributeset bluetooth_a2dp_offload_prop_28_0 (bluetooth_a2dp_offload_prop)) +(typeattributeset bluetooth_data_file_28_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_28_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_28_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_28_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_28_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_28_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_28_0 
(bluetooth_socket)) +(typeattributeset bootanim_28_0 (bootanim)) +(typeattributeset bootanim_exec_28_0 (bootanim_exec)) +(typeattributeset boot_block_device_28_0 (boot_block_device)) +(typeattributeset bootchart_data_file_28_0 (bootchart_data_file)) +(typeattributeset bootloader_boot_reason_prop_28_0 (bootloader_boot_reason_prop)) +(typeattributeset bootstat_28_0 (bootstat)) +(typeattributeset bootstat_data_file_28_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_28_0 (bootstat_exec)) +(typeattributeset boottime_prop_28_0 (boottime_prop)) +(typeattributeset boottrace_data_file_28_0 (boottrace_data_file)) +(typeattributeset broadcastradio_service_28_0 (broadcastradio_service)) +(typeattributeset bufferhubd_28_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_28_0 (bufferhubd_exec)) +(typeattributeset cache_backup_file_28_0 (cache_backup_file)) +(typeattributeset cache_block_device_28_0 (cache_block_device)) +(typeattributeset cache_file_28_0 (cache_file)) +(typeattributeset cache_private_backup_file_28_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_28_0 (cache_recovery_file)) +(typeattributeset camera_data_file_28_0 (camera_data_file)) +(typeattributeset camera_device_28_0 (camera_device)) +(typeattributeset cameraproxy_service_28_0 (cameraproxy_service)) +(typeattributeset cameraserver_28_0 (cameraserver)) +(typeattributeset cameraserver_exec_28_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_28_0 (cameraserver_service)) +(typeattributeset cgroup_28_0 (cgroup)) +(typeattributeset cgroup_bpf_28_0 (cgroup_bpf)) +(typeattributeset charger_28_0 (charger)) +(typeattributeset clatd_28_0 (clatd)) +(typeattributeset clatd_exec_28_0 (clatd_exec)) +(typeattributeset clipboard_service_28_0 (clipboard_service)) +(typeattributeset commontime_management_service_28_0 (commontime_management_service)) +(typeattributeset companion_device_service_28_0 (companion_device_service)) +(typeattributeset configfs_28_0 (configfs)) 
+(typeattributeset config_prop_28_0 (config_prop)) +(typeattributeset connectivity_service_28_0 (connectivity_service)) +(typeattributeset connmetrics_service_28_0 (connmetrics_service)) +(typeattributeset console_device_28_0 (console_device)) +(typeattributeset consumer_ir_service_28_0 (consumer_ir_service)) +(typeattributeset content_service_28_0 (content_service)) +(typeattributeset contexthub_service_28_0 (contexthub_service)) +(typeattributeset coredump_file_28_0 (coredump_file)) +(typeattributeset country_detector_service_28_0 (country_detector_service)) +(typeattributeset coverage_service_28_0 (coverage_service)) +(typeattributeset cppreopt_prop_28_0 (cppreopt_prop)) +(typeattributeset cppreopts_28_0 (cppreopts)) +(typeattributeset cppreopts_exec_28_0 (cppreopts_exec)) +(typeattributeset cpuctl_device_28_0 (cpuctl_device)) +(typeattributeset cpuinfo_service_28_0 (cpuinfo_service)) +(typeattributeset crash_dump_28_0 (crash_dump)) +(typeattributeset crash_dump_exec_28_0 (crash_dump_exec)) +(typeattributeset crossprofileapps_service_28_0 (crossprofileapps_service)) +(typeattributeset ctl_bootanim_prop_28_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_28_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_28_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_28_0 + ( ctl_adbd_prop + ctl_default_prop)) +(typeattributeset ctl_dumpstate_prop_28_0 (ctl_dumpstate_prop)) +(typeattributeset ctl_fuse_prop_28_0 (ctl_fuse_prop)) +(typeattributeset ctl_interface_restart_prop_28_0 (ctl_interface_restart_prop)) +(typeattributeset ctl_interface_start_prop_28_0 (ctl_interface_start_prop)) +(typeattributeset ctl_interface_stop_prop_28_0 (ctl_interface_stop_prop)) +(typeattributeset ctl_mdnsd_prop_28_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_restart_prop_28_0 (ctl_restart_prop)) +(typeattributeset ctl_rildaemon_prop_28_0 (ctl_rildaemon_prop)) +(typeattributeset ctl_sigstop_prop_28_0 (ctl_sigstop_prop)) +(typeattributeset ctl_start_prop_28_0 
(ctl_start_prop)) +(typeattributeset ctl_stop_prop_28_0 (ctl_stop_prop)) +(typeattributeset dalvikcache_data_file_28_0 (dalvikcache_data_file)) +(typeattributeset dalvik_prop_28_0 (dalvik_prop)) +(typeattributeset dbinfo_service_28_0 (dbinfo_service)) +(typeattributeset debugfs_28_0 (debugfs)) +(typeattributeset debugfs_mmc_28_0 (debugfs_mmc)) +(typeattributeset debugfs_trace_marker_28_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_28_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_debug_28_0 (debugfs_tracing_debug)) +(typeattributeset debugfs_tracing_instances_28_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_wakeup_sources_28_0 (debugfs_wakeup_sources)) +(typeattributeset debugfs_wifi_tracing_28_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_28_0 (debuggerd_prop)) +(typeattributeset debug_prop_28_0 (debug_prop)) +(typeattributeset default_android_hwservice_28_0 (default_android_hwservice)) +(typeattributeset default_android_service_28_0 (default_android_service)) +(typeattributeset default_android_vndservice_28_0 (default_android_vndservice)) +(typeattributeset default_prop_28_0 (default_prop)) +(typeattributeset device_28_0 (device)) +(typeattributeset device_identifiers_service_28_0 (device_identifiers_service)) +(typeattributeset deviceidle_service_28_0 (deviceidle_service)) +(typeattributeset device_logging_prop_28_0 (device_logging_prop)) +(typeattributeset device_policy_service_28_0 (device_policy_service)) +(typeattributeset devicestoragemonitor_service_28_0 (devicestoragemonitor_service)) +(typeattributeset devpts_28_0 (devpts)) +(typeattributeset dex2oat_28_0 (dex2oat)) +(typeattributeset dex2oat_exec_28_0 (dex2oat_exec)) +(typeattributeset dhcp_28_0 (dhcp)) +(typeattributeset dhcp_data_file_28_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_28_0 (dhcp_exec)) +(typeattributeset dhcp_prop_28_0 (dhcp_prop)) +(typeattributeset diskstats_service_28_0 (diskstats_service)) +(typeattributeset display_service_28_0 
(display_service)) +(typeattributeset dm_device_28_0 (dm_device)) +(typeattributeset dnsmasq_28_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_28_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_28_0 (dnsproxyd_socket)) +(typeattributeset DockObserver_service_28_0 (DockObserver_service)) +(typeattributeset dreams_service_28_0 (dreams_service)) +(typeattributeset drm_data_file_28_0 (drm_data_file)) +(typeattributeset drmserver_28_0 (drmserver)) +(typeattributeset drmserver_exec_28_0 (drmserver_exec)) +(typeattributeset drmserver_service_28_0 (drmserver_service)) +(typeattributeset drmserver_socket_28_0 (drmserver_socket)) +(typeattributeset dropbox_service_28_0 (dropbox_service)) +(typeattributeset dumpstate_28_0 (dumpstate)) +(typeattributeset dumpstate_exec_28_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_28_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_28_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_28_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_28_0 (dumpstate_socket)) +(typeattributeset e2fs_28_0 (e2fs)) +(typeattributeset e2fs_exec_28_0 (e2fs_exec)) +(typeattributeset efs_file_28_0 (efs_file)) +(typeattributeset ephemeral_app_28_0 (ephemeral_app)) +(typeattributeset ethernet_service_28_0 (ethernet_service)) +(typeattributeset exfat_28_0 (exfat)) +(typeattributeset exported2_config_prop_28_0 (exported2_config_prop)) +(typeattributeset exported2_default_prop_28_0 (exported2_default_prop)) +(typeattributeset exported2_radio_prop_28_0 (exported2_radio_prop)) +(typeattributeset exported2_system_prop_28_0 (exported2_system_prop)) +(typeattributeset exported2_vold_prop_28_0 (exported2_vold_prop)) +(typeattributeset exported3_default_prop_28_0 (exported3_default_prop)) +(typeattributeset exported3_radio_prop_28_0 (exported3_radio_prop)) +(typeattributeset exported3_system_prop_28_0 (exported3_system_prop)) +(typeattributeset exported_audio_prop_28_0 (exported_audio_prop)) +(typeattributeset 
exported_bluetooth_prop_28_0 (exported_bluetooth_prop)) +(typeattributeset exported_config_prop_28_0 (exported_config_prop)) +(typeattributeset exported_dalvik_prop_28_0 (exported_dalvik_prop)) +(typeattributeset exported_default_prop_28_0 (exported_default_prop)) +(typeattributeset exported_dumpstate_prop_28_0 (exported_dumpstate_prop)) +(typeattributeset exported_ffs_prop_28_0 (exported_ffs_prop)) +(typeattributeset exported_fingerprint_prop_28_0 (exported_fingerprint_prop)) +(typeattributeset exported_overlay_prop_28_0 (exported_overlay_prop)) +(typeattributeset exported_pm_prop_28_0 (exported_pm_prop)) +(typeattributeset exported_radio_prop_28_0 (exported_radio_prop)) +(typeattributeset exported_secure_prop_28_0 (exported_secure_prop)) +(typeattributeset exported_system_prop_28_0 (exported_system_prop)) +(typeattributeset exported_system_radio_prop_28_0 (exported_system_radio_prop)) +(typeattributeset exported_vold_prop_28_0 (exported_vold_prop)) +(typeattributeset exported_wifi_prop_28_0 (exported_wifi_prop)) +(typeattributeset ffs_prop_28_0 (ffs_prop)) +(typeattributeset file_contexts_file_28_0 (file_contexts_file)) +(typeattributeset fingerprintd_28_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_28_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_28_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_28_0 (fingerprintd_service)) +(typeattributeset fingerprint_prop_28_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_28_0 (fingerprint_service)) +(typeattributeset fingerprint_vendor_data_file_28_0 (fingerprint_vendor_data_file)) +(typeattributeset firstboot_prop_28_0 (firstboot_prop)) +(typeattributeset font_service_28_0 (font_service)) +(typeattributeset frp_block_device_28_0 (frp_block_device)) +(typeattributeset fs_bpf_28_0 (fs_bpf)) +(typeattributeset fsck_28_0 (fsck)) +(typeattributeset fsck_exec_28_0 (fsck_exec)) +(typeattributeset fscklogs_28_0 (fscklogs)) +(typeattributeset fsck_untrusted_28_0 
(fsck_untrusted)) +(typeattributeset full_device_28_0 (full_device)) +(typeattributeset functionfs_28_0 (functionfs)) +(typeattributeset fuse_28_0 (fuse)) +(typeattributeset fuse_device_28_0 (fuse_device)) +(typeattributeset fwk_display_hwservice_28_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_28_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_28_0 (fwk_sensor_hwservice)) +(typeattributeset fwmarkd_socket_28_0 (fwmarkd_socket)) +(typeattributeset gatekeeperd_28_0 (gatekeeperd)) +(typeattributeset gatekeeper_data_file_28_0 (gatekeeper_data_file)) +(typeattributeset gatekeeperd_exec_28_0 (gatekeeperd_exec)) +(typeattributeset gatekeeper_service_28_0 (gatekeeper_service)) +(typeattributeset gfxinfo_service_28_0 (gfxinfo_service)) +(typeattributeset gps_control_28_0 (gps_control)) +(typeattributeset gpu_device_28_0 (gpu_device)) +(typeattributeset gpu_service_28_0 (gpu_service)) +(typeattributeset graphics_device_28_0 (graphics_device)) +(typeattributeset graphicsstats_service_28_0 (graphicsstats_service)) +(typeattributeset hal_audiocontrol_hwservice_28_0 (hal_audiocontrol_hwservice)) +(typeattributeset hal_audio_hwservice_28_0 (hal_audio_hwservice)) +(typeattributeset hal_authsecret_hwservice_28_0 (hal_authsecret_hwservice)) +(typeattributeset hal_bluetooth_hwservice_28_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_28_0 (hal_bootctl_hwservice)) +(typeattributeset hal_broadcastradio_hwservice_28_0 (hal_broadcastradio_hwservice)) +(typeattributeset hal_camera_hwservice_28_0 (hal_camera_hwservice)) +(typeattributeset hal_cas_hwservice_28_0 (hal_cas_hwservice)) +(typeattributeset hal_codec2_hwservice_28_0 (hal_codec2_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_28_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_confirmationui_hwservice_28_0 (hal_confirmationui_hwservice)) +(typeattributeset hal_contexthub_hwservice_28_0 (hal_contexthub_hwservice)) 
+(typeattributeset hal_drm_hwservice_28_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_hwservice_28_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_evs_hwservice_28_0 (hal_evs_hwservice)) +(typeattributeset hal_fingerprint_hwservice_28_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_28_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_28_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_28_0 (hal_gnss_hwservice)) +(typeattributeset hal_graphics_allocator_hwservice_28_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_28_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_mapper_hwservice_28_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_28_0 (hal_health_hwservice)) +(typeattributeset hal_ir_hwservice_28_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_28_0 (hal_keymaster_hwservice)) +(typeattributeset hal_light_hwservice_28_0 (hal_light_hwservice)) +(typeattributeset hal_lowpan_hwservice_28_0 (hal_lowpan_hwservice)) +(typeattributeset hal_memtrack_hwservice_28_0 (hal_memtrack_hwservice)) +(typeattributeset hal_neuralnetworks_hwservice_28_0 (hal_neuralnetworks_hwservice)) +(typeattributeset hal_nfc_hwservice_28_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_28_0 (hal_oemlock_hwservice)) +(typeattributeset hal_omx_hwservice_28_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_28_0 (hal_power_hwservice)) +(typeattributeset hal_renderscript_hwservice_28_0 (hal_renderscript_hwservice)) +(typeattributeset hal_secure_element_hwservice_28_0 (hal_secure_element_hwservice)) +(typeattributeset hal_sensors_hwservice_28_0 (hal_sensors_hwservice)) +(typeattributeset hal_telephony_hwservice_28_0 (hal_telephony_hwservice)) +(typeattributeset hal_tetheroffload_hwservice_28_0 (hal_tetheroffload_hwservice)) +(typeattributeset hal_thermal_hwservice_28_0 (hal_thermal_hwservice)) 
+(typeattributeset hal_tv_cec_hwservice_28_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_28_0 (hal_tv_input_hwservice)) +(typeattributeset hal_usb_gadget_hwservice_28_0 (hal_usb_gadget_hwservice)) +(typeattributeset hal_usb_hwservice_28_0 (hal_usb_hwservice)) +(typeattributeset hal_vehicle_hwservice_28_0 (hal_vehicle_hwservice)) +(typeattributeset hal_vibrator_hwservice_28_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vr_hwservice_28_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_28_0 (hal_weaver_hwservice)) +(typeattributeset hal_wifi_hostapd_hwservice_28_0 (hal_wifi_hostapd_hwservice)) +(typeattributeset hal_wifi_hwservice_28_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_offload_hwservice_28_0 (hal_wifi_offload_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_28_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_28_0 (hardware_properties_service)) +(typeattributeset hardware_service_28_0 (hardware_service)) +(typeattributeset hci_attach_dev_28_0 (hci_attach_dev)) +(typeattributeset hdmi_control_service_28_0 (hdmi_control_service)) +(typeattributeset healthd_28_0 (healthd)) +(typeattributeset healthd_exec_28_0 (healthd_exec)) +(typeattributeset heapdump_data_file_28_0 (heapdump_data_file)) +(typeattributeset hidl_allocator_hwservice_28_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_28_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_28_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_28_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_28_0 (hidl_token_hwservice)) +(typeattributeset hwbinder_device_28_0 (hwbinder_device)) +(typeattributeset hw_random_device_28_0 (hw_random_device)) +(typeattributeset hwservice_contexts_file_28_0 (hwservice_contexts_file)) +(typeattributeset hwservicemanager_28_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_28_0 (hwservicemanager_exec)) 
+(typeattributeset hwservicemanager_prop_28_0 (hwservicemanager_prop)) +(typeattributeset i2c_device_28_0 (i2c_device)) +(typeattributeset icon_file_28_0 (icon_file)) +(typeattributeset idmap_28_0 (idmap)) +(typeattributeset idmap_exec_28_0 (idmap_exec)) +(typeattributeset iio_device_28_0 (iio_device)) +(typeattributeset imms_service_28_0 (imms_service)) +(typeattributeset incident_28_0 (incident)) +(typeattributeset incidentd_28_0 (incidentd)) +(typeattributeset incident_data_file_28_0 (incident_data_file)) +(typeattributeset incident_helper_28_0 (incident_helper)) +(typeattributeset incident_service_28_0 (incident_service)) +(typeattributeset init_28_0 (init)) +(typeattributeset init_exec_28_0 (init_exec watchdogd_exec)) +(typeattributeset inotify_28_0 (inotify)) +(typeattributeset input_device_28_0 (input_device)) +(typeattributeset inputflinger_28_0 (inputflinger)) +(typeattributeset inputflinger_exec_28_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_28_0 (inputflinger_service)) +(typeattributeset input_method_service_28_0 (input_method_service)) +(typeattributeset input_service_28_0 (input_service)) +(typeattributeset installd_28_0 (installd)) +(typeattributeset install_data_file_28_0 (install_data_file)) +(typeattributeset installd_exec_28_0 (installd_exec)) +(typeattributeset installd_service_28_0 (installd_service)) +(typeattributeset install_recovery_28_0 (install_recovery)) +(typeattributeset install_recovery_exec_28_0 (install_recovery_exec)) +(typeattributeset ion_device_28_0 (ion_device)) +(typeattributeset IProxyService_service_28_0 (IProxyService_service)) +(typeattributeset ipsec_service_28_0 (ipsec_service)) +(typeattributeset isolated_app_28_0 (isolated_app)) +(typeattributeset jobscheduler_service_28_0 (jobscheduler_service)) +(typeattributeset kernel_28_0 (kernel)) +(typeattributeset keychain_data_file_28_0 (keychain_data_file)) +(typeattributeset keychord_device_28_0 (keychord_device)) +(typeattributeset keystore_28_0 
(keystore)) +(typeattributeset keystore_data_file_28_0 (keystore_data_file)) +(typeattributeset keystore_exec_28_0 (keystore_exec)) +(typeattributeset keystore_service_28_0 (keystore_service)) +(typeattributeset kmem_device_28_0 (kmem_device)) +(typeattributeset kmsg_debug_device_28_0 (kmsg_debug_device)) +(typeattributeset kmsg_device_28_0 (kmsg_device)) +(typeattributeset labeledfs_28_0 (labeledfs)) +(typeattributeset last_boot_reason_prop_28_0 (last_boot_reason_prop)) +(typeattributeset launcherapps_service_28_0 (launcherapps_service)) +(typeattributeset lmkd_28_0 (lmkd)) +(typeattributeset lmkd_exec_28_0 (lmkd_exec)) +(typeattributeset lmkd_socket_28_0 (lmkd_socket)) +(typeattributeset location_service_28_0 (location_service)) +(typeattributeset lock_settings_service_28_0 (lock_settings_service)) +(typeattributeset logcat_exec_28_0 (logcat_exec)) +(typeattributeset logd_28_0 (logd)) +(typeattributeset logd_exec_28_0 (logd_exec)) +(typeattributeset logd_prop_28_0 (logd_prop)) +(typeattributeset logdr_socket_28_0 (logdr_socket)) +(typeattributeset logd_socket_28_0 (logd_socket)) +(typeattributeset logdw_socket_28_0 (logdw_socket)) +(typeattributeset logpersist_28_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_28_0 (logpersistd_logging_prop)) +(typeattributeset log_prop_28_0 (log_prop)) +(typeattributeset log_tag_prop_28_0 (log_tag_prop)) +(typeattributeset loop_control_device_28_0 (loop_control_device)) +(typeattributeset loop_device_28_0 (loop_device)) +(typeattributeset lowpan_device_28_0 (lowpan_device)) +(typeattributeset lowpan_prop_28_0 (lowpan_prop)) +(typeattributeset lowpan_service_28_0 (lowpan_service)) +(typeattributeset mac_perms_file_28_0 (mac_perms_file)) +(typeattributeset mdnsd_28_0 (mdnsd)) +(typeattributeset mdnsd_socket_28_0 (mdnsd_socket)) +(typeattributeset mdns_socket_28_0 (mdns_socket)) +(typeattributeset hal_omx_server (mediacodec_28_0)) +(typeattributeset mediacodec_28_0 (mediacodec)) +(typeattributeset mediacodec_exec_28_0 
(mediacodec_exec)) +(typeattributeset mediacodec_service_28_0 (mediacodec_service)) +(typeattributeset media_data_file_28_0 (media_data_file)) +(typeattributeset mediadrmserver_28_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_28_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_28_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_28_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_28_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_28_0 (mediaextractor_service)) +(typeattributeset mediaextractor_update_service_28_0 (mediaextractor_update_service)) +(typeattributeset mediametrics_28_0 (mediametrics)) +(typeattributeset mediametrics_exec_28_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_28_0 (mediametrics_service)) +(typeattributeset media_projection_service_28_0 (media_projection_service)) +(typeattributeset mediaprovider_28_0 (mediaprovider)) +(typeattributeset media_router_service_28_0 (media_router_service)) +(typeattributeset media_rw_data_file_28_0 (media_rw_data_file)) +(typeattributeset mediaserver_28_0 (mediaserver)) +(typeattributeset mediaserver_exec_28_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_28_0 (mediaserver_service)) +(typeattributeset media_session_service_28_0 (media_session_service)) +(typeattributeset meminfo_service_28_0 (meminfo_service)) +(typeattributeset metadata_block_device_28_0 (metadata_block_device)) +(typeattributeset metadata_file_28_0 (metadata_file)) +(typeattributeset method_trace_data_file_28_0 (method_trace_data_file)) +(typeattributeset midi_service_28_0 (midi_service)) +(typeattributeset misc_block_device_28_0 (misc_block_device)) +(typeattributeset misc_logd_file_28_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_28_0 (misc_user_data_file)) +(typeattributeset mmc_prop_28_0 (mmc_prop)) +(typeattributeset mnt_expand_file_28_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_28_0 (mnt_media_rw_file)) 
+(typeattributeset mnt_media_rw_stub_file_28_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_user_file_28_0 (mnt_user_file)) +(typeattributeset mnt_vendor_file_28_0 (mnt_vendor_file)) +(typeattributeset modprobe_28_0 (modprobe)) +(typeattributeset mount_service_28_0 (mount_service)) +(typeattributeset mqueue_28_0 (mqueue)) +(typeattributeset mtd_device_28_0 (mtd_device)) +(typeattributeset mtp_28_0 (mtp)) +(typeattributeset mtp_device_28_0 (mtp_device)) +(typeattributeset mtpd_socket_28_0 (mtpd_socket)) +(typeattributeset mtp_exec_28_0 (mtp_exec)) +(typeattributeset nativetest_data_file_28_0 (nativetest_data_file)) +(typeattributeset netd_28_0 (netd)) +(typeattributeset net_data_file_28_0 (net_data_file)) +(typeattributeset netd_exec_28_0 (netd_exec)) +(typeattributeset netd_listener_service_28_0 (netd_listener_service)) +(typeattributeset net_dns_prop_28_0 (net_dns_prop)) +(typeattributeset netd_service_28_0 (netd_service)) +(typeattributeset netd_socket_28_0 (netd_socket)) +(typeattributeset netd_stable_secret_prop_28_0 (netd_stable_secret_prop)) +(typeattributeset netif_28_0 (netif)) +(typeattributeset netpolicy_service_28_0 (netpolicy_service)) +(typeattributeset net_radio_prop_28_0 (net_radio_prop)) +(typeattributeset netstats_service_28_0 (netstats_service)) +(typeattributeset netutils_wrapper_28_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_28_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_28_0 (network_management_service)) +(typeattributeset network_score_service_28_0 (network_score_service)) +(typeattributeset network_time_update_service_28_0 (network_time_update_service)) +(typeattributeset network_watchlist_data_file_28_0 (network_watchlist_data_file)) +(typeattributeset network_watchlist_service_28_0 (network_watchlist_service)) +(typeattributeset nfc_28_0 (nfc)) +(typeattributeset nfc_data_file_28_0 (nfc_data_file)) +(typeattributeset nfc_device_28_0 (nfc_device)) +(typeattributeset nfc_prop_28_0 
(nfc_prop)) +(typeattributeset nfc_service_28_0 (nfc_service)) +(typeattributeset node_28_0 (node)) +(typeattributeset nonplat_service_contexts_file_28_0 (nonplat_service_contexts_file)) +(typeattributeset notification_service_28_0 (notification_service)) +(typeattributeset null_device_28_0 (null_device)) +(typeattributeset oemfs_28_0 (oemfs)) +(typeattributeset oem_lock_service_28_0 (oem_lock_service)) +(typeattributeset ota_data_file_28_0 (ota_data_file)) +(typeattributeset otadexopt_service_28_0 (otadexopt_service)) +(typeattributeset ota_package_file_28_0 (ota_package_file)) +(typeattributeset otapreopt_chroot_28_0 (otapreopt_chroot)) +(typeattributeset otapreopt_chroot_exec_28_0 (otapreopt_chroot_exec)) +(typeattributeset otapreopt_slot_28_0 (otapreopt_slot)) +(typeattributeset otapreopt_slot_exec_28_0 (otapreopt_slot_exec)) +(typeattributeset overlay_prop_28_0 (overlay_prop)) +(typeattributeset overlay_service_28_0 (overlay_service)) +(typeattributeset owntty_device_28_0 (owntty_device)) +(typeattributeset package_native_service_28_0 (package_native_service)) +(typeattributeset package_service_28_0 (package_service)) +(typeattributeset pan_result_prop_28_0 (pan_result_prop)) +(typeattributeset pdx_bufferhub_client_channel_socket_28_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_28_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_28_0 (pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_28_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_28_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_28_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_28_0 (pdx_display_manager_channel_socket)) +(typeattributeset pdx_display_manager_endpoint_socket_28_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_28_0 
(pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_28_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset pdx_display_vsync_channel_socket_28_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_28_0 (pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_28_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_28_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_28_0 (pdx_performance_dir)) +(typeattributeset performanced_28_0 (performanced)) +(typeattributeset performanced_exec_28_0 (performanced_exec)) +(typeattributeset permission_service_28_0 (permission_service)) +(typeattributeset persist_debug_prop_28_0 (persist_debug_prop)) +(typeattributeset persistent_data_block_service_28_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_28_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_28_0 (pinner_service)) +(typeattributeset pipefs_28_0 (pipefs)) +(typeattributeset platform_app_28_0 (platform_app)) +(typeattributeset pm_prop_28_0 (pm_prop)) +(typeattributeset pmsg_device_28_0 (pmsg_device)) +(typeattributeset port_28_0 (port)) +(typeattributeset port_device_28_0 (port_device)) +(typeattributeset postinstall_28_0 (postinstall)) +(typeattributeset postinstall_dexopt_28_0 (postinstall_dexopt)) +(typeattributeset postinstall_file_28_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_28_0 (postinstall_mnt_dir)) +(typeattributeset powerctl_prop_28_0 (powerctl_prop)) +(typeattributeset power_service_28_0 (power_service)) +(typeattributeset ppp_28_0 (ppp)) +(typeattributeset ppp_device_28_0 (ppp_device)) +(typeattributeset ppp_exec_28_0 (ppp_exec)) +(typeattributeset preloads_data_file_28_0 (preloads_data_file)) +(typeattributeset preloads_media_file_28_0 (preloads_media_file)) 
+(typeattributeset preopt2cachename_28_0 (preopt2cachename)) +(typeattributeset preopt2cachename_exec_28_0 (preopt2cachename_exec)) +(typeattributeset print_service_28_0 (print_service)) +(typeattributeset priv_app_28_0 (priv_app)) +(typeattributeset proc_28_0 + ( proc + proc_fs_verity + proc_keys + proc_kpageflags + proc_lowmemorykiller + proc_pressure_cpu + proc_pressure_io + proc_pressure_mem + proc_slabinfo)) +(typeattributeset proc_abi_28_0 (proc_abi)) +(typeattributeset proc_asound_28_0 (proc_asound)) +(typeattributeset proc_bluetooth_writable_28_0 (proc_bluetooth_writable)) +(typeattributeset proc_buddyinfo_28_0 (proc_buddyinfo)) +(typeattributeset proc_cmdline_28_0 (proc_cmdline)) +(typeattributeset proc_cpuinfo_28_0 (proc_cpuinfo)) +(typeattributeset proc_dirty_28_0 (proc_dirty)) +(typeattributeset proc_diskstats_28_0 (proc_diskstats)) +(typeattributeset proc_drop_caches_28_0 (proc_drop_caches)) +(typeattributeset processinfo_service_28_0 (processinfo_service)) +(typeattributeset proc_extra_free_kbytes_28_0 (proc_extra_free_kbytes)) +(typeattributeset proc_filesystems_28_0 (proc_filesystems)) +(typeattributeset proc_hostname_28_0 (proc_hostname)) +(typeattributeset proc_hung_task_28_0 (proc_hung_task)) +(typeattributeset proc_interrupts_28_0 (proc_interrupts)) +(typeattributeset proc_iomem_28_0 (proc_iomem)) +(typeattributeset proc_kmsg_28_0 (proc_kmsg)) +(typeattributeset proc_loadavg_28_0 (proc_loadavg)) +(typeattributeset proc_max_map_count_28_0 (proc_max_map_count)) +(typeattributeset proc_meminfo_28_0 (proc_meminfo)) +(typeattributeset proc_min_free_order_shift_28_0 (proc_min_free_order_shift)) +(typeattributeset proc_misc_28_0 (proc_misc)) +(typeattributeset proc_modules_28_0 (proc_modules)) +(typeattributeset proc_mounts_28_0 (proc_mounts)) +(typeattributeset proc_net_28_0 + ( proc_net + proc_net_tcp_udp)) +(typeattributeset proc_overcommit_memory_28_0 (proc_overcommit_memory)) +(typeattributeset proc_page_cluster_28_0 (proc_page_cluster)) 
+(typeattributeset proc_pagetypeinfo_28_0 (proc_pagetypeinfo)) +(typeattributeset proc_panic_28_0 (proc_panic)) +(typeattributeset proc_perf_28_0 (proc_perf)) +(typeattributeset proc_pid_max_28_0 (proc_pid_max)) +(typeattributeset proc_pipe_conf_28_0 (proc_pipe_conf)) +(typeattributeset proc_qtaguid_stat_28_0 (proc_qtaguid_stat)) +(typeattributeset proc_random_28_0 (proc_random)) +(typeattributeset proc_sched_28_0 (proc_sched)) +(typeattributeset proc_security_28_0 (proc_security)) +(typeattributeset proc_stat_28_0 (proc_stat)) +(typeattributeset procstats_service_28_0 (procstats_service)) +(typeattributeset proc_swaps_28_0 (proc_swaps)) +(typeattributeset proc_sysrq_28_0 (proc_sysrq)) +(typeattributeset proc_timer_28_0 (proc_timer)) +(typeattributeset proc_tty_drivers_28_0 (proc_tty_drivers)) +(typeattributeset proc_uid_concurrent_active_time_28_0 (proc_uid_concurrent_active_time)) +(typeattributeset proc_uid_concurrent_policy_time_28_0 (proc_uid_concurrent_policy_time)) +(typeattributeset proc_uid_cpupower_28_0 (proc_uid_cpupower)) +(typeattributeset proc_uid_cputime_removeuid_28_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_28_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_28_0 (proc_uid_io_stats)) +(typeattributeset proc_uid_procstat_set_28_0 (proc_uid_procstat_set)) +(typeattributeset proc_uid_time_in_state_28_0 (proc_uid_time_in_state)) +(typeattributeset proc_uptime_28_0 (proc_uptime)) +(typeattributeset proc_version_28_0 (proc_version)) +(typeattributeset proc_vmallocinfo_28_0 (proc_vmallocinfo)) +(typeattributeset proc_vmstat_28_0 (proc_vmstat)) +(typeattributeset proc_zoneinfo_28_0 (proc_zoneinfo)) +(typeattributeset profman_28_0 (profman)) +(typeattributeset profman_dump_data_file_28_0 (profman_dump_data_file)) +(typeattributeset profman_exec_28_0 (profman_exec)) +(typeattributeset properties_device_28_0 (properties_device)) +(typeattributeset properties_serial_28_0 (properties_serial)) 
+(typeattributeset property_contexts_file_28_0 (property_contexts_file)) +(typeattributeset property_data_file_28_0 (property_data_file)) +(typeattributeset property_info_28_0 (property_info)) +(typeattributeset property_socket_28_0 (property_socket)) +(typeattributeset pstorefs_28_0 (pstorefs)) +(typeattributeset ptmx_device_28_0 (ptmx_device)) +(typeattributeset qtaguid_device_28_0 (qtaguid_device)) +(typeattributeset qtaguid_proc_28_0 + ( proc_qtaguid_ctrl + qtaguid_proc)) +(typeattributeset racoon_28_0 (racoon)) +(typeattributeset racoon_exec_28_0 (racoon_exec)) +(typeattributeset racoon_socket_28_0 (racoon_socket)) +(typeattributeset radio_28_0 (radio)) +(typeattributeset radio_data_file_28_0 (radio_data_file)) +(typeattributeset radio_device_28_0 (radio_device)) +(typeattributeset radio_prop_28_0 (radio_prop)) +(typeattributeset radio_service_28_0 (radio_service)) +(typeattributeset ram_device_28_0 (ram_device)) +(typeattributeset random_device_28_0 (random_device)) +(typeattributeset recovery_28_0 (recovery)) +(typeattributeset recovery_block_device_28_0 (recovery_block_device)) +(typeattributeset recovery_data_file_28_0 (recovery_data_file)) +(typeattributeset recovery_persist_28_0 (recovery_persist)) +(typeattributeset recovery_persist_exec_28_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_28_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_28_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_28_0 (recovery_service)) +(typeattributeset registry_service_28_0 (registry_service)) +(typeattributeset resourcecache_data_file_28_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_28_0 (restorecon_prop)) +(typeattributeset restrictions_service_28_0 (restrictions_service)) +(typeattributeset rild_debug_socket_28_0 (rild_debug_socket)) +(typeattributeset rild_socket_28_0 (rild_socket)) +(typeattributeset ringtone_file_28_0 (ringtone_file)) +(typeattributeset root_block_device_28_0 (root_block_device)) 
+(typeattributeset rootfs_28_0 (rootfs)) +(typeattributeset rpmsg_device_28_0 (rpmsg_device)) +(typeattributeset rtc_device_28_0 (rtc_device)) +(typeattributeset rttmanager_service_28_0 (rttmanager_service)) +(typeattributeset runas_28_0 (runas)) +(typeattributeset runas_exec_28_0 (runas_exec)) +(typeattributeset runtime_event_log_tags_file_28_0 (runtime_event_log_tags_file)) +(typeattributeset safemode_prop_28_0 (safemode_prop)) +(typeattributeset same_process_hal_file_28_0 + ( same_process_hal_file + vendor_public_lib_file)) +(typeattributeset samplingprofiler_service_28_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_28_0 (scheduling_policy_service)) +(typeattributeset sdcardd_28_0 (sdcardd)) +(typeattributeset sdcardd_exec_28_0 (sdcardd_exec)) +(typeattributeset sdcardfs_28_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_28_0 (seapp_contexts_file)) +(typeattributeset search_service_28_0 (search_service)) +(typeattributeset sec_key_att_app_id_provider_service_28_0 (sec_key_att_app_id_provider_service)) +(typeattributeset secure_element_28_0 (secure_element)) +(typeattributeset secure_element_device_28_0 (secure_element_device)) +(typeattributeset secure_element_service_28_0 (secure_element_service)) +(typeattributeset selinuxfs_28_0 (selinuxfs)) +(typeattributeset sensors_device_28_0 (sensors_device)) +(typeattributeset sensorservice_service_28_0 (sensorservice_service)) +(typeattributeset sepolicy_file_28_0 (sepolicy_file)) +(typeattributeset serial_device_28_0 (serial_device)) +(typeattributeset serialno_prop_28_0 (serialno_prop)) +(typeattributeset serial_service_28_0 (serial_service)) +(typeattributeset service_contexts_file_28_0 (service_contexts_file)) +(typeattributeset servicediscovery_service_28_0 (servicediscovery_service)) +(typeattributeset servicemanager_28_0 (servicemanager)) +(typeattributeset servicemanager_exec_28_0 (servicemanager_exec)) +(typeattributeset settings_service_28_0 (settings_service)) 
+(typeattributeset sgdisk_28_0 (sgdisk)) +(typeattributeset sgdisk_exec_28_0 (sgdisk_exec)) +(typeattributeset shared_relro_28_0 (shared_relro)) +(typeattributeset shared_relro_file_28_0 (shared_relro_file)) +(typeattributeset shell_28_0 (shell)) +(typeattributeset shell_data_file_28_0 (shell_data_file)) +(typeattributeset shell_exec_28_0 (shell_exec)) +(typeattributeset shell_prop_28_0 (shell_prop)) +(typeattributeset shm_28_0 (shm)) +(typeattributeset shortcut_manager_icons_28_0 (shortcut_manager_icons)) +(typeattributeset shortcut_service_28_0 (shortcut_service)) +(typeattributeset slice_service_28_0 (slice_service)) +(typeattributeset slideshow_28_0 (slideshow)) +(typeattributeset socket_device_28_0 (socket_device)) +(typeattributeset sockfs_28_0 (sockfs)) +(typeattributeset statusbar_service_28_0 (statusbar_service)) +(typeattributeset storaged_service_28_0 (storaged_service)) +(typeattributeset storage_file_28_0 (storage_file)) +(typeattributeset storagestats_service_28_0 (storagestats_service)) +(typeattributeset storage_stub_file_28_0 (storage_stub_file)) +(typeattributeset su_28_0 (su)) +(typeattributeset su_exec_28_0 (su_exec)) +(typeattributeset surfaceflinger_28_0 (surfaceflinger)) +(typeattributeset surfaceflinger_service_28_0 (surfaceflinger_service)) +(typeattributeset swap_block_device_28_0 (swap_block_device)) +(typeattributeset sysfs_28_0 + ( sysfs + sysfs_devices_block + sysfs_extcon + sysfs_loop + sysfs_transparent_hugepage)) +(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb)) +(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo)) +(typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable)) +(typeattributeset sysfs_devices_system_cpu_28_0 (sysfs_devices_system_cpu)) +(typeattributeset sysfs_dm_28_0 (sysfs_dm)) +(typeattributeset sysfs_dt_firmware_android_28_0 (sysfs_dt_firmware_android)) +(typeattributeset sysfs_fs_ext4_features_28_0 (sysfs_fs_ext4_features)) +(typeattributeset sysfs_hwrandom_28_0 
(sysfs_hwrandom)) +(typeattributeset sysfs_ipv4_28_0 (sysfs_ipv4)) +(typeattributeset sysfs_kernel_notes_28_0 (sysfs_kernel_notes)) +(typeattributeset sysfs_leds_28_0 (sysfs_leds)) +(typeattributeset sysfs_lowmemorykiller_28_0 (sysfs_lowmemorykiller)) +(typeattributeset sysfs_mac_address_28_0 (sysfs_mac_address)) +(typeattributeset sysfs_net_28_0 (sysfs_net)) +(typeattributeset sysfs_nfc_power_writable_28_0 (sysfs_nfc_power_writable)) +(typeattributeset sysfs_power_28_0 (sysfs_power)) +(typeattributeset sysfs_rtc_28_0 (sysfs_rtc)) +(typeattributeset sysfs_switch_28_0 (sysfs_switch)) +(typeattributeset sysfs_thermal_28_0 (sysfs_thermal)) +(typeattributeset sysfs_uio_28_0 (sysfs_uio)) +(typeattributeset sysfs_usb_28_0 (sysfs_usb)) +(typeattributeset sysfs_usermodehelper_28_0 (sysfs_usermodehelper)) +(typeattributeset sysfs_vibrator_28_0 (sysfs_vibrator)) +(typeattributeset sysfs_wake_lock_28_0 (sysfs_wake_lock)) +(typeattributeset sysfs_wakeup_reasons_28_0 (sysfs_wakeup_reasons)) +(typeattributeset sysfs_wlan_fwpath_28_0 (sysfs_wlan_fwpath)) +(typeattributeset sysfs_zram_28_0 (sysfs_zram)) +(typeattributeset sysfs_zram_uevent_28_0 (sysfs_zram_uevent)) +(typeattributeset system_app_28_0 (system_app)) +(typeattributeset system_app_data_file_28_0 (system_app_data_file)) +(typeattributeset system_app_service_28_0 (system_app_service)) +(typeattributeset system_block_device_28_0 (system_block_device)) +(typeattributeset system_boot_reason_prop_28_0 (system_boot_reason_prop)) +(typeattributeset system_data_file_28_0 + ( dropbox_data_file + system_data_file + packages_list_file)) +(typeattributeset system_file_28_0 + ( system_file + system_asan_options_file + system_lib_file + system_linker_config_file + system_linker_exec + system_seccomp_policy_file + system_security_cacerts_file + tcpdump_exec + system_zoneinfo_file +)) +(typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file)) +(typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket)) 
+(typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice)) +(typeattributeset system_prop_28_0 (system_prop)) +(typeattributeset system_radio_prop_28_0 (system_radio_prop)) +(typeattributeset system_server_28_0 (system_server)) +(typeattributeset system_update_service_28_0 (system_update_service)) +(typeattributeset system_wifi_keystore_hwservice_28_0 (system_wifi_keystore_hwservice)) +(typeattributeset system_wpa_socket_28_0 (system_wpa_socket)) +(typeattributeset task_service_28_0 (task_service)) +(typeattributeset tee_28_0 (tee)) +(typeattributeset tee_data_file_28_0 (tee_data_file)) +(typeattributeset tee_device_28_0 (tee_device)) +(typeattributeset telecom_service_28_0 (telecom_service)) +(typeattributeset test_boot_reason_prop_28_0 (test_boot_reason_prop)) +(typeattributeset textclassification_service_28_0 (textclassification_service)) +(typeattributeset textclassifier_data_file_28_0 (textclassifier_data_file)) +(typeattributeset textservices_service_28_0 (textservices_service)) +(typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice)) +(typeattributeset thermal_service_28_0 (thermal_service)) +(typeattributeset timezone_service_28_0 (timezone_service)) +(typeattributeset tmpfs_28_0 + ( mnt_sdcard_file + tmpfs)) +(typeattributeset tombstoned_28_0 (tombstoned)) +(typeattributeset tombstone_data_file_28_0 (tombstone_data_file)) +(typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket)) +(typeattributeset tombstoned_exec_28_0 (tombstoned_exec)) +(typeattributeset tombstoned_intercept_socket_28_0 (tombstoned_intercept_socket)) +(typeattributeset tombstoned_java_trace_socket_28_0 (tombstoned_java_trace_socket)) +(typeattributeset tombstone_wifi_data_file_28_0 (tombstone_wifi_data_file)) +(typeattributeset toolbox_28_0 (toolbox)) +(typeattributeset toolbox_exec_28_0 (toolbox_exec)) +(typeattributeset trace_data_file_28_0 (trace_data_file)) +(typeattributeset traced_consumer_socket_28_0 
(traced_consumer_socket)) +(typeattributeset traced_enabled_prop_28_0 (traced_enabled_prop)) +(typeattributeset traced_probes_28_0 (traced_probes)) +(typeattributeset traced_producer_socket_28_0 (traced_producer_socket)) +(typeattributeset traceur_app_28_0 (traceur_app)) +(typeattributeset trust_service_28_0 (trust_service)) +(typeattributeset tty_device_28_0 (tty_device)) +(typeattributeset tun_device_28_0 (tun_device)) +(typeattributeset tv_input_service_28_0 (tv_input_service)) +(typeattributeset tzdatacheck_28_0 (tzdatacheck)) +(typeattributeset tzdatacheck_exec_28_0 (tzdatacheck_exec)) +(typeattributeset ueventd_28_0 (ueventd)) +(typeattributeset uhid_device_28_0 (uhid_device)) +(typeattributeset uimode_service_28_0 (uimode_service)) +(typeattributeset uio_device_28_0 (uio_device)) +(typeattributeset uncrypt_28_0 (uncrypt)) +(typeattributeset uncrypt_exec_28_0 (uncrypt_exec)) +(typeattributeset uncrypt_socket_28_0 (uncrypt_socket)) +(typeattributeset unencrypted_data_file_28_0 (unencrypted_data_file)) +(typeattributeset unlabeled_28_0 (unlabeled)) +(typeattributeset untrusted_app_25_28_0 (untrusted_app_25)) +(typeattributeset untrusted_app_27_28_0 (untrusted_app_27)) +(typeattributeset untrusted_app_28_0 (untrusted_app)) +(typeattributeset untrusted_v2_app_28_0 (untrusted_v2_app)) +(typeattributeset update_engine_28_0 (update_engine)) +(typeattributeset update_engine_data_file_28_0 (update_engine_data_file)) +(typeattributeset update_engine_exec_28_0 (update_engine_exec)) +(typeattributeset update_engine_log_data_file_28_0 (update_engine_log_data_file)) +(typeattributeset update_engine_service_28_0 (update_engine_service)) +(typeattributeset updatelock_service_28_0 (updatelock_service)) +(typeattributeset update_verifier_28_0 (update_verifier)) +(typeattributeset update_verifier_exec_28_0 (update_verifier_exec)) +(typeattributeset usagestats_service_28_0 (usagestats_service)) +(typeattributeset usbaccessory_device_28_0 (usbaccessory_device)) +(typeattributeset 
usbd_28_0 (usbd)) +(typeattributeset usb_device_28_0 (usb_device)) +(typeattributeset usbd_exec_28_0 (usbd_exec)) +(typeattributeset usbfs_28_0 (usbfs)) +(typeattributeset usb_service_28_0 (usb_service)) +(typeattributeset userdata_block_device_28_0 (userdata_block_device)) +(typeattributeset usermodehelper_28_0 (usermodehelper)) +(typeattributeset user_profile_data_file_28_0 (user_profile_data_file)) +(typeattributeset user_service_28_0 (user_service)) +(typeattributeset vcs_device_28_0 (vcs_device)) +(typeattributeset vdc_28_0 (vdc)) +(typeattributeset vdc_exec_28_0 (vdc_exec)) +(typeattributeset vendor_app_file_28_0 (vendor_app_file)) +(typeattributeset vendor_configs_file_28_0 (vendor_configs_file)) +(typeattributeset vendor_data_file_28_0 (vendor_data_file)) +(typeattributeset vendor_default_prop_28_0 (vendor_default_prop)) +(typeattributeset vendor_file_28_0 (vendor_file)) +(typeattributeset vendor_framework_file_28_0 (vendor_framework_file)) +(typeattributeset vendor_hal_file_28_0 (vendor_hal_file)) +(typeattributeset vendor_init_28_0 (vendor_init)) +(typeattributeset vendor_overlay_file_28_0 (vendor_overlay_file)) +(typeattributeset vendor_security_patch_level_prop_28_0 (vendor_security_patch_level_prop)) +(typeattributeset vendor_shell_28_0 (vendor_shell)) +(typeattributeset vendor_shell_exec_28_0 (vendor_shell_exec)) +(typeattributeset vendor_toolbox_exec_28_0 (vendor_toolbox_exec)) +(typeattributeset vfat_28_0 (vfat)) +(typeattributeset vibrator_service_28_0 (vibrator_service)) +(typeattributeset video_device_28_0 (video_device)) +(typeattributeset virtual_touchpad_28_0 (virtual_touchpad)) +(typeattributeset virtual_touchpad_exec_28_0 (virtual_touchpad_exec)) +(typeattributeset virtual_touchpad_service_28_0 (virtual_touchpad_service)) +(typeattributeset vndbinder_device_28_0 (vndbinder_device)) +(typeattributeset vndk_sp_file_28_0 (vndk_sp_file)) +(typeattributeset vndservice_contexts_file_28_0 (vndservice_contexts_file)) +(typeattributeset 
vndservicemanager_28_0 (vndservicemanager)) +(typeattributeset voiceinteraction_service_28_0 (voiceinteraction_service)) +(typeattributeset vold_28_0 (vold)) +(typeattributeset vold_data_file_28_0 (vold_data_file)) +(typeattributeset vold_device_28_0 (vold_device)) +(typeattributeset vold_exec_28_0 (vold_exec)) +(typeattributeset vold_metadata_file_28_0 (vold_metadata_file)) +(typeattributeset vold_prepare_subdirs_28_0 (vold_prepare_subdirs)) +(typeattributeset vold_prepare_subdirs_exec_28_0 (vold_prepare_subdirs_exec)) +(typeattributeset vold_prop_28_0 (vold_prop)) +(typeattributeset vold_service_28_0 (vold_service)) +(typeattributeset vpn_data_file_28_0 (vpn_data_file)) +(typeattributeset vr_hwc_28_0 (vr_hwc)) +(typeattributeset vr_hwc_exec_28_0 (vr_hwc_exec)) +(typeattributeset vr_hwc_service_28_0 (vr_hwc_service)) +(typeattributeset vr_manager_service_28_0 (vr_manager_service)) +(typeattributeset wallpaper_file_28_0 (wallpaper_file)) +(typeattributeset wallpaper_service_28_0 (wallpaper_service)) +(typeattributeset watchdogd_28_0 (watchdogd)) +(typeattributeset watchdog_device_28_0 (watchdog_device)) +(typeattributeset webviewupdate_service_28_0 (webviewupdate_service)) +(typeattributeset webview_zygote_28_0 (webview_zygote)) +(typeattributeset webview_zygote_exec_28_0 (webview_zygote_exec)) +(typeattributeset wifiaware_service_28_0 (wifiaware_service)) +(typeattributeset wificond_28_0 (wificond)) +(typeattributeset wificond_exec_28_0 (wificond_exec)) +(typeattributeset wificond_service_28_0 (wificond_service)) +(typeattributeset wifi_data_file_28_0 (wifi_data_file)) +(typeattributeset wifi_log_prop_28_0 (wifi_log_prop)) +(typeattributeset wifip2p_service_28_0 (wifip2p_service)) +(typeattributeset wifi_prop_28_0 (wifi_prop)) +(typeattributeset wifiscanner_service_28_0 (wifiscanner_service)) +(typeattributeset wifi_service_28_0 (wifi_service)) +(typeattributeset window_service_28_0 (window_service)) +(typeattributeset wpantund_28_0 (wpantund)) +(typeattributeset 
wpantund_exec_28_0 (wpantund_exec))
+(typeattributeset wpantund_service_28_0 (wpantund_service))
+(typeattributeset wpa_socket_28_0 (wpa_socket))
+(typeattributeset zero_device_28_0 (zero_device))
+(typeattributeset zoneinfo_data_file_28_0 (zoneinfo_data_file))
+(typeattributeset zygote_28_0 (zygote))
+(typeattributeset zygote_exec_28_0 (zygote_exec))
+(typeattributeset zygote_socket_28_0 (zygote_socket))
diff --git a/prebuilts/api/32.0/private/compat/28.0/28.0.compat.cil b/prebuilts/api/32.0/private/compat/28.0/28.0.compat.cil
new file mode 100644
index 000000000..2e85b23fc
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/28.0/28.0.compat.cil
@@ -0,0 +1,11 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/32.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/32.0/private/compat/28.0/28.0.ignore.cil
new file mode 100644
index 000000000..e7ddf4805
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/28.0/28.0.ignore.cil
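Review bot: The two `allowx` rules in the 28.0.compat.cil hunk grant every domain in `vendordomain` the full ioctl command range (`(range 0x0000 0xffff)`) on all `dev_type` block files and all `file_type` files, which is far broader than the per-command ioctl allowlisting used elsewhere in the policy, and nothing in the file records why the compat map needs it. A short leading comment would help anyone auditing a device that still loads this map, for example `;; Compatibility shim for 28.0-era vendor domains: the full ioctl range on dev_type/file_type` followed by `;; and nlmsg_readpriv are granted here only, not in current policy.` (my reading that the map is applied only to devices with a 28.0 vendor image should be confirmed before stating it). The same documentation gap applies to the `mlsvendorcompat` grants on `app_data_file` and `privapp_data_file`. Since this path is a prebuilt snapshot, the comment presumably belongs in the source copy it mirrors so the prebuilt comparison keeps matching.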
@@ -0,0 +1,160 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ activity_task_service
+ adb_service
+ apex_data_file
+ apex_metadata_file
+ apex_mnt_dir
+ apex_service
+ apexd
+ apexd_exec
+ apexd_prop
+ apexd_tmpfs
+ appdomain_tmpfs
+ app_binding_service
+ app_prediction_service
+ app_zygote
+ app_zygote_tmpfs
+ ashmemd
+ ashmem_device_service
+ attention_service
+ biometric_service
+ bluetooth_audio_hal_prop
+ bpf_progs_loaded_prop
+ bugreport_service
+ cgroup_desc_file
+ cgroup_rc_file
+ charger_exec
+ content_capture_service
+ content_suggestions_service
+ cpu_variant_prop
+ ctl_apexd_prop
+ ctl_gsid_prop
+ dev_cpu_variant
+ device_config_activity_manager_native_boot_prop
+ device_config_boot_count_prop
+ device_config_input_native_boot_prop
+ device_config_netd_native_prop
+ device_config_reset_performed_prop
+ device_config_runtime_native_boot_prop
+ device_config_runtime_native_prop
+ device_config_media_native_prop
+ device_config_service
+ device_config_sys_traced_prop
+ dnsresolver_service
+ dynamic_system_service
+ dynamic_system_prop
+ face_service
+ face_vendor_data_file
+ sota_prop
+ fastbootd
+ flags_health_check
+ flags_health_check_exec
+ fwk_bufferhub_hwservice
+ fwk_camera_hwservice
+ fwk_stats_hwservice
+ gpuservice
+ gsi_data_file
+ gsi_metadata_file
+ gsi_public_metadata_file
+ gsi_service
+ gsid
+ gsid_exec
+ gsid_prop
+ color_display_service
+ external_vibrator_service
+ hal_atrace_hwservice
+ hal_face_hwservice
+ hal_graphics_composer_server_tmpfs
+ hal_health_storage_hwservice
+ hal_input_classifier_hwservice
+ hal_power_stats_hwservice
+ heapprofd
+ heapprofd_enabled_prop
+ heapprofd_exec
+ heapprofd_prop
+ heapprofd_socket
+ idmap_service
+ iris_service
+ iris_vendor_data_file
+ llkd
+ llkd_exec
+ llkd_prop
+ llkd_tmpfs
+ looper_stats_service
+ lpdumpd
+ lpdumpd_exec
+ lpdumpd_prop
+ lpdump_service
+ iorapd
+ iorapd_exec
+ iorapd_data_file
+ iorapd_service
+ iorapd_tmpfs
+ mediaswcodec
+ mediaswcodec_exec
+ mediaswcodec_tmpfs
+ metadata_bootstat_file
+ mnt_product_file
+ network_stack
+ network_stack_service
+ network_stack_tmpfs
+ nnapi_ext_deny_product_prop
+ overlayfs_file
+ password_slot_metadata_file
+ permissionmgr_service
+ postinstall_apex_mnt_dir
+ recovery_socket
+ role_service
+ rollback_service
+ rs
+ rs_exec
+ rss_hwm_reset
+ rss_hwm_reset_exec
+ runas_app
+ runas_app_tmpfs
+ art_apex_dir
+ runtime_service
+ sdcard_block_device
+ sensor_privacy_service
+ server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
+ socket_hook_prop
+ su_tmpfs
+ super_block_device
+ sysfs_fs_f2fs
+ system_bootstrap_lib_file
+ system_event_log_tags_file
+ system_lmk_prop
+ system_suspend_hwservice
+ system_suspend_control_service
+ system_trace_prop
+ staging_data_file
+ task_profiles_file
+ testharness_service
+ test_harness_prop
+ theme_prop
+ time_prop
+ timedetector_service
+ timezonedetector_service
+ traced_lazy_prop
+ uri_grants_service
+ use_memfd_prop
+ vendor_apex_file
+ vendor_cgroup_desc_file
+ vendor_idc_file
+ vendor_keychars_file
+ vendor_keylayout_file
+ vendor_misc_writer
+ vendor_misc_writer_exec
+ vendor_socket_hook_prop
+ vendor_task_profiles_file
+ vndk_prop
+ vrflinger_vsync_service
+ watchdogd_tmpfs))
diff --git a/prebuilts/api/32.0/private/compat/29.0/29.0.cil b/prebuilts/api/32.0/private/compat/29.0/29.0.cil
new file mode 100644
index 000000000..0fb0a1c5b
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/29.0/29.0.cil
@@ -0,0 +1,1983 @@ +;; types removed from current policy +(type ashmemd) +(type exported_audio_prop) +(type exported_dalvik_prop) +(type exported_vold_prop) +(type exported2_config_prop) +(type exported2_vold_prop) +(type hal_wifi_offload_hwservice) +(type install_recovery) +(type install_recovery_exec) +(type mediacodec_service) +(type perfprofd_data_file) +(type perfprofd_service) +(type sysfs_mac_address) +(type wificond_service) + +(expandtypeattribute (accessibility_service_29_0) true) +(expandtypeattribute (account_service_29_0) true) +(expandtypeattribute (activity_service_29_0) true) +(expandtypeattribute (activity_task_service_29_0) true) +(expandtypeattribute (adbd_29_0) true) +(expandtypeattribute (adb_data_file_29_0) true) +(expandtypeattribute (adbd_exec_29_0) true) +(expandtypeattribute (adbd_socket_29_0) true) +(expandtypeattribute (adb_keys_file_29_0) true) +(expandtypeattribute (adb_service_29_0) true) +(expandtypeattribute (alarm_service_29_0) true) +(expandtypeattribute (anr_data_file_29_0) true) +(expandtypeattribute (apexd_29_0) true) +(expandtypeattribute (apex_data_file_29_0) true) +(expandtypeattribute (apexd_exec_29_0) true) +(expandtypeattribute (apexd_prop_29_0) true) +(expandtypeattribute (apex_metadata_file_29_0) true) +(expandtypeattribute (apex_mnt_dir_29_0) true) +(expandtypeattribute (apex_service_29_0) true) +(expandtypeattribute (apk_data_file_29_0) true) +(expandtypeattribute (apk_private_data_file_29_0) true) +(expandtypeattribute (apk_private_tmp_file_29_0) true) +(expandtypeattribute (apk_tmp_file_29_0) true) +(expandtypeattribute (app_binding_service_29_0) true) +(expandtypeattribute (app_data_file_29_0) true) +(expandtypeattribute (appdomain_tmpfs_29_0) true) +(expandtypeattribute (app_fuse_file_29_0) true) +(expandtypeattribute (app_fusefs_29_0) true) +(expandtypeattribute (appops_service_29_0) true) +(expandtypeattribute (app_prediction_service_29_0) true) +(expandtypeattribute (appwidget_service_29_0) true) 
+(expandtypeattribute (app_zygote_29_0) true) +(expandtypeattribute (app_zygote_tmpfs_29_0) true) +(expandtypeattribute (asec_apk_file_29_0) true) +(expandtypeattribute (asec_image_file_29_0) true) +(expandtypeattribute (asec_public_file_29_0) true) +(expandtypeattribute (ashmemd_29_0) true) +(expandtypeattribute (ashmem_device_29_0) true) +(expandtypeattribute (assetatlas_service_29_0) true) +(expandtypeattribute (audio_data_file_29_0) true) +(expandtypeattribute (audio_device_29_0) true) +(expandtypeattribute (audiohal_data_file_29_0) true) +(expandtypeattribute (audio_prop_29_0) true) +(expandtypeattribute (audioserver_29_0) true) +(expandtypeattribute (audioserver_data_file_29_0) true) +(expandtypeattribute (audioserver_service_29_0) true) +(expandtypeattribute (audioserver_tmpfs_29_0) true) +(expandtypeattribute (audio_service_29_0) true) +(expandtypeattribute (autofill_service_29_0) true) +(expandtypeattribute (backup_data_file_29_0) true) +(expandtypeattribute (backup_service_29_0) true) +(expandtypeattribute (batteryproperties_service_29_0) true) +(expandtypeattribute (battery_service_29_0) true) +(expandtypeattribute (batterystats_service_29_0) true) +(expandtypeattribute (binder_calls_stats_service_29_0) true) +(expandtypeattribute (binder_device_29_0) true) +(expandtypeattribute (binfmt_miscfs_29_0) true) +(expandtypeattribute (biometric_service_29_0) true) +(expandtypeattribute (blkid_29_0) true) +(expandtypeattribute (blkid_untrusted_29_0) true) +(expandtypeattribute (block_device_29_0) true) +(expandtypeattribute (bluetooth_29_0) true) +(expandtypeattribute (bluetooth_a2dp_offload_prop_29_0) true) +(expandtypeattribute (bluetooth_audio_hal_prop_29_0) true) +(expandtypeattribute (bluetooth_data_file_29_0) true) +(expandtypeattribute (bluetooth_efs_file_29_0) true) +(expandtypeattribute (bluetooth_logs_data_file_29_0) true) +(expandtypeattribute (bluetooth_manager_service_29_0) true) +(expandtypeattribute (bluetooth_prop_29_0) true) 
+(expandtypeattribute (bluetooth_service_29_0) true) +(expandtypeattribute (bluetooth_socket_29_0) true) +(expandtypeattribute (bootanim_29_0) true) +(expandtypeattribute (bootanim_exec_29_0) true) +(expandtypeattribute (boot_block_device_29_0) true) +(expandtypeattribute (bootchart_data_file_29_0) true) +(expandtypeattribute (bootloader_boot_reason_prop_29_0) true) +(expandtypeattribute (bootstat_29_0) true) +(expandtypeattribute (bootstat_data_file_29_0) true) +(expandtypeattribute (bootstat_exec_29_0) true) +(expandtypeattribute (boottime_prop_29_0) true) +(expandtypeattribute (boottrace_data_file_29_0) true) +(expandtypeattribute (bpf_progs_loaded_prop_29_0) true) +(expandtypeattribute (broadcastradio_service_29_0) true) +(expandtypeattribute (bufferhubd_29_0) true) +(expandtypeattribute (bufferhubd_exec_29_0) true) +(expandtypeattribute (bugreport_service_29_0) true) +(expandtypeattribute (cache_backup_file_29_0) true) +(expandtypeattribute (cache_block_device_29_0) true) +(expandtypeattribute (cache_file_29_0) true) +(expandtypeattribute (cache_private_backup_file_29_0) true) +(expandtypeattribute (cache_recovery_file_29_0) true) +(expandtypeattribute (camera_data_file_29_0) true) +(expandtypeattribute (camera_device_29_0) true) +(expandtypeattribute (cameraproxy_service_29_0) true) +(expandtypeattribute (cameraserver_29_0) true) +(expandtypeattribute (cameraserver_exec_29_0) true) +(expandtypeattribute (cameraserver_service_29_0) true) +(expandtypeattribute (cameraserver_tmpfs_29_0) true) +(expandtypeattribute (cgroup_29_0) true) +(expandtypeattribute (cgroup_bpf_29_0) true) +(expandtypeattribute (cgroup_desc_file_29_0) true) +(expandtypeattribute (cgroup_rc_file_29_0) true) +(expandtypeattribute (charger_29_0) true) +(expandtypeattribute (charger_exec_29_0) true) +(expandtypeattribute (clatd_29_0) true) +(expandtypeattribute (clatd_exec_29_0) true) +(expandtypeattribute (clipboard_service_29_0) true) +(expandtypeattribute (color_display_service_29_0) true) 
+(expandtypeattribute (companion_device_service_29_0) true) +(expandtypeattribute (configfs_29_0) true) +(expandtypeattribute (config_prop_29_0) true) +(expandtypeattribute (connectivity_service_29_0) true) +(expandtypeattribute (connmetrics_service_29_0) true) +(expandtypeattribute (console_device_29_0) true) +(expandtypeattribute (consumer_ir_service_29_0) true) +(expandtypeattribute (content_capture_service_29_0) true) +(expandtypeattribute (content_service_29_0) true) +(expandtypeattribute (content_suggestions_service_29_0) true) +(expandtypeattribute (contexthub_service_29_0) true) +(expandtypeattribute (coredump_file_29_0) true) +(expandtypeattribute (country_detector_service_29_0) true) +(expandtypeattribute (coverage_service_29_0) true) +(expandtypeattribute (cppreopt_prop_29_0) true) +(expandtypeattribute (cpuinfo_service_29_0) true) +(expandtypeattribute (cpu_variant_prop_29_0) true) +(expandtypeattribute (crash_dump_29_0) true) +(expandtypeattribute (crash_dump_exec_29_0) true) +(expandtypeattribute (crossprofileapps_service_29_0) true) +(expandtypeattribute (ctl_adbd_prop_29_0) true) +(expandtypeattribute (ctl_bootanim_prop_29_0) true) +(expandtypeattribute (ctl_bugreport_prop_29_0) true) +(expandtypeattribute (ctl_console_prop_29_0) true) +(expandtypeattribute (ctl_default_prop_29_0) true) +(expandtypeattribute (ctl_dumpstate_prop_29_0) true) +(expandtypeattribute (ctl_fuse_prop_29_0) true) +(expandtypeattribute (ctl_gsid_prop_29_0) true) +(expandtypeattribute (ctl_interface_restart_prop_29_0) true) +(expandtypeattribute (ctl_interface_start_prop_29_0) true) +(expandtypeattribute (ctl_interface_stop_prop_29_0) true) +(expandtypeattribute (ctl_mdnsd_prop_29_0) true) +(expandtypeattribute (ctl_restart_prop_29_0) true) +(expandtypeattribute (ctl_rildaemon_prop_29_0) true) +(expandtypeattribute (ctl_sigstop_prop_29_0) true) +(expandtypeattribute (ctl_start_prop_29_0) true) +(expandtypeattribute (ctl_stop_prop_29_0) true) +(expandtypeattribute 
(dalvikcache_data_file_29_0) true) +(expandtypeattribute (dalvik_prop_29_0) true) +(expandtypeattribute (dbinfo_service_29_0) true) +(expandtypeattribute (debugfs_29_0) true) +(expandtypeattribute (debugfs_mmc_29_0) true) +(expandtypeattribute (debugfs_trace_marker_29_0) true) +(expandtypeattribute (debugfs_tracing_29_0) true) +(expandtypeattribute (debugfs_tracing_debug_29_0) true) +(expandtypeattribute (debugfs_tracing_instances_29_0) true) +(expandtypeattribute (debugfs_wakeup_sources_29_0) true) +(expandtypeattribute (debugfs_wifi_tracing_29_0) true) +(expandtypeattribute (debuggerd_prop_29_0) true) +(expandtypeattribute (debug_prop_29_0) true) +(expandtypeattribute (default_android_hwservice_29_0) true) +(expandtypeattribute (default_android_service_29_0) true) +(expandtypeattribute (default_android_vndservice_29_0) true) +(expandtypeattribute (default_prop_29_0) true) +(expandtypeattribute (dev_cpu_variant_29_0) true) +(expandtypeattribute (device_29_0) true) +(expandtypeattribute (device_config_activity_manager_native_boot_prop_29_0) true) +(expandtypeattribute (device_config_boot_count_prop_29_0) true) +(expandtypeattribute (device_config_input_native_boot_prop_29_0) true) +(expandtypeattribute (device_config_media_native_prop_29_0) true) +(expandtypeattribute (device_config_netd_native_prop_29_0) true) +(expandtypeattribute (device_config_reset_performed_prop_29_0) true) +(expandtypeattribute (device_config_runtime_native_boot_prop_29_0) true) +(expandtypeattribute (device_config_runtime_native_prop_29_0) true) +(expandtypeattribute (device_config_service_29_0) true) +(expandtypeattribute (device_identifiers_service_29_0) true) +(expandtypeattribute (deviceidle_service_29_0) true) +(expandtypeattribute (device_logging_prop_29_0) true) +(expandtypeattribute (device_policy_service_29_0) true) +(expandtypeattribute (devicestoragemonitor_service_29_0) true) +(expandtypeattribute (devpts_29_0) true) +(expandtypeattribute (dhcp_29_0) true) +(expandtypeattribute 
(dhcp_data_file_29_0) true) +(expandtypeattribute (dhcp_exec_29_0) true) +(expandtypeattribute (dhcp_prop_29_0) true) +(expandtypeattribute (diskstats_service_29_0) true) +(expandtypeattribute (display_service_29_0) true) +(expandtypeattribute (dm_device_29_0) true) +(expandtypeattribute (dnsmasq_29_0) true) +(expandtypeattribute (dnsmasq_exec_29_0) true) +(expandtypeattribute (dnsproxyd_socket_29_0) true) +(expandtypeattribute (dnsresolver_service_29_0) true) +(expandtypeattribute (DockObserver_service_29_0) true) +(expandtypeattribute (dreams_service_29_0) true) +(expandtypeattribute (drm_data_file_29_0) true) +(expandtypeattribute (drmserver_29_0) true) +(expandtypeattribute (drmserver_exec_29_0) true) +(expandtypeattribute (drmserver_service_29_0) true) +(expandtypeattribute (drmserver_socket_29_0) true) +(expandtypeattribute (dropbox_data_file_29_0) true) +(expandtypeattribute (dropbox_service_29_0) true) +(expandtypeattribute (dumpstate_29_0) true) +(expandtypeattribute (dumpstate_exec_29_0) true) +(expandtypeattribute (dumpstate_options_prop_29_0) true) +(expandtypeattribute (dumpstate_prop_29_0) true) +(expandtypeattribute (dumpstate_service_29_0) true) +(expandtypeattribute (dumpstate_socket_29_0) true) +(expandtypeattribute (dynamic_system_prop_29_0) true) +(expandtypeattribute (e2fs_29_0) true) +(expandtypeattribute (e2fs_exec_29_0) true) +(expandtypeattribute (efs_file_29_0) true) +(expandtypeattribute (ephemeral_app_29_0) true) +(expandtypeattribute (ethernet_service_29_0) true) +(expandtypeattribute (exfat_29_0) true) +(expandtypeattribute (exported2_config_prop_29_0) true) +(expandtypeattribute (exported2_default_prop_29_0) true) +(expandtypeattribute (exported2_radio_prop_29_0) true) +(expandtypeattribute (exported2_system_prop_29_0) true) +(expandtypeattribute (exported2_vold_prop_29_0) true) +(expandtypeattribute (exported3_default_prop_29_0) true) +(expandtypeattribute (exported3_radio_prop_29_0) true) +(expandtypeattribute 
(exported3_system_prop_29_0) true) +(expandtypeattribute (exported_audio_prop_29_0) true) +(expandtypeattribute (exported_bluetooth_prop_29_0) true) +(expandtypeattribute (exported_config_prop_29_0) true) +(expandtypeattribute (exported_dalvik_prop_29_0) true) +(expandtypeattribute (exported_default_prop_29_0) true) +(expandtypeattribute (exported_dumpstate_prop_29_0) true) +(expandtypeattribute (exported_ffs_prop_29_0) true) +(expandtypeattribute (exported_fingerprint_prop_29_0) true) +(expandtypeattribute (exported_overlay_prop_29_0) true) +(expandtypeattribute (exported_pm_prop_29_0) true) +(expandtypeattribute (exported_radio_prop_29_0) true) +(expandtypeattribute (exported_secure_prop_29_0) true) +(expandtypeattribute (exported_system_prop_29_0) true) +(expandtypeattribute (exported_system_radio_prop_29_0) true) +(expandtypeattribute (exported_vold_prop_29_0) true) +(expandtypeattribute (exported_wifi_prop_29_0) true) +(expandtypeattribute (external_vibrator_service_29_0) true) +(expandtypeattribute (face_service_29_0) true) +(expandtypeattribute (face_vendor_data_file_29_0) true) +(expandtypeattribute (fastbootd_29_0) true) +(expandtypeattribute (ffs_prop_29_0) true) +(expandtypeattribute (file_contexts_file_29_0) true) +(expandtypeattribute (fingerprintd_29_0) true) +(expandtypeattribute (fingerprintd_data_file_29_0) true) +(expandtypeattribute (fingerprintd_exec_29_0) true) +(expandtypeattribute (fingerprintd_service_29_0) true) +(expandtypeattribute (fingerprint_prop_29_0) true) +(expandtypeattribute (fingerprint_service_29_0) true) +(expandtypeattribute (fingerprint_vendor_data_file_29_0) true) +(expandtypeattribute (firstboot_prop_29_0) true) +(expandtypeattribute (flags_health_check_29_0) true) +(expandtypeattribute (flags_health_check_exec_29_0) true) +(expandtypeattribute (font_service_29_0) true) +(expandtypeattribute (frp_block_device_29_0) true) +(expandtypeattribute (fs_bpf_29_0) true) +(expandtypeattribute (fsck_29_0) true) +(expandtypeattribute 
(fsck_exec_29_0) true) +(expandtypeattribute (fscklogs_29_0) true) +(expandtypeattribute (fsck_untrusted_29_0) true) +(expandtypeattribute (functionfs_29_0) true) +(expandtypeattribute (fuse_29_0) true) +(expandtypeattribute (fuse_device_29_0) true) +(expandtypeattribute (fwk_bufferhub_hwservice_29_0) true) +(expandtypeattribute (fwk_camera_hwservice_29_0) true) +(expandtypeattribute (fwk_display_hwservice_29_0) true) +(expandtypeattribute (fwk_scheduler_hwservice_29_0) true) +(expandtypeattribute (fwk_sensor_hwservice_29_0) true) +(expandtypeattribute (fwk_stats_hwservice_29_0) true) +(expandtypeattribute (fwmarkd_socket_29_0) true) +(expandtypeattribute (gatekeeperd_29_0) true) +(expandtypeattribute (gatekeeper_data_file_29_0) true) +(expandtypeattribute (gatekeeperd_exec_29_0) true) +(expandtypeattribute (gatekeeper_service_29_0) true) +(expandtypeattribute (gfxinfo_service_29_0) true) +(expandtypeattribute (gps_control_29_0) true) +(expandtypeattribute (gpu_device_29_0) true) +(expandtypeattribute (gpu_service_29_0) true) +(expandtypeattribute (gpuservice_29_0) true) +(expandtypeattribute (graphics_device_29_0) true) +(expandtypeattribute (graphicsstats_service_29_0) true) +(expandtypeattribute (gsi_data_file_29_0) true) +(expandtypeattribute (gsid_prop_29_0) true) +(expandtypeattribute (gsi_metadata_file_29_0) true) +(expandtypeattribute (hal_atrace_hwservice_29_0) true) +(expandtypeattribute (hal_audiocontrol_hwservice_29_0) true) +(expandtypeattribute (hal_audio_hwservice_29_0) true) +(expandtypeattribute (hal_authsecret_hwservice_29_0) true) +(expandtypeattribute (hal_bluetooth_hwservice_29_0) true) +(expandtypeattribute (hal_bootctl_hwservice_29_0) true) +(expandtypeattribute (hal_broadcastradio_hwservice_29_0) true) +(expandtypeattribute (hal_camera_hwservice_29_0) true) +(expandtypeattribute (hal_cas_hwservice_29_0) true) +(expandtypeattribute (hal_codec2_hwservice_29_0) true) +(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_29_0) true) 
+(expandtypeattribute (hal_confirmationui_hwservice_29_0) true) +(expandtypeattribute (hal_contexthub_hwservice_29_0) true) +(expandtypeattribute (hal_drm_hwservice_29_0) true) +(expandtypeattribute (hal_dumpstate_hwservice_29_0) true) +(expandtypeattribute (hal_evs_hwservice_29_0) true) +(expandtypeattribute (hal_face_hwservice_29_0) true) +(expandtypeattribute (hal_fingerprint_hwservice_29_0) true) +(expandtypeattribute (hal_fingerprint_service_29_0) true) +(expandtypeattribute (hal_gatekeeper_hwservice_29_0) true) +(expandtypeattribute (hal_gnss_hwservice_29_0) true) +(expandtypeattribute (hal_graphics_allocator_hwservice_29_0) true) +(expandtypeattribute (hal_graphics_composer_hwservice_29_0) true) +(expandtypeattribute (hal_graphics_composer_server_tmpfs_29_0) true) +(expandtypeattribute (hal_graphics_mapper_hwservice_29_0) true) +(expandtypeattribute (hal_health_hwservice_29_0) true) +(expandtypeattribute (hal_health_storage_hwservice_29_0) true) +(expandtypeattribute (hal_input_classifier_hwservice_29_0) true) +(expandtypeattribute (hal_ir_hwservice_29_0) true) +(expandtypeattribute (hal_keymaster_hwservice_29_0) true) +(expandtypeattribute (hal_light_hwservice_29_0) true) +(expandtypeattribute (hal_lowpan_hwservice_29_0) true) +(expandtypeattribute (hal_memtrack_hwservice_29_0) true) +(expandtypeattribute (hal_neuralnetworks_hwservice_29_0) true) +(expandtypeattribute (hal_nfc_hwservice_29_0) true) +(expandtypeattribute (hal_oemlock_hwservice_29_0) true) +(expandtypeattribute (hal_omx_hwservice_29_0) true) +(expandtypeattribute (hal_power_hwservice_29_0) true) +(expandtypeattribute (hal_power_stats_hwservice_29_0) true) +(expandtypeattribute (hal_renderscript_hwservice_29_0) true) +(expandtypeattribute (hal_secure_element_hwservice_29_0) true) +(expandtypeattribute (hal_sensors_hwservice_29_0) true) +(expandtypeattribute (hal_telephony_hwservice_29_0) true) +(expandtypeattribute (hal_tetheroffload_hwservice_29_0) true) +(expandtypeattribute 
(hal_thermal_hwservice_29_0) true) +(expandtypeattribute (hal_tv_cec_hwservice_29_0) true) +(expandtypeattribute (hal_tv_input_hwservice_29_0) true) +(expandtypeattribute (hal_usb_gadget_hwservice_29_0) true) +(expandtypeattribute (hal_usb_hwservice_29_0) true) +(expandtypeattribute (hal_vehicle_hwservice_29_0) true) +(expandtypeattribute (hal_vibrator_hwservice_29_0) true) +(expandtypeattribute (hal_vr_hwservice_29_0) true) +(expandtypeattribute (hal_weaver_hwservice_29_0) true) +(expandtypeattribute (hal_wifi_hostapd_hwservice_29_0) true) +(expandtypeattribute (hal_wifi_hwservice_29_0) true) +(expandtypeattribute (hal_wifi_offload_hwservice_29_0) true) +(expandtypeattribute (hal_wifi_supplicant_hwservice_29_0) true) +(expandtypeattribute (hardware_properties_service_29_0) true) +(expandtypeattribute (hardware_service_29_0) true) +(expandtypeattribute (hci_attach_dev_29_0) true) +(expandtypeattribute (hdmi_control_service_29_0) true) +(expandtypeattribute (healthd_29_0) true) +(expandtypeattribute (healthd_exec_29_0) true) +(expandtypeattribute (heapdump_data_file_29_0) true) +(expandtypeattribute (heapprofd_29_0) true) +(expandtypeattribute (heapprofd_enabled_prop_29_0) true) +(expandtypeattribute (heapprofd_prop_29_0) true) +(expandtypeattribute (heapprofd_socket_29_0) true) +(expandtypeattribute (hidl_allocator_hwservice_29_0) true) +(expandtypeattribute (hidl_base_hwservice_29_0) true) +(expandtypeattribute (hidl_manager_hwservice_29_0) true) +(expandtypeattribute (hidl_memory_hwservice_29_0) true) +(expandtypeattribute (hidl_token_hwservice_29_0) true) +(expandtypeattribute (hwbinder_device_29_0) true) +(expandtypeattribute (hw_random_device_29_0) true) +(expandtypeattribute (hwservice_contexts_file_29_0) true) +(expandtypeattribute (hwservicemanager_29_0) true) +(expandtypeattribute (hwservicemanager_exec_29_0) true) +(expandtypeattribute (hwservicemanager_prop_29_0) true) +(expandtypeattribute (icon_file_29_0) true) +(expandtypeattribute (idmap_29_0) true) 
+(expandtypeattribute (idmap_exec_29_0) true) +(expandtypeattribute (idmap_service_29_0) true) +(expandtypeattribute (iio_device_29_0) true) +(expandtypeattribute (imms_service_29_0) true) +(expandtypeattribute (incident_29_0) true) +(expandtypeattribute (incidentd_29_0) true) +(expandtypeattribute (incident_data_file_29_0) true) +(expandtypeattribute (incident_helper_29_0) true) +(expandtypeattribute (incident_service_29_0) true) +(expandtypeattribute (init_29_0) true) +(expandtypeattribute (init_exec_29_0) true) +(expandtypeattribute (init_tmpfs_29_0) true) +(expandtypeattribute (inotify_29_0) true) +(expandtypeattribute (input_device_29_0) true) +(expandtypeattribute (inputflinger_29_0) true) +(expandtypeattribute (inputflinger_exec_29_0) true) +(expandtypeattribute (inputflinger_service_29_0) true) +(expandtypeattribute (input_method_service_29_0) true) +(expandtypeattribute (input_service_29_0) true) +(expandtypeattribute (installd_29_0) true) +(expandtypeattribute (install_data_file_29_0) true) +(expandtypeattribute (installd_exec_29_0) true) +(expandtypeattribute (installd_service_29_0) true) +(expandtypeattribute (install_recovery_29_0) true) +(expandtypeattribute (install_recovery_exec_29_0) true) +(expandtypeattribute (ion_device_29_0) true) +(expandtypeattribute (iorapd_29_0) true) +(expandtypeattribute (iorapd_data_file_29_0) true) +(expandtypeattribute (iorapd_exec_29_0) true) +(expandtypeattribute (iorapd_service_29_0) true) +(expandtypeattribute (iorapd_tmpfs_29_0) true) +(expandtypeattribute (IProxyService_service_29_0) true) +(expandtypeattribute (ipsec_service_29_0) true) +(expandtypeattribute (iris_service_29_0) true) +(expandtypeattribute (iris_vendor_data_file_29_0) true) +(expandtypeattribute (isolated_app_29_0) true) +(expandtypeattribute (jobscheduler_service_29_0) true) +(expandtypeattribute (kernel_29_0) true) +(expandtypeattribute (keychain_data_file_29_0) true) +(expandtypeattribute (keychord_device_29_0) true) +(expandtypeattribute 
(keystore_29_0) true) +(expandtypeattribute (keystore_data_file_29_0) true) +(expandtypeattribute (keystore_exec_29_0) true) +(expandtypeattribute (keystore_service_29_0) true) +(expandtypeattribute (kmsg_debug_device_29_0) true) +(expandtypeattribute (kmsg_device_29_0) true) +(expandtypeattribute (labeledfs_29_0) true) +(expandtypeattribute (last_boot_reason_prop_29_0) true) +(expandtypeattribute (launcherapps_service_29_0) true) +(expandtypeattribute (llkd_29_0) true) +(expandtypeattribute (llkd_exec_29_0) true) +(expandtypeattribute (llkd_prop_29_0) true) +(expandtypeattribute (lmkd_29_0) true) +(expandtypeattribute (lmkd_exec_29_0) true) +(expandtypeattribute (lmkd_socket_29_0) true) +(expandtypeattribute (location_service_29_0) true) +(expandtypeattribute (lock_settings_service_29_0) true) +(expandtypeattribute (logcat_exec_29_0) true) +(expandtypeattribute (logd_29_0) true) +(expandtypeattribute (logd_exec_29_0) true) +(expandtypeattribute (logd_prop_29_0) true) +(expandtypeattribute (logdr_socket_29_0) true) +(expandtypeattribute (logd_socket_29_0) true) +(expandtypeattribute (logdw_socket_29_0) true) +(expandtypeattribute (logpersist_29_0) true) +(expandtypeattribute (logpersistd_logging_prop_29_0) true) +(expandtypeattribute (log_prop_29_0) true) +(expandtypeattribute (log_tag_prop_29_0) true) +(expandtypeattribute (loop_control_device_29_0) true) +(expandtypeattribute (loop_device_29_0) true) +(expandtypeattribute (looper_stats_service_29_0) true) +(expandtypeattribute (lowpan_device_29_0) true) +(expandtypeattribute (lowpan_prop_29_0) true) +(expandtypeattribute (lowpan_service_29_0) true) +(expandtypeattribute (lpdumpd_prop_29_0) true) +(expandtypeattribute (lpdump_service_29_0) true) +(expandtypeattribute (mac_perms_file_29_0) true) +(expandtypeattribute (mdnsd_29_0) true) +(expandtypeattribute (mdnsd_socket_29_0) true) +(expandtypeattribute (mdns_socket_29_0) true) +(expandtypeattribute (mediacodec_service_29_0) true) +(expandtypeattribute 
(media_data_file_29_0) true) +(expandtypeattribute (mediadrmserver_29_0) true) +(expandtypeattribute (mediadrmserver_exec_29_0) true) +(expandtypeattribute (mediadrmserver_service_29_0) true) +(expandtypeattribute (mediaextractor_29_0) true) +(expandtypeattribute (mediaextractor_exec_29_0) true) +(expandtypeattribute (mediaextractor_service_29_0) true) +(expandtypeattribute (mediaextractor_tmpfs_29_0) true) +(expandtypeattribute (mediametrics_29_0) true) +(expandtypeattribute (mediametrics_exec_29_0) true) +(expandtypeattribute (mediametrics_service_29_0) true) +(expandtypeattribute (media_projection_service_29_0) true) +(expandtypeattribute (mediaprovider_29_0) true) +(expandtypeattribute (media_router_service_29_0) true) +(expandtypeattribute (media_rw_data_file_29_0) true) +(expandtypeattribute (mediaserver_29_0) true) +(expandtypeattribute (mediaserver_exec_29_0) true) +(expandtypeattribute (mediaserver_service_29_0) true) +(expandtypeattribute (mediaserver_tmpfs_29_0) true) +(expandtypeattribute (media_session_service_29_0) true) +(expandtypeattribute (mediaswcodec_29_0) true) +(expandtypeattribute (mediaswcodec_exec_29_0) true) +(expandtypeattribute (meminfo_service_29_0) true) +(expandtypeattribute (metadata_block_device_29_0) true) +(expandtypeattribute (metadata_file_29_0) true) +(expandtypeattribute (method_trace_data_file_29_0) true) +(expandtypeattribute (midi_service_29_0) true) +(expandtypeattribute (misc_block_device_29_0) true) +(expandtypeattribute (misc_logd_file_29_0) true) +(expandtypeattribute (misc_user_data_file_29_0) true) +(expandtypeattribute (mmc_prop_29_0) true) +(expandtypeattribute (mnt_expand_file_29_0) true) +(expandtypeattribute (mnt_media_rw_file_29_0) true) +(expandtypeattribute (mnt_media_rw_stub_file_29_0) true) +(expandtypeattribute (mnt_product_file_29_0) true) +(expandtypeattribute (mnt_user_file_29_0) true) +(expandtypeattribute (mnt_vendor_file_29_0) true) +(expandtypeattribute (modprobe_29_0) true) +(expandtypeattribute 
(mount_service_29_0) true) +(expandtypeattribute (mqueue_29_0) true) +(expandtypeattribute (mtp_29_0) true) +(expandtypeattribute (mtp_device_29_0) true) +(expandtypeattribute (mtpd_socket_29_0) true) +(expandtypeattribute (mtp_exec_29_0) true) +(expandtypeattribute (nativetest_data_file_29_0) true) +(expandtypeattribute (netd_29_0) true) +(expandtypeattribute (net_data_file_29_0) true) +(expandtypeattribute (netd_exec_29_0) true) +(expandtypeattribute (netd_listener_service_29_0) true) +(expandtypeattribute (net_dns_prop_29_0) true) +(expandtypeattribute (netd_service_29_0) true) +(expandtypeattribute (netd_stable_secret_prop_29_0) true) +(expandtypeattribute (netif_29_0) true) +(expandtypeattribute (netpolicy_service_29_0) true) +(expandtypeattribute (net_radio_prop_29_0) true) +(expandtypeattribute (netstats_service_29_0) true) +(expandtypeattribute (netutils_wrapper_29_0) true) +(expandtypeattribute (netutils_wrapper_exec_29_0) true) +(expandtypeattribute (network_management_service_29_0) true) +(expandtypeattribute (network_score_service_29_0) true) +(expandtypeattribute (network_stack_29_0) true) +(expandtypeattribute (network_stack_service_29_0) true) +(expandtypeattribute (network_time_update_service_29_0) true) +(expandtypeattribute (network_watchlist_data_file_29_0) true) +(expandtypeattribute (network_watchlist_service_29_0) true) +(expandtypeattribute (nfc_29_0) true) +(expandtypeattribute (nfc_data_file_29_0) true) +(expandtypeattribute (nfc_device_29_0) true) +(expandtypeattribute (nfc_prop_29_0) true) +(expandtypeattribute (nfc_service_29_0) true) +(expandtypeattribute (nnapi_ext_deny_product_prop_29_0) true) +(expandtypeattribute (node_29_0) true) +(expandtypeattribute (nonplat_service_contexts_file_29_0) true) +(expandtypeattribute (notification_service_29_0) true) +(expandtypeattribute (null_device_29_0) true) +(expandtypeattribute (oemfs_29_0) true) +(expandtypeattribute (oem_lock_service_29_0) true) +(expandtypeattribute (ota_data_file_29_0) 
true) +(expandtypeattribute (otadexopt_service_29_0) true) +(expandtypeattribute (ota_package_file_29_0) true) +(expandtypeattribute (overlayfs_file_29_0) true) +(expandtypeattribute (overlay_prop_29_0) true) +(expandtypeattribute (overlay_service_29_0) true) +(expandtypeattribute (owntty_device_29_0) true) +(expandtypeattribute (package_native_service_29_0) true) +(expandtypeattribute (package_service_29_0) true) +(expandtypeattribute (packages_list_file_29_0) true) +(expandtypeattribute (pan_result_prop_29_0) true) +(expandtypeattribute (password_slot_metadata_file_29_0) true) +(expandtypeattribute (pdx_bufferhub_client_channel_socket_29_0) true) +(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_29_0) true) +(expandtypeattribute (pdx_bufferhub_dir_29_0) true) +(expandtypeattribute (pdx_display_client_channel_socket_29_0) true) +(expandtypeattribute (pdx_display_client_endpoint_socket_29_0) true) +(expandtypeattribute (pdx_display_dir_29_0) true) +(expandtypeattribute (pdx_display_manager_channel_socket_29_0) true) +(expandtypeattribute (pdx_display_manager_endpoint_socket_29_0) true) +(expandtypeattribute (pdx_display_screenshot_channel_socket_29_0) true) +(expandtypeattribute (pdx_display_screenshot_endpoint_socket_29_0) true) +(expandtypeattribute (pdx_display_vsync_channel_socket_29_0) true) +(expandtypeattribute (pdx_display_vsync_endpoint_socket_29_0) true) +(expandtypeattribute (pdx_performance_client_channel_socket_29_0) true) +(expandtypeattribute (pdx_performance_client_endpoint_socket_29_0) true) +(expandtypeattribute (pdx_performance_dir_29_0) true) +(expandtypeattribute (perfetto_29_0) true) +(expandtypeattribute (performanced_29_0) true) +(expandtypeattribute (performanced_exec_29_0) true) +(expandtypeattribute (permissionmgr_service_29_0) true) +(expandtypeattribute (permission_service_29_0) true) +(expandtypeattribute (persist_debug_prop_29_0) true) +(expandtypeattribute (persistent_data_block_service_29_0) true) +(expandtypeattribute 
(persistent_properties_ready_prop_29_0) true) +(expandtypeattribute (pinner_service_29_0) true) +(expandtypeattribute (pipefs_29_0) true) +(expandtypeattribute (platform_app_29_0) true) +(expandtypeattribute (pm_prop_29_0) true) +(expandtypeattribute (pmsg_device_29_0) true) +(expandtypeattribute (port_29_0) true) +(expandtypeattribute (port_device_29_0) true) +(expandtypeattribute (postinstall_29_0) true) +(expandtypeattribute (postinstall_apex_mnt_dir_29_0) true) +(expandtypeattribute (postinstall_file_29_0) true) +(expandtypeattribute (postinstall_mnt_dir_29_0) true) +(expandtypeattribute (powerctl_prop_29_0) true) +(expandtypeattribute (power_service_29_0) true) +(expandtypeattribute (ppp_29_0) true) +(expandtypeattribute (ppp_device_29_0) true) +(expandtypeattribute (ppp_exec_29_0) true) +(expandtypeattribute (preloads_data_file_29_0) true) +(expandtypeattribute (preloads_media_file_29_0) true) +(expandtypeattribute (print_service_29_0) true) +(expandtypeattribute (priv_app_29_0) true) +(expandtypeattribute (privapp_data_file_29_0) true) +(expandtypeattribute (proc_29_0) true) +(expandtypeattribute (proc_abi_29_0) true) +(expandtypeattribute (proc_asound_29_0) true) +(expandtypeattribute (proc_bluetooth_writable_29_0) true) +(expandtypeattribute (proc_buddyinfo_29_0) true) +(expandtypeattribute (proc_cmdline_29_0) true) +(expandtypeattribute (proc_cpuinfo_29_0) true) +(expandtypeattribute (proc_dirty_29_0) true) +(expandtypeattribute (proc_diskstats_29_0) true) +(expandtypeattribute (proc_drop_caches_29_0) true) +(expandtypeattribute (processinfo_service_29_0) true) +(expandtypeattribute (proc_extra_free_kbytes_29_0) true) +(expandtypeattribute (proc_filesystems_29_0) true) +(expandtypeattribute (proc_fs_verity_29_0) true) +(expandtypeattribute (proc_hostname_29_0) true) +(expandtypeattribute (proc_hung_task_29_0) true) +(expandtypeattribute (proc_interrupts_29_0) true) +(expandtypeattribute (proc_iomem_29_0) true) +(expandtypeattribute (proc_keys_29_0) true) 
+(expandtypeattribute (proc_kmsg_29_0) true) +(expandtypeattribute (proc_loadavg_29_0) true) +(expandtypeattribute (proc_max_map_count_29_0) true) +(expandtypeattribute (proc_meminfo_29_0) true) +(expandtypeattribute (proc_min_free_order_shift_29_0) true) +(expandtypeattribute (proc_misc_29_0) true) +(expandtypeattribute (proc_modules_29_0) true) +(expandtypeattribute (proc_mounts_29_0) true) +(expandtypeattribute (proc_net_29_0) true) +(expandtypeattribute (proc_net_tcp_udp_29_0) true) +(expandtypeattribute (proc_overcommit_memory_29_0) true) +(expandtypeattribute (proc_page_cluster_29_0) true) +(expandtypeattribute (proc_pagetypeinfo_29_0) true) +(expandtypeattribute (proc_panic_29_0) true) +(expandtypeattribute (proc_perf_29_0) true) +(expandtypeattribute (proc_pid_max_29_0) true) +(expandtypeattribute (proc_pipe_conf_29_0) true) +(expandtypeattribute (proc_pressure_cpu_29_0) true) +(expandtypeattribute (proc_pressure_io_29_0) true) +(expandtypeattribute (proc_pressure_mem_29_0) true) +(expandtypeattribute (proc_qtaguid_ctrl_29_0) true) +(expandtypeattribute (proc_qtaguid_stat_29_0) true) +(expandtypeattribute (proc_random_29_0) true) +(expandtypeattribute (proc_sched_29_0) true) +(expandtypeattribute (proc_security_29_0) true) +(expandtypeattribute (proc_slabinfo_29_0) true) +(expandtypeattribute (proc_stat_29_0) true) +(expandtypeattribute (procstats_service_29_0) true) +(expandtypeattribute (proc_swaps_29_0) true) +(expandtypeattribute (proc_sysrq_29_0) true) +(expandtypeattribute (proc_timer_29_0) true) +(expandtypeattribute (proc_tty_drivers_29_0) true) +(expandtypeattribute (proc_uid_concurrent_active_time_29_0) true) +(expandtypeattribute (proc_uid_concurrent_policy_time_29_0) true) +(expandtypeattribute (proc_uid_cpupower_29_0) true) +(expandtypeattribute (proc_uid_cputime_removeuid_29_0) true) +(expandtypeattribute (proc_uid_cputime_showstat_29_0) true) +(expandtypeattribute (proc_uid_io_stats_29_0) true) +(expandtypeattribute 
(proc_uid_procstat_set_29_0) true) +(expandtypeattribute (proc_uid_time_in_state_29_0) true) +(expandtypeattribute (proc_uptime_29_0) true) +(expandtypeattribute (proc_version_29_0) true) +(expandtypeattribute (proc_vmallocinfo_29_0) true) +(expandtypeattribute (proc_vmstat_29_0) true) +(expandtypeattribute (proc_zoneinfo_29_0) true) +(expandtypeattribute (profman_29_0) true) +(expandtypeattribute (profman_dump_data_file_29_0) true) +(expandtypeattribute (profman_exec_29_0) true) +(expandtypeattribute (properties_device_29_0) true) +(expandtypeattribute (properties_serial_29_0) true) +(expandtypeattribute (property_contexts_file_29_0) true) +(expandtypeattribute (property_data_file_29_0) true) +(expandtypeattribute (property_info_29_0) true) +(expandtypeattribute (property_socket_29_0) true) +(expandtypeattribute (pstorefs_29_0) true) +(expandtypeattribute (ptmx_device_29_0) true) +(expandtypeattribute (qtaguid_device_29_0) true) +(expandtypeattribute (racoon_29_0) true) +(expandtypeattribute (racoon_exec_29_0) true) +(expandtypeattribute (racoon_socket_29_0) true) +(expandtypeattribute (radio_29_0) true) +(expandtypeattribute (radio_data_file_29_0) true) +(expandtypeattribute (radio_device_29_0) true) +(expandtypeattribute (radio_prop_29_0) true) +(expandtypeattribute (radio_service_29_0) true) +(expandtypeattribute (ram_device_29_0) true) +(expandtypeattribute (random_device_29_0) true) +(expandtypeattribute (recovery_29_0) true) +(expandtypeattribute (recovery_block_device_29_0) true) +(expandtypeattribute (recovery_data_file_29_0) true) +(expandtypeattribute (recovery_persist_29_0) true) +(expandtypeattribute (recovery_persist_exec_29_0) true) +(expandtypeattribute (recovery_refresh_29_0) true) +(expandtypeattribute (recovery_refresh_exec_29_0) true) +(expandtypeattribute (recovery_service_29_0) true) +(expandtypeattribute (recovery_socket_29_0) true) +(expandtypeattribute (registry_service_29_0) true) +(expandtypeattribute (resourcecache_data_file_29_0) true) 
+(expandtypeattribute (restorecon_prop_29_0) true) +(expandtypeattribute (restrictions_service_29_0) true) +(expandtypeattribute (rild_debug_socket_29_0) true) +(expandtypeattribute (rild_socket_29_0) true) +(expandtypeattribute (ringtone_file_29_0) true) +(expandtypeattribute (role_service_29_0) true) +(expandtypeattribute (rollback_service_29_0) true) +(expandtypeattribute (root_block_device_29_0) true) +(expandtypeattribute (rootfs_29_0) true) +(expandtypeattribute (rpmsg_device_29_0) true) +(expandtypeattribute (rs_29_0) true) +(expandtypeattribute (rs_exec_29_0) true) +(expandtypeattribute (rss_hwm_reset_29_0) true) +(expandtypeattribute (rtc_device_29_0) true) +(expandtypeattribute (rttmanager_service_29_0) true) +(expandtypeattribute (runas_29_0) true) +(expandtypeattribute (runas_app_29_0) true) +(expandtypeattribute (runas_exec_29_0) true) +(expandtypeattribute (runtime_event_log_tags_file_29_0) true) +(expandtypeattribute (runtime_service_29_0) true) +(expandtypeattribute (safemode_prop_29_0) true) +(expandtypeattribute (same_process_hal_file_29_0) true) +(expandtypeattribute (samplingprofiler_service_29_0) true) +(expandtypeattribute (scheduling_policy_service_29_0) true) +(expandtypeattribute (sdcard_block_device_29_0) true) +(expandtypeattribute (sdcardd_29_0) true) +(expandtypeattribute (sdcardd_exec_29_0) true) +(expandtypeattribute (sdcardfs_29_0) true) +(expandtypeattribute (seapp_contexts_file_29_0) true) +(expandtypeattribute (search_service_29_0) true) +(expandtypeattribute (sec_key_att_app_id_provider_service_29_0) true) +(expandtypeattribute (secure_element_29_0) true) +(expandtypeattribute (secure_element_device_29_0) true) +(expandtypeattribute (secure_element_service_29_0) true) +(expandtypeattribute (selinuxfs_29_0) true) +(expandtypeattribute (sensor_privacy_service_29_0) true) +(expandtypeattribute (sensors_device_29_0) true) +(expandtypeattribute (sensorservice_service_29_0) true) +(expandtypeattribute (sepolicy_file_29_0) true) 
+(expandtypeattribute (serial_device_29_0) true) +(expandtypeattribute (serialno_prop_29_0) true) +(expandtypeattribute (serial_service_29_0) true) +(expandtypeattribute (server_configurable_flags_data_file_29_0) true) +(expandtypeattribute (service_contexts_file_29_0) true) +(expandtypeattribute (servicediscovery_service_29_0) true) +(expandtypeattribute (servicemanager_29_0) true) +(expandtypeattribute (servicemanager_exec_29_0) true) +(expandtypeattribute (settings_service_29_0) true) +(expandtypeattribute (sgdisk_29_0) true) +(expandtypeattribute (sgdisk_exec_29_0) true) +(expandtypeattribute (shared_relro_29_0) true) +(expandtypeattribute (shared_relro_file_29_0) true) +(expandtypeattribute (shell_29_0) true) +(expandtypeattribute (shell_data_file_29_0) true) +(expandtypeattribute (shell_exec_29_0) true) +(expandtypeattribute (shell_prop_29_0) true) +(expandtypeattribute (shm_29_0) true) +(expandtypeattribute (shortcut_manager_icons_29_0) true) +(expandtypeattribute (shortcut_service_29_0) true) +(expandtypeattribute (simpleperf_app_runner_29_0) true) +(expandtypeattribute (simpleperf_app_runner_exec_29_0) true) +(expandtypeattribute (slice_service_29_0) true) +(expandtypeattribute (slideshow_29_0) true) +(expandtypeattribute (socket_device_29_0) true) +(expandtypeattribute (sockfs_29_0) true) +(expandtypeattribute (staging_data_file_29_0) true) +(expandtypeattribute (statsd_29_0) true) +(expandtypeattribute (stats_data_file_29_0) true) +(expandtypeattribute (statsd_exec_29_0) true) +(expandtypeattribute (statsdw_socket_29_0) true) +(expandtypeattribute (statusbar_service_29_0) true) +(expandtypeattribute (storaged_service_29_0) true) +(expandtypeattribute (storage_file_29_0) true) +(expandtypeattribute (storagestats_service_29_0) true) +(expandtypeattribute (storage_stub_file_29_0) true) +(expandtypeattribute (su_29_0) true) +(expandtypeattribute (su_exec_29_0) true) +(expandtypeattribute (super_block_device_29_0) true) +(expandtypeattribute 
(surfaceflinger_29_0) true) +(expandtypeattribute (surfaceflinger_service_29_0) true) +(expandtypeattribute (surfaceflinger_tmpfs_29_0) true) +(expandtypeattribute (swap_block_device_29_0) true) +(expandtypeattribute (sysfs_29_0) true) +(expandtypeattribute (sysfs_android_usb_29_0) true) +(expandtypeattribute (sysfs_batteryinfo_29_0) true) +(expandtypeattribute (sysfs_bluetooth_writable_29_0) true) +(expandtypeattribute (sysfs_devices_block_29_0) true) +(expandtypeattribute (sysfs_devices_system_cpu_29_0) true) +(expandtypeattribute (sysfs_dm_29_0) true) +(expandtypeattribute (sysfs_dt_firmware_android_29_0) true) +(expandtypeattribute (sysfs_extcon_29_0) true) +(expandtypeattribute (sysfs_fs_ext4_features_29_0) true) +(expandtypeattribute (sysfs_fs_f2fs_29_0) true) +(expandtypeattribute (sysfs_hwrandom_29_0) true) +(expandtypeattribute (sysfs_ipv4_29_0) true) +(expandtypeattribute (sysfs_kernel_notes_29_0) true) +(expandtypeattribute (sysfs_leds_29_0) true) +(expandtypeattribute (sysfs_loop_29_0) true) +(expandtypeattribute (sysfs_lowmemorykiller_29_0) true) +(expandtypeattribute (sysfs_mac_address_29_0) true) +(expandtypeattribute (sysfs_net_29_0) true) +(expandtypeattribute (sysfs_nfc_power_writable_29_0) true) +(expandtypeattribute (sysfs_power_29_0) true) +(expandtypeattribute (sysfs_rtc_29_0) true) +(expandtypeattribute (sysfs_switch_29_0) true) +(expandtypeattribute (sysfs_thermal_29_0) true) +(expandtypeattribute (sysfs_transparent_hugepage_29_0) true) +(expandtypeattribute (sysfs_uio_29_0) true) +(expandtypeattribute (sysfs_usb_29_0) true) +(expandtypeattribute (sysfs_usermodehelper_29_0) true) +(expandtypeattribute (sysfs_vibrator_29_0) true) +(expandtypeattribute (sysfs_wake_lock_29_0) true) +(expandtypeattribute (sysfs_wakeup_reasons_29_0) true) +(expandtypeattribute (sysfs_wlan_fwpath_29_0) true) +(expandtypeattribute (sysfs_zram_29_0) true) +(expandtypeattribute (sysfs_zram_uevent_29_0) true) +(expandtypeattribute (system_app_29_0) true) 
+(expandtypeattribute (system_app_data_file_29_0) true) +(expandtypeattribute (system_app_service_29_0) true) +(expandtypeattribute (system_asan_options_file_29_0) true) +(expandtypeattribute (system_block_device_29_0) true) +(expandtypeattribute (system_boot_reason_prop_29_0) true) +(expandtypeattribute (system_bootstrap_lib_file_29_0) true) +(expandtypeattribute (system_data_file_29_0) true) +(expandtypeattribute (system_event_log_tags_file_29_0) true) +(expandtypeattribute (system_file_29_0) true) +(expandtypeattribute (systemkeys_data_file_29_0) true) +(expandtypeattribute (system_lib_file_29_0) true) +(expandtypeattribute (system_linker_config_file_29_0) true) +(expandtypeattribute (system_linker_exec_29_0) true) +(expandtypeattribute (system_lmk_prop_29_0) true) +(expandtypeattribute (system_ndebug_socket_29_0) true) +(expandtypeattribute (system_net_netd_hwservice_29_0) true) +(expandtypeattribute (system_prop_29_0) true) +(expandtypeattribute (system_radio_prop_29_0) true) +(expandtypeattribute (system_seccomp_policy_file_29_0) true) +(expandtypeattribute (system_security_cacerts_file_29_0) true) +(expandtypeattribute (system_server_29_0) true) +(expandtypeattribute (system_server_tmpfs_29_0) true) +(expandtypeattribute (system_suspend_control_service_29_0) true) +(expandtypeattribute (system_suspend_hwservice_29_0) true) +(expandtypeattribute (system_trace_prop_29_0) true) +(expandtypeattribute (system_update_service_29_0) true) +(expandtypeattribute (system_wifi_keystore_hwservice_29_0) true) +(expandtypeattribute (system_wpa_socket_29_0) true) +(expandtypeattribute (system_zoneinfo_file_29_0) true) +(expandtypeattribute (task_profiles_file_29_0) true) +(expandtypeattribute (task_service_29_0) true) +(expandtypeattribute (tcpdump_exec_29_0) true) +(expandtypeattribute (tee_29_0) true) +(expandtypeattribute (tee_data_file_29_0) true) +(expandtypeattribute (tee_device_29_0) true) +(expandtypeattribute (telecom_service_29_0) true) +(expandtypeattribute 
(test_boot_reason_prop_29_0) true) +(expandtypeattribute (test_harness_prop_29_0) true) +(expandtypeattribute (testharness_service_29_0) true) +(expandtypeattribute (textclassification_service_29_0) true) +(expandtypeattribute (textclassifier_data_file_29_0) true) +(expandtypeattribute (textservices_service_29_0) true) +(expandtypeattribute (thermalcallback_hwservice_29_0) true) +(expandtypeattribute (thermal_service_29_0) true) +(expandtypeattribute (timedetector_service_29_0) true) +(expandtypeattribute (time_prop_29_0) true) +(expandtypeattribute (timezone_service_29_0) true) +(expandtypeattribute (tmpfs_29_0) true) +(expandtypeattribute (tombstoned_29_0) true) +(expandtypeattribute (tombstone_data_file_29_0) true) +(expandtypeattribute (tombstoned_crash_socket_29_0) true) +(expandtypeattribute (tombstoned_exec_29_0) true) +(expandtypeattribute (tombstoned_intercept_socket_29_0) true) +(expandtypeattribute (tombstoned_java_trace_socket_29_0) true) +(expandtypeattribute (tombstone_wifi_data_file_29_0) true) +(expandtypeattribute (toolbox_29_0) true) +(expandtypeattribute (toolbox_exec_29_0) true) +(expandtypeattribute (traced_29_0) true) +(expandtypeattribute (trace_data_file_29_0) true) +(expandtypeattribute (traced_consumer_socket_29_0) true) +(expandtypeattribute (traced_enabled_prop_29_0) true) +(expandtypeattribute (traced_lazy_prop_29_0) true) +(expandtypeattribute (traced_probes_29_0) true) +(expandtypeattribute (traced_producer_socket_29_0) true) +(expandtypeattribute (traceur_app_29_0) true) +(expandtypeattribute (trust_service_29_0) true) +(expandtypeattribute (tty_device_29_0) true) +(expandtypeattribute (tun_device_29_0) true) +(expandtypeattribute (tv_input_service_29_0) true) +(expandtypeattribute (tzdatacheck_29_0) true) +(expandtypeattribute (tzdatacheck_exec_29_0) true) +(expandtypeattribute (ueventd_29_0) true) +(expandtypeattribute (ueventd_tmpfs_29_0) true) +(expandtypeattribute (uhid_device_29_0) true) +(expandtypeattribute 
(uimode_service_29_0) true) +(expandtypeattribute (uio_device_29_0) true) +(expandtypeattribute (uncrypt_29_0) true) +(expandtypeattribute (uncrypt_exec_29_0) true) +(expandtypeattribute (uncrypt_socket_29_0) true) +(expandtypeattribute (unencrypted_data_file_29_0) true) +(expandtypeattribute (unlabeled_29_0) true) +(expandtypeattribute (untrusted_app_25_29_0) true) +(expandtypeattribute (untrusted_app_27_29_0) true) +(expandtypeattribute (untrusted_app_29_0) true) +(expandtypeattribute (update_engine_29_0) true) +(expandtypeattribute (update_engine_data_file_29_0) true) +(expandtypeattribute (update_engine_exec_29_0) true) +(expandtypeattribute (update_engine_log_data_file_29_0) true) +(expandtypeattribute (update_engine_service_29_0) true) +(expandtypeattribute (updatelock_service_29_0) true) +(expandtypeattribute (update_verifier_29_0) true) +(expandtypeattribute (update_verifier_exec_29_0) true) +(expandtypeattribute (uri_grants_service_29_0) true) +(expandtypeattribute (usagestats_service_29_0) true) +(expandtypeattribute (usbaccessory_device_29_0) true) +(expandtypeattribute (usbd_29_0) true) +(expandtypeattribute (usb_device_29_0) true) +(expandtypeattribute (usbd_exec_29_0) true) +(expandtypeattribute (usbfs_29_0) true) +(expandtypeattribute (usb_service_29_0) true) +(expandtypeattribute (use_memfd_prop_29_0) true) +(expandtypeattribute (userdata_block_device_29_0) true) +(expandtypeattribute (usermodehelper_29_0) true) +(expandtypeattribute (user_profile_data_file_29_0) true) +(expandtypeattribute (user_service_29_0) true) +(expandtypeattribute (vdc_29_0) true) +(expandtypeattribute (vdc_exec_29_0) true) +(expandtypeattribute (vendor_app_file_29_0) true) +(expandtypeattribute (vendor_cgroup_desc_file_29_0) true) +(expandtypeattribute (vendor_configs_file_29_0) true) +(expandtypeattribute (vendor_data_file_29_0) true) +(expandtypeattribute (vendor_default_prop_29_0) true) +(expandtypeattribute (vendor_file_29_0) true) +(expandtypeattribute 
(vendor_framework_file_29_0) true) +(expandtypeattribute (vendor_hal_file_29_0) true) +(expandtypeattribute (vendor_idc_file_29_0) true) +(expandtypeattribute (vendor_init_29_0) true) +(expandtypeattribute (vendor_keychars_file_29_0) true) +(expandtypeattribute (vendor_keylayout_file_29_0) true) +(expandtypeattribute (vendor_overlay_file_29_0) true) +(expandtypeattribute (vendor_public_lib_file_29_0) true) +(expandtypeattribute (vendor_security_patch_level_prop_29_0) true) +(expandtypeattribute (vendor_shell_29_0) true) +(expandtypeattribute (vendor_shell_exec_29_0) true) +(expandtypeattribute (vendor_task_profiles_file_29_0) true) +(expandtypeattribute (vendor_toolbox_exec_29_0) true) +(expandtypeattribute (vfat_29_0) true) +(expandtypeattribute (vibrator_service_29_0) true) +(expandtypeattribute (video_device_29_0) true) +(expandtypeattribute (virtual_touchpad_29_0) true) +(expandtypeattribute (virtual_touchpad_exec_29_0) true) +(expandtypeattribute (virtual_touchpad_service_29_0) true) +(expandtypeattribute (vndbinder_device_29_0) true) +(expandtypeattribute (vndk_sp_file_29_0) true) +(expandtypeattribute (vndservice_contexts_file_29_0) true) +(expandtypeattribute (vndservicemanager_29_0) true) +(expandtypeattribute (voiceinteraction_service_29_0) true) +(expandtypeattribute (vold_29_0) true) +(expandtypeattribute (vold_data_file_29_0) true) +(expandtypeattribute (vold_device_29_0) true) +(expandtypeattribute (vold_exec_29_0) true) +(expandtypeattribute (vold_metadata_file_29_0) true) +(expandtypeattribute (vold_prepare_subdirs_29_0) true) +(expandtypeattribute (vold_prepare_subdirs_exec_29_0) true) +(expandtypeattribute (vold_prop_29_0) true) +(expandtypeattribute (vold_service_29_0) true) +(expandtypeattribute (vpn_data_file_29_0) true) +(expandtypeattribute (vrflinger_vsync_service_29_0) true) +(expandtypeattribute (vr_hwc_29_0) true) +(expandtypeattribute (vr_hwc_exec_29_0) true) +(expandtypeattribute (vr_hwc_service_29_0) true) +(expandtypeattribute 
(vr_manager_service_29_0) true) +(expandtypeattribute (wallpaper_file_29_0) true) +(expandtypeattribute (wallpaper_service_29_0) true) +(expandtypeattribute (watchdogd_29_0) true) +(expandtypeattribute (watchdog_device_29_0) true) +(expandtypeattribute (watchdogd_exec_29_0) true) +(expandtypeattribute (webviewupdate_service_29_0) true) +(expandtypeattribute (webview_zygote_29_0) true) +(expandtypeattribute (webview_zygote_exec_29_0) true) +(expandtypeattribute (webview_zygote_tmpfs_29_0) true) +(expandtypeattribute (wifiaware_service_29_0) true) +(expandtypeattribute (wificond_29_0) true) +(expandtypeattribute (wificond_exec_29_0) true) +(expandtypeattribute (wificond_service_29_0) true) +(expandtypeattribute (wifi_data_file_29_0) true) +(expandtypeattribute (wifi_log_prop_29_0) true) +(expandtypeattribute (wifip2p_service_29_0) true) +(expandtypeattribute (wifi_prop_29_0) true) +(expandtypeattribute (wifiscanner_service_29_0) true) +(expandtypeattribute (wifi_service_29_0) true) +(expandtypeattribute (window_service_29_0) true) +(expandtypeattribute (wpantund_29_0) true) +(expandtypeattribute (wpantund_exec_29_0) true) +(expandtypeattribute (wpantund_service_29_0) true) +(expandtypeattribute (wpa_socket_29_0) true) +(expandtypeattribute (zero_device_29_0) true) +(expandtypeattribute (zoneinfo_data_file_29_0) true) +(expandtypeattribute (zygote_29_0) true) +(expandtypeattribute (zygote_exec_29_0) true) +(expandtypeattribute (zygote_socket_29_0) true) +(expandtypeattribute (zygote_tmpfs_29_0) true) +(typeattributeset accessibility_service_29_0 (accessibility_service)) +(typeattributeset account_service_29_0 (account_service)) +(typeattributeset activity_service_29_0 (activity_service)) +(typeattributeset activity_task_service_29_0 (activity_task_service)) +(typeattributeset adbd_29_0 (adbd)) +(typeattributeset adb_data_file_29_0 (adb_data_file)) +(typeattributeset adbd_exec_29_0 (adbd_exec)) +(typeattributeset adbd_socket_29_0 (adbd_socket)) +(typeattributeset 
adb_keys_file_29_0 (adb_keys_file)) +(typeattributeset adb_service_29_0 (adb_service)) +(typeattributeset alarm_service_29_0 (alarm_service)) +(typeattributeset anr_data_file_29_0 (anr_data_file)) +(typeattributeset apexd_29_0 (apexd)) +(typeattributeset apex_data_file_29_0 (apex_data_file)) +(typeattributeset apexd_exec_29_0 (apexd_exec)) +(typeattributeset apexd_prop_29_0 (apexd_prop)) +(typeattributeset apex_metadata_file_29_0 (apex_metadata_file)) +(typeattributeset apex_mnt_dir_29_0 (apex_mnt_dir)) +(typeattributeset apex_service_29_0 (apex_service)) +(typeattributeset apk_data_file_29_0 (apk_data_file)) +(typeattributeset apk_private_data_file_29_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_29_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_29_0 (apk_tmp_file)) +(typeattributeset app_binding_service_29_0 (app_binding_service)) +(typeattributeset app_data_file_29_0 (app_data_file)) +(typeattributeset appdomain_tmpfs_29_0 (appdomain_tmpfs)) +(typeattributeset app_fuse_file_29_0 (app_fuse_file)) +(typeattributeset app_fusefs_29_0 (app_fusefs)) +(typeattributeset appops_service_29_0 (appops_service)) +(typeattributeset app_prediction_service_29_0 (app_prediction_service)) +(typeattributeset appwidget_service_29_0 (appwidget_service)) +(typeattributeset app_zygote_29_0 (app_zygote)) +(typeattributeset app_zygote_tmpfs_29_0 (app_zygote_tmpfs)) +(typeattributeset asec_apk_file_29_0 (asec_apk_file)) +(typeattributeset asec_image_file_29_0 (asec_image_file)) +(typeattributeset asec_public_file_29_0 (asec_public_file)) +(typeattributeset ashmemd_29_0 (ashmemd)) +(typeattributeset ashmem_device_29_0 (ashmem_device)) +(typeattributeset assetatlas_service_29_0 (assetatlas_service)) +(typeattributeset audio_data_file_29_0 (audio_data_file)) +(typeattributeset audio_device_29_0 (audio_device)) +(typeattributeset audiohal_data_file_29_0 (audiohal_data_file)) +(typeattributeset audio_prop_29_0 (audio_prop)) +(typeattributeset audioserver_29_0 
(audioserver)) +(typeattributeset audioserver_data_file_29_0 (audioserver_data_file)) +(typeattributeset audioserver_service_29_0 (audioserver_service)) +(typeattributeset audioserver_tmpfs_29_0 (audioserver_tmpfs)) +(typeattributeset audio_service_29_0 (audio_service)) +(typeattributeset autofill_service_29_0 (autofill_service)) +(typeattributeset backup_data_file_29_0 (backup_data_file)) +(typeattributeset backup_service_29_0 (backup_service)) +(typeattributeset batteryproperties_service_29_0 (batteryproperties_service)) +(typeattributeset battery_service_29_0 (battery_service)) +(typeattributeset batterystats_service_29_0 (batterystats_service)) +(typeattributeset binder_calls_stats_service_29_0 (binder_calls_stats_service)) +(typeattributeset binder_device_29_0 (binder_device)) +(typeattributeset binfmt_miscfs_29_0 (binfmt_miscfs)) +(typeattributeset biometric_service_29_0 (biometric_service)) +(typeattributeset blkid_29_0 (blkid)) +(typeattributeset blkid_untrusted_29_0 (blkid_untrusted)) +(typeattributeset block_device_29_0 (block_device)) +(typeattributeset bluetooth_29_0 (bluetooth)) +(typeattributeset bluetooth_a2dp_offload_prop_29_0 (bluetooth_a2dp_offload_prop)) +(typeattributeset bluetooth_audio_hal_prop_29_0 (bluetooth_audio_hal_prop)) +(typeattributeset bluetooth_data_file_29_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_29_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_29_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_29_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_29_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_29_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_29_0 (bluetooth_socket)) +(typeattributeset bootanim_29_0 (bootanim)) +(typeattributeset bootanim_exec_29_0 (bootanim_exec)) +(typeattributeset boot_block_device_29_0 (boot_block_device)) +(typeattributeset bootchart_data_file_29_0 (bootchart_data_file)) +(typeattributeset 
bootloader_boot_reason_prop_29_0 (bootloader_boot_reason_prop)) +(typeattributeset bootstat_29_0 (bootstat)) +(typeattributeset bootstat_data_file_29_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_29_0 (bootstat_exec)) +(typeattributeset boottime_prop_29_0 (boottime_prop)) +(typeattributeset boottrace_data_file_29_0 (boottrace_data_file)) +(typeattributeset bpf_progs_loaded_prop_29_0 (bpf_progs_loaded_prop)) +(typeattributeset broadcastradio_service_29_0 (broadcastradio_service)) +(typeattributeset bufferhubd_29_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_29_0 (bufferhubd_exec)) +(typeattributeset bugreport_service_29_0 (bugreport_service)) +(typeattributeset cache_backup_file_29_0 (cache_backup_file)) +(typeattributeset cache_block_device_29_0 (cache_block_device)) +(typeattributeset cache_file_29_0 (cache_file)) +(typeattributeset cache_private_backup_file_29_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_29_0 (cache_recovery_file)) +(typeattributeset camera_data_file_29_0 (camera_data_file)) +(typeattributeset camera_device_29_0 (camera_device)) +(typeattributeset cameraproxy_service_29_0 (cameraproxy_service)) +(typeattributeset cameraserver_29_0 (cameraserver)) +(typeattributeset cameraserver_exec_29_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_29_0 (cameraserver_service)) +(typeattributeset cameraserver_tmpfs_29_0 (cameraserver_tmpfs)) +(typeattributeset cgroup_29_0 (cgroup)) +(typeattributeset cgroup_bpf_29_0 (cgroup_bpf)) +(typeattributeset cgroup_desc_file_29_0 (cgroup_desc_file)) +(typeattributeset cgroup_rc_file_29_0 (cgroup_rc_file)) +(typeattributeset charger_29_0 (charger)) +(typeattributeset charger_exec_29_0 (charger_exec)) +(typeattributeset clatd_29_0 (clatd)) +(typeattributeset clatd_exec_29_0 (clatd_exec)) +(typeattributeset clipboard_service_29_0 (clipboard_service)) +(typeattributeset color_display_service_29_0 (color_display_service)) +(typeattributeset companion_device_service_29_0 
(companion_device_service)) +(typeattributeset configfs_29_0 (configfs)) +(typeattributeset config_prop_29_0 (config_prop)) +(typeattributeset connectivity_service_29_0 (connectivity_service)) +(typeattributeset connmetrics_service_29_0 (connmetrics_service)) +(typeattributeset console_device_29_0 (console_device)) +(typeattributeset consumer_ir_service_29_0 (consumer_ir_service)) +(typeattributeset content_capture_service_29_0 (content_capture_service)) +(typeattributeset content_service_29_0 (content_service)) +(typeattributeset content_suggestions_service_29_0 (content_suggestions_service)) +(typeattributeset contexthub_service_29_0 (contexthub_service)) +(typeattributeset coredump_file_29_0 (coredump_file)) +(typeattributeset country_detector_service_29_0 (country_detector_service)) +(typeattributeset coverage_service_29_0 (coverage_service)) +(typeattributeset cppreopt_prop_29_0 (cppreopt_prop)) +(typeattributeset cpuinfo_service_29_0 (cpuinfo_service)) +(typeattributeset cpu_variant_prop_29_0 (cpu_variant_prop)) +(typeattributeset crash_dump_29_0 (crash_dump)) +(typeattributeset crash_dump_exec_29_0 (crash_dump_exec)) +(typeattributeset crossprofileapps_service_29_0 (crossprofileapps_service)) +(typeattributeset ctl_adbd_prop_29_0 (ctl_adbd_prop)) +(typeattributeset ctl_bootanim_prop_29_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_29_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_29_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_29_0 (ctl_default_prop)) +(typeattributeset ctl_dumpstate_prop_29_0 (ctl_dumpstate_prop)) +(typeattributeset ctl_fuse_prop_29_0 (ctl_fuse_prop)) +(typeattributeset ctl_gsid_prop_29_0 (ctl_gsid_prop)) +(typeattributeset ctl_interface_restart_prop_29_0 (ctl_interface_restart_prop)) +(typeattributeset ctl_interface_start_prop_29_0 (ctl_interface_start_prop)) +(typeattributeset ctl_interface_stop_prop_29_0 (ctl_interface_stop_prop)) +(typeattributeset ctl_mdnsd_prop_29_0 (ctl_mdnsd_prop)) 
+(typeattributeset ctl_restart_prop_29_0 (ctl_restart_prop)) +(typeattributeset ctl_rildaemon_prop_29_0 (ctl_rildaemon_prop)) +(typeattributeset ctl_sigstop_prop_29_0 (ctl_sigstop_prop)) +(typeattributeset ctl_start_prop_29_0 (ctl_start_prop)) +(typeattributeset ctl_stop_prop_29_0 (ctl_stop_prop)) +(typeattributeset dalvikcache_data_file_29_0 (dalvikcache_data_file)) +(typeattributeset dalvik_prop_29_0 (dalvik_prop)) +(typeattributeset dbinfo_service_29_0 (dbinfo_service)) +(typeattributeset debugfs_29_0 (debugfs)) +(typeattributeset debugfs_mmc_29_0 (debugfs_mmc)) +(typeattributeset debugfs_trace_marker_29_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_29_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_debug_29_0 (debugfs_tracing_debug)) +(typeattributeset debugfs_tracing_instances_29_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_wakeup_sources_29_0 (debugfs_wakeup_sources)) +(typeattributeset debugfs_wifi_tracing_29_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_29_0 (debuggerd_prop)) +(typeattributeset debug_prop_29_0 (debug_prop)) +(typeattributeset default_android_hwservice_29_0 (default_android_hwservice)) +(typeattributeset default_android_service_29_0 (default_android_service)) +(typeattributeset default_android_vndservice_29_0 (default_android_vndservice)) +(typeattributeset default_prop_29_0 (default_prop apk_verity_prop)) +(typeattributeset dev_cpu_variant_29_0 (dev_cpu_variant)) +(typeattributeset device_29_0 (device)) +(typeattributeset device_config_activity_manager_native_boot_prop_29_0 (device_config_activity_manager_native_boot_prop)) +(typeattributeset device_config_boot_count_prop_29_0 (device_config_boot_count_prop)) +(typeattributeset device_config_input_native_boot_prop_29_0 (device_config_input_native_boot_prop)) +(typeattributeset device_config_media_native_prop_29_0 (device_config_media_native_prop)) +(typeattributeset device_config_netd_native_prop_29_0 (device_config_netd_native_prop)) 
+(typeattributeset device_config_reset_performed_prop_29_0 (device_config_reset_performed_prop)) +(typeattributeset device_config_runtime_native_boot_prop_29_0 (device_config_runtime_native_boot_prop)) +(typeattributeset device_config_runtime_native_prop_29_0 (device_config_runtime_native_prop)) +(typeattributeset device_config_service_29_0 (device_config_service)) +(typeattributeset device_identifiers_service_29_0 (device_identifiers_service)) +(typeattributeset deviceidle_service_29_0 (deviceidle_service)) +(typeattributeset device_logging_prop_29_0 (device_logging_prop)) +(typeattributeset device_policy_service_29_0 (device_policy_service)) +(typeattributeset devicestoragemonitor_service_29_0 (devicestoragemonitor_service)) +(typeattributeset devpts_29_0 (devpts)) +(typeattributeset dhcp_29_0 (dhcp)) +(typeattributeset dhcp_data_file_29_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_29_0 (dhcp_exec)) +(typeattributeset dhcp_prop_29_0 (dhcp_prop)) +(typeattributeset diskstats_service_29_0 (diskstats_service)) +(typeattributeset display_service_29_0 (display_service)) +(typeattributeset dm_device_29_0 (dm_device)) +(typeattributeset dnsmasq_29_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_29_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_29_0 (dnsproxyd_socket)) +(typeattributeset dnsresolver_service_29_0 (dnsresolver_service)) +(typeattributeset DockObserver_service_29_0 (DockObserver_service)) +(typeattributeset dreams_service_29_0 (dreams_service)) +(typeattributeset drm_data_file_29_0 (drm_data_file)) +(typeattributeset drmserver_29_0 (drmserver)) +(typeattributeset drmserver_exec_29_0 (drmserver_exec)) +(typeattributeset drmserver_service_29_0 (drmserver_service)) +(typeattributeset drmserver_socket_29_0 (drmserver_socket)) +(typeattributeset dropbox_data_file_29_0 (dropbox_data_file)) +(typeattributeset dropbox_service_29_0 (dropbox_service)) +(typeattributeset dumpstate_29_0 (dumpstate)) +(typeattributeset dumpstate_exec_29_0 (dumpstate_exec)) 
+(typeattributeset dumpstate_options_prop_29_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_29_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_29_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_29_0 (dumpstate_socket)) +(typeattributeset dynamic_system_prop_29_0 (dynamic_system_prop)) +(typeattributeset e2fs_29_0 (e2fs)) +(typeattributeset e2fs_exec_29_0 (e2fs_exec)) +(typeattributeset efs_file_29_0 (efs_file)) +(typeattributeset ephemeral_app_29_0 (ephemeral_app)) +(typeattributeset ethernet_service_29_0 (ethernet_service)) +(typeattributeset exfat_29_0 (exfat)) +(typeattributeset exported2_config_prop_29_0 (exported2_config_prop systemsound_config_prop)) +(typeattributeset exported2_default_prop_29_0 (exported2_default_prop)) +(typeattributeset exported2_radio_prop_29_0 (exported2_radio_prop)) +(typeattributeset exported2_system_prop_29_0 + ( exported2_system_prop + surfaceflinger_color_prop)) +(typeattributeset exported2_vold_prop_29_0 + ( exported2_vold_prop + vold_config_prop + vold_post_fs_data_prop)) +(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop)) +(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop)) +(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop)) +(typeattributeset exported_audio_prop_29_0 (exported_audio_prop audio_config_prop)) +(typeattributeset exported_bluetooth_prop_29_0 (exported_bluetooth_prop)) +(typeattributeset exported_config_prop_29_0 (exported_config_prop)) +(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop dalvik_config_prop)) +(typeattributeset exported_default_prop_29_0 + ( exported_default_prop + surfaceflinger_prop + vndk_prop)) +(typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop)) +(typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop)) +(typeattributeset exported_fingerprint_prop_29_0 (exported_fingerprint_prop)) +(typeattributeset exported_overlay_prop_29_0 
(exported_overlay_prop)) +(typeattributeset exported_pm_prop_29_0 (exported_pm_prop)) +(typeattributeset exported_radio_prop_29_0 (exported_radio_prop)) +(typeattributeset exported_secure_prop_29_0 (exported_secure_prop)) +(typeattributeset exported_system_prop_29_0 (exported_system_prop)) +(typeattributeset exported_system_radio_prop_29_0 (exported_system_radio_prop)) +(typeattributeset exported_vold_prop_29_0 (exported_vold_prop vold_status_prop)) +(typeattributeset exported_wifi_prop_29_0 (exported_wifi_prop)) +(typeattributeset external_vibrator_service_29_0 (external_vibrator_service)) +(typeattributeset face_service_29_0 (face_service)) +(typeattributeset face_vendor_data_file_29_0 (face_vendor_data_file)) +(typeattributeset fastbootd_29_0 (fastbootd)) +(typeattributeset ffs_prop_29_0 (ffs_prop)) +(typeattributeset file_contexts_file_29_0 (file_contexts_file)) +(typeattributeset fingerprintd_29_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_29_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_29_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_29_0 (fingerprintd_service)) +(typeattributeset fingerprint_prop_29_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_29_0 (fingerprint_service)) +(typeattributeset fingerprint_vendor_data_file_29_0 (fingerprint_vendor_data_file)) +(typeattributeset firstboot_prop_29_0 (firstboot_prop)) +(typeattributeset flags_health_check_29_0 (flags_health_check)) +(typeattributeset flags_health_check_exec_29_0 (flags_health_check_exec)) +(typeattributeset font_service_29_0 (font_service)) +(typeattributeset frp_block_device_29_0 (frp_block_device)) +(typeattributeset fs_bpf_29_0 (fs_bpf)) +(typeattributeset fsck_29_0 (fsck)) +(typeattributeset fsck_exec_29_0 (fsck_exec)) +(typeattributeset fscklogs_29_0 (fscklogs)) +(typeattributeset fsck_untrusted_29_0 (fsck_untrusted)) +(typeattributeset functionfs_29_0 (functionfs)) +(typeattributeset fuse_29_0 (fuse)) +(typeattributeset 
fuse_device_29_0 (fuse_device)) +(typeattributeset fwk_bufferhub_hwservice_29_0 (fwk_bufferhub_hwservice)) +(typeattributeset fwk_camera_hwservice_29_0 (fwk_camera_hwservice)) +(typeattributeset fwk_display_hwservice_29_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_29_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_29_0 (fwk_sensor_hwservice)) +(typeattributeset fwk_stats_hwservice_29_0 (fwk_stats_hwservice)) +(typeattributeset fwmarkd_socket_29_0 (fwmarkd_socket)) +(typeattributeset gatekeeperd_29_0 (gatekeeperd)) +(typeattributeset gatekeeper_data_file_29_0 (gatekeeper_data_file)) +(typeattributeset gatekeeperd_exec_29_0 (gatekeeperd_exec)) +(typeattributeset gatekeeper_service_29_0 (gatekeeper_service)) +(typeattributeset gfxinfo_service_29_0 (gfxinfo_service)) +(typeattributeset gps_control_29_0 (gps_control)) +(typeattributeset gpu_device_29_0 (gpu_device)) +(typeattributeset gpu_service_29_0 (gpu_service)) +(typeattributeset gpuservice_29_0 (gpuservice)) +(typeattributeset graphics_device_29_0 (graphics_device)) +(typeattributeset graphicsstats_service_29_0 (graphicsstats_service)) +(typeattributeset gsi_data_file_29_0 (gsi_data_file)) +(typeattributeset gsid_prop_29_0 (gsid_prop)) +(typeattributeset gsi_metadata_file_29_0 (gsi_metadata_file)) +(typeattributeset hal_atrace_hwservice_29_0 (hal_atrace_hwservice)) +(typeattributeset hal_audiocontrol_hwservice_29_0 (hal_audiocontrol_hwservice)) +(typeattributeset hal_audio_hwservice_29_0 (hal_audio_hwservice)) +(typeattributeset hal_authsecret_hwservice_29_0 (hal_authsecret_hwservice)) +(typeattributeset hal_bluetooth_hwservice_29_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_29_0 (hal_bootctl_hwservice)) +(typeattributeset hal_broadcastradio_hwservice_29_0 (hal_broadcastradio_hwservice)) +(typeattributeset hal_camera_hwservice_29_0 (hal_camera_hwservice)) +(typeattributeset hal_cas_hwservice_29_0 (hal_cas_hwservice)) +(typeattributeset 
hal_codec2_hwservice_29_0 (hal_codec2_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_29_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_confirmationui_hwservice_29_0 (hal_confirmationui_hwservice)) +(typeattributeset hal_contexthub_hwservice_29_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_29_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_hwservice_29_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_evs_hwservice_29_0 (hal_evs_hwservice)) +(typeattributeset hal_face_hwservice_29_0 (hal_face_hwservice)) +(typeattributeset hal_fingerprint_hwservice_29_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_29_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_29_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_29_0 (hal_gnss_hwservice)) +(typeattributeset hal_graphics_allocator_hwservice_29_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_29_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_composer_server_tmpfs_29_0 (hal_graphics_composer_server_tmpfs)) +(typeattributeset hal_graphics_mapper_hwservice_29_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_29_0 (hal_health_hwservice)) +(typeattributeset hal_health_storage_hwservice_29_0 (hal_health_storage_hwservice)) +(typeattributeset hal_input_classifier_hwservice_29_0 (hal_input_classifier_hwservice)) +(typeattributeset hal_ir_hwservice_29_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_29_0 (hal_keymaster_hwservice)) +(typeattributeset hal_light_hwservice_29_0 (hal_light_hwservice)) +(typeattributeset hal_lowpan_hwservice_29_0 (hal_lowpan_hwservice)) +(typeattributeset hal_memtrack_hwservice_29_0 (hal_memtrack_hwservice)) +(typeattributeset hal_neuralnetworks_hwservice_29_0 (hal_neuralnetworks_hwservice)) +(typeattributeset hal_nfc_hwservice_29_0 (hal_nfc_hwservice)) 
+(typeattributeset hal_oemlock_hwservice_29_0 (hal_oemlock_hwservice)) +(typeattributeset hal_omx_hwservice_29_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_29_0 (hal_power_hwservice)) +(typeattributeset hal_power_stats_hwservice_29_0 (hal_power_stats_hwservice)) +(typeattributeset hal_renderscript_hwservice_29_0 (hal_renderscript_hwservice)) +(typeattributeset hal_secure_element_hwservice_29_0 (hal_secure_element_hwservice)) +(typeattributeset hal_sensors_hwservice_29_0 (hal_sensors_hwservice)) +(typeattributeset hal_telephony_hwservice_29_0 (hal_telephony_hwservice)) +(typeattributeset hal_tetheroffload_hwservice_29_0 (hal_tetheroffload_hwservice)) +(typeattributeset hal_thermal_hwservice_29_0 (hal_thermal_hwservice)) +(typeattributeset hal_tv_cec_hwservice_29_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_29_0 (hal_tv_input_hwservice)) +(typeattributeset hal_usb_gadget_hwservice_29_0 (hal_usb_gadget_hwservice)) +(typeattributeset hal_usb_hwservice_29_0 (hal_usb_hwservice)) +(typeattributeset hal_vehicle_hwservice_29_0 (hal_vehicle_hwservice)) +(typeattributeset hal_vibrator_hwservice_29_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vr_hwservice_29_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_29_0 (hal_weaver_hwservice)) +(typeattributeset hal_wifi_hostapd_hwservice_29_0 (hal_wifi_hostapd_hwservice)) +(typeattributeset hal_wifi_hwservice_29_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_offload_hwservice_29_0 (hal_wifi_offload_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_29_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_29_0 (hardware_properties_service)) +(typeattributeset hardware_service_29_0 (hardware_service)) +(typeattributeset hci_attach_dev_29_0 (hci_attach_dev)) +(typeattributeset hdmi_control_service_29_0 (hdmi_control_service)) +(typeattributeset healthd_29_0 (healthd)) +(typeattributeset healthd_exec_29_0 (healthd_exec)) 
+(typeattributeset heapdump_data_file_29_0 (heapdump_data_file)) +(typeattributeset heapprofd_29_0 (heapprofd)) +(typeattributeset heapprofd_enabled_prop_29_0 (heapprofd_enabled_prop)) +(typeattributeset heapprofd_prop_29_0 (heapprofd_prop)) +(typeattributeset heapprofd_socket_29_0 (heapprofd_socket)) +(typeattributeset hidl_allocator_hwservice_29_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_29_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_29_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_29_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_29_0 (hidl_token_hwservice)) +(typeattributeset hwbinder_device_29_0 (hwbinder_device)) +(typeattributeset hw_random_device_29_0 (hw_random_device)) +(typeattributeset hwservice_contexts_file_29_0 (hwservice_contexts_file)) +(typeattributeset hwservicemanager_29_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_29_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_29_0 (hwservicemanager_prop)) +(typeattributeset icon_file_29_0 (icon_file)) +(typeattributeset idmap_29_0 (idmap)) +(typeattributeset idmap_exec_29_0 (idmap_exec)) +(typeattributeset idmap_service_29_0 (idmap_service)) +(typeattributeset iio_device_29_0 (iio_device)) +(typeattributeset imms_service_29_0 (imms_service)) +(typeattributeset incident_29_0 (incident)) +(typeattributeset incidentd_29_0 (incidentd)) +(typeattributeset incident_data_file_29_0 (incident_data_file)) +(typeattributeset incident_helper_29_0 (incident_helper)) +(typeattributeset incident_service_29_0 (incident_service)) +(typeattributeset init_29_0 (init)) +(typeattributeset init_exec_29_0 (init_exec)) +(typeattributeset init_tmpfs_29_0 (init_tmpfs)) +(typeattributeset inotify_29_0 (inotify)) +(typeattributeset input_device_29_0 (input_device)) +(typeattributeset inputflinger_29_0 (inputflinger)) +(typeattributeset inputflinger_exec_29_0 (inputflinger_exec)) +(typeattributeset 
inputflinger_service_29_0 (inputflinger_service)) +(typeattributeset input_method_service_29_0 (input_method_service)) +(typeattributeset input_service_29_0 (input_service)) +(typeattributeset installd_29_0 (installd)) +(typeattributeset install_data_file_29_0 (install_data_file)) +(typeattributeset installd_exec_29_0 (installd_exec)) +(typeattributeset installd_service_29_0 (installd_service)) +(typeattributeset install_recovery_29_0 (install_recovery)) +(typeattributeset install_recovery_exec_29_0 (install_recovery_exec)) +(typeattributeset ion_device_29_0 (ion_device)) +(typeattributeset iorapd_29_0 (iorapd)) +(typeattributeset iorapd_data_file_29_0 (iorapd_data_file)) +(typeattributeset iorapd_exec_29_0 (iorapd_exec)) +(typeattributeset iorapd_service_29_0 (iorapd_service)) +(typeattributeset iorapd_tmpfs_29_0 (iorapd_tmpfs)) +(typeattributeset IProxyService_service_29_0 (IProxyService_service)) +(typeattributeset ipsec_service_29_0 (ipsec_service)) +(typeattributeset iris_service_29_0 (iris_service)) +(typeattributeset iris_vendor_data_file_29_0 (iris_vendor_data_file)) +(typeattributeset isolated_app_29_0 (isolated_app)) +(typeattributeset jobscheduler_service_29_0 (jobscheduler_service)) +(typeattributeset kernel_29_0 (kernel)) +(typeattributeset keychain_data_file_29_0 (keychain_data_file)) +(typeattributeset keychord_device_29_0 (keychord_device)) +(typeattributeset keystore_29_0 (keystore)) +(typeattributeset keystore_data_file_29_0 (keystore_data_file)) +(typeattributeset keystore_exec_29_0 (keystore_exec)) +(typeattributeset keystore_service_29_0 (keystore_service)) +(typeattributeset kmsg_debug_device_29_0 (kmsg_debug_device)) +(typeattributeset kmsg_device_29_0 (kmsg_device)) +(typeattributeset labeledfs_29_0 (labeledfs)) +(typeattributeset last_boot_reason_prop_29_0 (last_boot_reason_prop)) +(typeattributeset launcherapps_service_29_0 (launcherapps_service)) +(typeattributeset llkd_29_0 (llkd)) +(typeattributeset llkd_exec_29_0 (llkd_exec)) 
+(typeattributeset llkd_prop_29_0 (llkd_prop)) +(typeattributeset lmkd_29_0 (lmkd)) +(typeattributeset lmkd_exec_29_0 (lmkd_exec)) +(typeattributeset lmkd_socket_29_0 (lmkd_socket)) +(typeattributeset location_service_29_0 (location_service)) +(typeattributeset lock_settings_service_29_0 (lock_settings_service)) +(typeattributeset logcat_exec_29_0 (logcat_exec)) +(typeattributeset logd_29_0 (logd)) +(typeattributeset logd_exec_29_0 (logd_exec)) +(typeattributeset logd_prop_29_0 (logd_prop)) +(typeattributeset logdr_socket_29_0 (logdr_socket)) +(typeattributeset logd_socket_29_0 (logd_socket)) +(typeattributeset logdw_socket_29_0 (logdw_socket)) +(typeattributeset logpersist_29_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_29_0 (logpersistd_logging_prop)) +(typeattributeset log_prop_29_0 (log_prop)) +(typeattributeset log_tag_prop_29_0 (log_tag_prop)) +(typeattributeset loop_control_device_29_0 (loop_control_device)) +(typeattributeset loop_device_29_0 (loop_device)) +(typeattributeset looper_stats_service_29_0 (looper_stats_service)) +(typeattributeset lowpan_device_29_0 (lowpan_device)) +(typeattributeset lowpan_prop_29_0 (lowpan_prop)) +(typeattributeset lowpan_service_29_0 (lowpan_service)) +(typeattributeset lpdumpd_prop_29_0 (lpdumpd_prop)) +(typeattributeset lpdump_service_29_0 (lpdump_service)) +(typeattributeset mac_perms_file_29_0 (mac_perms_file)) +(typeattributeset mdnsd_29_0 (mdnsd)) +(typeattributeset mdnsd_socket_29_0 (mdnsd_socket)) +(typeattributeset mdns_socket_29_0 (mdns_socket)) +(typeattributeset mediacodec_service_29_0 (mediacodec_service)) +(typeattributeset media_data_file_29_0 (media_data_file)) +(typeattributeset mediadrmserver_29_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_29_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_29_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_29_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_29_0 (mediaextractor_exec)) 
+(typeattributeset mediaextractor_service_29_0 (mediaextractor_service)) +(typeattributeset mediaextractor_tmpfs_29_0 (mediaextractor_tmpfs)) +(typeattributeset mediametrics_29_0 (mediametrics)) +(typeattributeset mediametrics_exec_29_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_29_0 (mediametrics_service)) +(typeattributeset media_projection_service_29_0 (media_projection_service)) +(typeattributeset mediaprovider_29_0 (mediaprovider)) +(typeattributeset media_router_service_29_0 (media_router_service)) +(typeattributeset media_rw_data_file_29_0 (media_rw_data_file)) +(typeattributeset mediaserver_29_0 (mediaserver)) +(typeattributeset mediaserver_exec_29_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_29_0 (mediaserver_service)) +(typeattributeset mediaserver_tmpfs_29_0 (mediaserver_tmpfs)) +(typeattributeset media_session_service_29_0 (media_session_service)) +(typeattributeset mediaswcodec_29_0 (mediaswcodec)) +(typeattributeset mediaswcodec_exec_29_0 (mediaswcodec_exec)) +(typeattributeset meminfo_service_29_0 (meminfo_service)) +(typeattributeset metadata_block_device_29_0 (metadata_block_device)) +(typeattributeset metadata_file_29_0 (metadata_file)) +(typeattributeset method_trace_data_file_29_0 (method_trace_data_file)) +(typeattributeset midi_service_29_0 (midi_service)) +(typeattributeset misc_block_device_29_0 (misc_block_device)) +(typeattributeset misc_logd_file_29_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_29_0 (misc_user_data_file)) +(typeattributeset mmc_prop_29_0 (mmc_prop)) +(typeattributeset mnt_expand_file_29_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_29_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_29_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_product_file_29_0 (mnt_product_file)) +(typeattributeset mnt_user_file_29_0 (mnt_user_file)) +(typeattributeset mnt_vendor_file_29_0 (mnt_vendor_file)) +(typeattributeset modprobe_29_0 (modprobe)) +(typeattributeset 
mount_service_29_0 (mount_service)) +(typeattributeset mqueue_29_0 (mqueue)) +(typeattributeset mtp_29_0 (mtp)) +(typeattributeset mtp_device_29_0 (mtp_device)) +(typeattributeset mtpd_socket_29_0 (mtpd_socket)) +(typeattributeset mtp_exec_29_0 (mtp_exec)) +(typeattributeset nativetest_data_file_29_0 (nativetest_data_file)) +(typeattributeset netd_29_0 (netd)) +(typeattributeset net_data_file_29_0 (net_data_file)) +(typeattributeset netd_exec_29_0 (netd_exec)) +(typeattributeset netd_listener_service_29_0 (netd_listener_service)) +(typeattributeset net_dns_prop_29_0 (net_dns_prop)) +(typeattributeset netd_service_29_0 (netd_service)) +(typeattributeset netd_stable_secret_prop_29_0 (netd_stable_secret_prop)) +(typeattributeset netif_29_0 (netif)) +(typeattributeset netpolicy_service_29_0 (netpolicy_service)) +(typeattributeset net_radio_prop_29_0 (net_radio_prop)) +(typeattributeset netstats_service_29_0 (netstats_service)) +(typeattributeset netutils_wrapper_29_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_29_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_29_0 (network_management_service)) +(typeattributeset network_score_service_29_0 (network_score_service)) +(typeattributeset network_stack_29_0 (network_stack)) +(typeattributeset network_stack_service_29_0 (network_stack_service)) +(typeattributeset network_time_update_service_29_0 (network_time_update_service)) +(typeattributeset network_watchlist_data_file_29_0 (network_watchlist_data_file)) +(typeattributeset network_watchlist_service_29_0 (network_watchlist_service)) +(typeattributeset nfc_29_0 (nfc)) +(typeattributeset nfc_data_file_29_0 (nfc_data_file)) +(typeattributeset nfc_device_29_0 (nfc_device)) +(typeattributeset nfc_prop_29_0 (nfc_prop)) +(typeattributeset nfc_service_29_0 (nfc_service)) +(typeattributeset nnapi_ext_deny_product_prop_29_0 (nnapi_ext_deny_product_prop)) +(typeattributeset node_29_0 (node)) +(typeattributeset 
nonplat_service_contexts_file_29_0 (nonplat_service_contexts_file)) +(typeattributeset notification_service_29_0 (notification_service)) +(typeattributeset null_device_29_0 (null_device)) +(typeattributeset oemfs_29_0 (oemfs)) +(typeattributeset oem_lock_service_29_0 (oem_lock_service)) +(typeattributeset ota_data_file_29_0 (ota_data_file)) +(typeattributeset otadexopt_service_29_0 (otadexopt_service)) +(typeattributeset ota_package_file_29_0 (ota_package_file)) +(typeattributeset overlayfs_file_29_0 (overlayfs_file)) +(typeattributeset overlay_prop_29_0 (overlay_prop)) +(typeattributeset overlay_service_29_0 (overlay_service)) +(typeattributeset owntty_device_29_0 (owntty_device)) +(typeattributeset package_native_service_29_0 (package_native_service)) +(typeattributeset package_service_29_0 (package_service)) +(typeattributeset packages_list_file_29_0 (packages_list_file)) +(typeattributeset pan_result_prop_29_0 (pan_result_prop)) +(typeattributeset password_slot_metadata_file_29_0 (password_slot_metadata_file)) +(typeattributeset pdx_bufferhub_client_channel_socket_29_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_29_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_29_0 (pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_29_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_29_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_29_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_29_0 (pdx_display_manager_channel_socket)) +(typeattributeset pdx_display_manager_endpoint_socket_29_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_29_0 (pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_29_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset 
pdx_display_vsync_channel_socket_29_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_29_0 (pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_29_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_29_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_29_0 (pdx_performance_dir)) +(typeattributeset perfetto_29_0 (perfetto)) +(typeattributeset performanced_29_0 (performanced)) +(typeattributeset performanced_exec_29_0 (performanced_exec)) +(typeattributeset permissionmgr_service_29_0 (permissionmgr_service)) +(typeattributeset permission_service_29_0 (permission_service)) +(typeattributeset persist_debug_prop_29_0 (persist_debug_prop)) +(typeattributeset persistent_data_block_service_29_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_29_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_29_0 (pinner_service)) +(typeattributeset pipefs_29_0 (pipefs)) +(typeattributeset platform_app_29_0 (platform_app)) +(typeattributeset pm_prop_29_0 (pm_prop)) +(typeattributeset pmsg_device_29_0 (pmsg_device)) +(typeattributeset port_29_0 (port)) +(typeattributeset port_device_29_0 (port_device)) +(typeattributeset postinstall_29_0 (postinstall)) +(typeattributeset postinstall_apex_mnt_dir_29_0 (postinstall_apex_mnt_dir)) +(typeattributeset postinstall_file_29_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_29_0 (postinstall_mnt_dir)) +(typeattributeset powerctl_prop_29_0 (powerctl_prop)) +(typeattributeset power_service_29_0 (power_service)) +(typeattributeset ppp_29_0 (ppp)) +(typeattributeset ppp_device_29_0 (ppp_device)) +(typeattributeset ppp_exec_29_0 (ppp_exec)) +(typeattributeset preloads_data_file_29_0 (preloads_data_file)) +(typeattributeset preloads_media_file_29_0 (preloads_media_file)) +(typeattributeset print_service_29_0 
(print_service)) +(typeattributeset priv_app_29_0 (priv_app)) +(typeattributeset privapp_data_file_29_0 (privapp_data_file)) +(typeattributeset proc_29_0 + ( proc + proc_kpageflags + proc_lowmemorykiller)) +(typeattributeset proc_abi_29_0 (proc_abi)) +(typeattributeset proc_asound_29_0 (proc_asound)) +(typeattributeset proc_bluetooth_writable_29_0 (proc_bluetooth_writable)) +(typeattributeset proc_buddyinfo_29_0 (proc_buddyinfo)) +(typeattributeset proc_cmdline_29_0 (proc_cmdline)) +(typeattributeset proc_cpuinfo_29_0 (proc_cpuinfo)) +(typeattributeset proc_dirty_29_0 (proc_dirty)) +(typeattributeset proc_diskstats_29_0 (proc_diskstats)) +(typeattributeset proc_drop_caches_29_0 (proc_drop_caches)) +(typeattributeset processinfo_service_29_0 (processinfo_service)) +(typeattributeset proc_extra_free_kbytes_29_0 (proc_extra_free_kbytes)) +(typeattributeset proc_filesystems_29_0 (proc_filesystems)) +(typeattributeset proc_fs_verity_29_0 (proc_fs_verity)) +(typeattributeset proc_hostname_29_0 (proc_hostname)) +(typeattributeset proc_hung_task_29_0 (proc_hung_task)) +(typeattributeset proc_interrupts_29_0 (proc_interrupts)) +(typeattributeset proc_iomem_29_0 (proc_iomem)) +(typeattributeset proc_keys_29_0 (proc_keys)) +(typeattributeset proc_kmsg_29_0 (proc_kmsg)) +(typeattributeset proc_loadavg_29_0 (proc_loadavg)) +(typeattributeset proc_max_map_count_29_0 (proc_max_map_count)) +(typeattributeset proc_meminfo_29_0 (proc_meminfo)) +(typeattributeset proc_min_free_order_shift_29_0 (proc_min_free_order_shift)) +(typeattributeset proc_misc_29_0 (proc_misc)) +(typeattributeset proc_modules_29_0 (proc_modules)) +(typeattributeset proc_mounts_29_0 (proc_mounts)) +(typeattributeset proc_net_29_0 (proc_net)) +(typeattributeset proc_net_tcp_udp_29_0 (proc_net_tcp_udp)) +(typeattributeset proc_overcommit_memory_29_0 (proc_overcommit_memory)) +(typeattributeset proc_page_cluster_29_0 (proc_page_cluster)) +(typeattributeset proc_pagetypeinfo_29_0 (proc_pagetypeinfo)) 
+(typeattributeset proc_panic_29_0 (proc_panic)) +(typeattributeset proc_perf_29_0 (proc_perf)) +(typeattributeset proc_pid_max_29_0 (proc_pid_max)) +(typeattributeset proc_pipe_conf_29_0 (proc_pipe_conf)) +(typeattributeset proc_pressure_cpu_29_0 (proc_pressure_cpu)) +(typeattributeset proc_pressure_io_29_0 (proc_pressure_io)) +(typeattributeset proc_pressure_mem_29_0 (proc_pressure_mem)) +(typeattributeset proc_qtaguid_ctrl_29_0 (proc_qtaguid_ctrl)) +(typeattributeset proc_qtaguid_stat_29_0 (proc_qtaguid_stat)) +(typeattributeset proc_random_29_0 (proc_random)) +(typeattributeset proc_sched_29_0 (proc_sched)) +(typeattributeset proc_security_29_0 (proc_security)) +(typeattributeset proc_slabinfo_29_0 (proc_slabinfo)) +(typeattributeset proc_stat_29_0 (proc_stat)) +(typeattributeset procstats_service_29_0 (procstats_service)) +(typeattributeset proc_swaps_29_0 (proc_swaps)) +(typeattributeset proc_sysrq_29_0 (proc_sysrq)) +(typeattributeset proc_timer_29_0 (proc_timer)) +(typeattributeset proc_tty_drivers_29_0 (proc_tty_drivers)) +(typeattributeset proc_uid_concurrent_active_time_29_0 (proc_uid_concurrent_active_time)) +(typeattributeset proc_uid_concurrent_policy_time_29_0 (proc_uid_concurrent_policy_time)) +(typeattributeset proc_uid_cpupower_29_0 (proc_uid_cpupower)) +(typeattributeset proc_uid_cputime_removeuid_29_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_29_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_29_0 (proc_uid_io_stats)) +(typeattributeset proc_uid_procstat_set_29_0 (proc_uid_procstat_set)) +(typeattributeset proc_uid_time_in_state_29_0 (proc_uid_time_in_state)) +(typeattributeset proc_uptime_29_0 (proc_uptime)) +(typeattributeset proc_version_29_0 (proc_version)) +(typeattributeset proc_vmallocinfo_29_0 (proc_vmallocinfo)) +(typeattributeset proc_vmstat_29_0 (proc_vmstat)) +(typeattributeset proc_zoneinfo_29_0 (proc_zoneinfo)) +(typeattributeset profman_29_0 (profman)) +(typeattributeset 
profman_dump_data_file_29_0 (profman_dump_data_file)) +(typeattributeset profman_exec_29_0 (profman_exec)) +(typeattributeset properties_device_29_0 (properties_device)) +(typeattributeset properties_serial_29_0 (properties_serial)) +(typeattributeset property_contexts_file_29_0 (property_contexts_file)) +(typeattributeset property_data_file_29_0 (property_data_file)) +(typeattributeset property_info_29_0 (property_info)) +(typeattributeset property_socket_29_0 (property_socket)) +(typeattributeset pstorefs_29_0 (pstorefs)) +(typeattributeset ptmx_device_29_0 (ptmx_device)) +(typeattributeset qtaguid_device_29_0 (qtaguid_device)) +(typeattributeset racoon_29_0 (racoon)) +(typeattributeset racoon_exec_29_0 (racoon_exec)) +(typeattributeset racoon_socket_29_0 (racoon_socket)) +(typeattributeset radio_29_0 (radio)) +(typeattributeset radio_data_file_29_0 (radio_data_file)) +(typeattributeset radio_device_29_0 (radio_device)) +(typeattributeset radio_prop_29_0 (radio_prop)) +(typeattributeset radio_service_29_0 (radio_service)) +(typeattributeset ram_device_29_0 (ram_device)) +(typeattributeset random_device_29_0 (random_device)) +(typeattributeset recovery_29_0 (recovery)) +(typeattributeset recovery_block_device_29_0 (recovery_block_device)) +(typeattributeset recovery_data_file_29_0 (recovery_data_file)) +(typeattributeset recovery_persist_29_0 (recovery_persist)) +(typeattributeset recovery_persist_exec_29_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_29_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_29_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_29_0 (recovery_service)) +(typeattributeset recovery_socket_29_0 (recovery_socket)) +(typeattributeset registry_service_29_0 (registry_service)) +(typeattributeset resourcecache_data_file_29_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_29_0 (restorecon_prop)) +(typeattributeset restrictions_service_29_0 (restrictions_service)) +(typeattributeset 
rild_debug_socket_29_0 (rild_debug_socket)) +(typeattributeset rild_socket_29_0 (rild_socket)) +(typeattributeset ringtone_file_29_0 (ringtone_file)) +(typeattributeset role_service_29_0 (role_service)) +(typeattributeset rollback_service_29_0 (rollback_service)) +(typeattributeset root_block_device_29_0 (root_block_device)) +(typeattributeset rootfs_29_0 (rootfs)) +(typeattributeset rpmsg_device_29_0 (rpmsg_device)) +(typeattributeset rs_29_0 (rs)) +(typeattributeset rs_exec_29_0 (rs_exec)) +(typeattributeset rss_hwm_reset_29_0 (rss_hwm_reset)) +(typeattributeset rtc_device_29_0 (rtc_device)) +(typeattributeset rttmanager_service_29_0 (rttmanager_service)) +(typeattributeset runas_29_0 (runas)) +(typeattributeset runas_app_29_0 (runas_app)) +(typeattributeset runas_exec_29_0 (runas_exec)) +(typeattributeset runtime_event_log_tags_file_29_0 (runtime_event_log_tags_file)) +(typeattributeset runtime_service_29_0 (runtime_service)) +(typeattributeset safemode_prop_29_0 (safemode_prop)) +(typeattributeset same_process_hal_file_29_0 (same_process_hal_file)) +(typeattributeset samplingprofiler_service_29_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_29_0 (scheduling_policy_service)) +(typeattributeset sdcard_block_device_29_0 (sdcard_block_device)) +(typeattributeset sdcardd_29_0 (sdcardd)) +(typeattributeset sdcardd_exec_29_0 (sdcardd_exec)) +(typeattributeset sdcardfs_29_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_29_0 (seapp_contexts_file)) +(typeattributeset search_service_29_0 (search_service)) +(typeattributeset sec_key_att_app_id_provider_service_29_0 (sec_key_att_app_id_provider_service)) +(typeattributeset secure_element_29_0 (secure_element)) +(typeattributeset secure_element_device_29_0 (secure_element_device)) +(typeattributeset secure_element_service_29_0 (secure_element_service)) +(typeattributeset selinuxfs_29_0 (selinuxfs)) +(typeattributeset sensor_privacy_service_29_0 (sensor_privacy_service)) +(typeattributeset 
sensors_device_29_0 (sensors_device)) +(typeattributeset sensorservice_service_29_0 (sensorservice_service)) +(typeattributeset sepolicy_file_29_0 (sepolicy_file)) +(typeattributeset serial_device_29_0 (serial_device)) +(typeattributeset serialno_prop_29_0 (serialno_prop)) +(typeattributeset serial_service_29_0 (serial_service)) +(typeattributeset server_configurable_flags_data_file_29_0 (server_configurable_flags_data_file)) +(typeattributeset service_contexts_file_29_0 (service_contexts_file)) +(typeattributeset servicediscovery_service_29_0 (servicediscovery_service)) +(typeattributeset servicemanager_29_0 (servicemanager)) +(typeattributeset servicemanager_exec_29_0 (servicemanager_exec)) +(typeattributeset settings_service_29_0 (settings_service)) +(typeattributeset sgdisk_29_0 (sgdisk)) +(typeattributeset sgdisk_exec_29_0 (sgdisk_exec)) +(typeattributeset shared_relro_29_0 (shared_relro)) +(typeattributeset shared_relro_file_29_0 (shared_relro_file)) +(typeattributeset shell_29_0 (shell)) +(typeattributeset shell_data_file_29_0 (shell_data_file)) +(typeattributeset shell_exec_29_0 (shell_exec)) +(typeattributeset shell_prop_29_0 (shell_prop)) +(typeattributeset shm_29_0 (shm)) +(typeattributeset shortcut_manager_icons_29_0 (shortcut_manager_icons)) +(typeattributeset shortcut_service_29_0 (shortcut_service)) +(typeattributeset simpleperf_app_runner_29_0 (simpleperf_app_runner)) +(typeattributeset simpleperf_app_runner_exec_29_0 (simpleperf_app_runner_exec)) +(typeattributeset slice_service_29_0 (slice_service)) +(typeattributeset slideshow_29_0 (slideshow)) +(typeattributeset socket_device_29_0 (socket_device)) +(typeattributeset sockfs_29_0 (sockfs)) +(typeattributeset staging_data_file_29_0 (staging_data_file)) +(typeattributeset statsd_29_0 (statsd)) +(typeattributeset stats_data_file_29_0 (stats_data_file)) +(typeattributeset statsd_exec_29_0 (statsd_exec)) +(typeattributeset statsdw_socket_29_0 (statsdw_socket)) +(typeattributeset statusbar_service_29_0 
(statusbar_service)) +(typeattributeset storaged_service_29_0 (storaged_service)) +(typeattributeset storage_file_29_0 (storage_file)) +(typeattributeset storagestats_service_29_0 (storagestats_service)) +(typeattributeset storage_stub_file_29_0 (storage_stub_file)) +(typeattributeset su_29_0 (su)) +(typeattributeset su_exec_29_0 (su_exec)) +(typeattributeset super_block_device_29_0 (super_block_device)) +(typeattributeset surfaceflinger_29_0 (surfaceflinger)) +(typeattributeset surfaceflinger_service_29_0 (surfaceflinger_service)) +(typeattributeset surfaceflinger_tmpfs_29_0 (surfaceflinger_tmpfs)) +(typeattributeset swap_block_device_29_0 (swap_block_device)) +(typeattributeset sysfs_29_0 + ( sysfs + sysfs_ion + sysfs_suspend_stats + sysfs_wakeup)) +(typeattributeset sysfs_android_usb_29_0 (sysfs_android_usb)) +(typeattributeset sysfs_batteryinfo_29_0 (sysfs_batteryinfo)) +(typeattributeset sysfs_bluetooth_writable_29_0 (sysfs_bluetooth_writable)) +(typeattributeset sysfs_devices_block_29_0 (sysfs_devices_block)) +(typeattributeset sysfs_devices_system_cpu_29_0 (sysfs_devices_system_cpu)) +(typeattributeset sysfs_dm_29_0 (sysfs_dm)) +(typeattributeset sysfs_dt_firmware_android_29_0 (sysfs_dt_firmware_android)) +(typeattributeset sysfs_extcon_29_0 (sysfs_extcon)) +(typeattributeset sysfs_fs_ext4_features_29_0 (sysfs_fs_ext4_features)) +(typeattributeset sysfs_fs_f2fs_29_0 (sysfs_fs_f2fs)) +(typeattributeset sysfs_hwrandom_29_0 (sysfs_hwrandom)) +(typeattributeset sysfs_ipv4_29_0 (sysfs_ipv4)) +(typeattributeset sysfs_kernel_notes_29_0 (sysfs_kernel_notes)) +(typeattributeset sysfs_leds_29_0 (sysfs_leds)) +(typeattributeset sysfs_loop_29_0 (sysfs_loop)) +(typeattributeset sysfs_lowmemorykiller_29_0 (sysfs_lowmemorykiller)) +(typeattributeset sysfs_mac_address_29_0 (sysfs_mac_address)) +(typeattributeset sysfs_net_29_0 (sysfs_net)) +(typeattributeset sysfs_nfc_power_writable_29_0 (sysfs_nfc_power_writable)) +(typeattributeset sysfs_power_29_0 (sysfs_power)) 
+(typeattributeset sysfs_rtc_29_0 (sysfs_rtc)) +(typeattributeset sysfs_switch_29_0 (sysfs_switch)) +(typeattributeset sysfs_thermal_29_0 (sysfs_thermal)) +(typeattributeset sysfs_transparent_hugepage_29_0 (sysfs_transparent_hugepage)) +(typeattributeset sysfs_uio_29_0 (sysfs_uio)) +(typeattributeset sysfs_usb_29_0 (sysfs_usb)) +(typeattributeset sysfs_usermodehelper_29_0 (sysfs_usermodehelper)) +(typeattributeset sysfs_vibrator_29_0 (sysfs_vibrator)) +(typeattributeset sysfs_wake_lock_29_0 (sysfs_wake_lock)) +(typeattributeset sysfs_wakeup_reasons_29_0 (sysfs_wakeup_reasons)) +(typeattributeset sysfs_wlan_fwpath_29_0 (sysfs_wlan_fwpath)) +(typeattributeset sysfs_zram_29_0 (sysfs_zram)) +(typeattributeset sysfs_zram_uevent_29_0 (sysfs_zram_uevent)) +(typeattributeset system_app_29_0 (system_app)) +(typeattributeset system_app_data_file_29_0 (system_app_data_file)) +(typeattributeset system_app_service_29_0 (system_app_service)) +(typeattributeset system_asan_options_file_29_0 (system_asan_options_file)) +(typeattributeset system_block_device_29_0 (system_block_device)) +(typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop)) +(typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file)) +(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file)) +(typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file)) +(typeattributeset system_file_29_0 (system_file)) +(typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file)) +(typeattributeset system_lib_file_29_0 (system_lib_file)) +(typeattributeset system_linker_config_file_29_0 (system_linker_config_file)) +(typeattributeset system_linker_exec_29_0 (system_linker_exec)) +(typeattributeset system_lmk_prop_29_0 (system_lmk_prop)) +(typeattributeset system_ndebug_socket_29_0 (system_ndebug_socket)) +(typeattributeset system_net_netd_hwservice_29_0 (system_net_netd_hwservice)) +(typeattributeset system_prop_29_0 (system_prop)) 
+(typeattributeset system_radio_prop_29_0 (system_radio_prop)) +(typeattributeset system_seccomp_policy_file_29_0 (system_seccomp_policy_file)) +(typeattributeset system_security_cacerts_file_29_0 (system_security_cacerts_file)) +(typeattributeset system_server_29_0 (system_server)) +(typeattributeset system_server_tmpfs_29_0 (system_server_tmpfs)) +(typeattributeset system_suspend_control_service_29_0 (system_suspend_control_service)) +(typeattributeset system_suspend_hwservice_29_0 (system_suspend_hwservice)) +(typeattributeset system_trace_prop_29_0 (system_trace_prop)) +(typeattributeset system_update_service_29_0 (system_update_service)) +(typeattributeset system_wifi_keystore_hwservice_29_0 (system_wifi_keystore_hwservice)) +(typeattributeset system_wpa_socket_29_0 (system_wpa_socket)) +(typeattributeset system_zoneinfo_file_29_0 (system_zoneinfo_file)) +(typeattributeset task_profiles_file_29_0 (task_profiles_file)) +(typeattributeset task_service_29_0 (task_service)) +(typeattributeset tcpdump_exec_29_0 (tcpdump_exec)) +(typeattributeset tee_29_0 (tee)) +(typeattributeset tee_data_file_29_0 (tee_data_file)) +(typeattributeset tee_device_29_0 (tee_device)) +(typeattributeset telecom_service_29_0 (telecom_service)) +(typeattributeset test_boot_reason_prop_29_0 (test_boot_reason_prop)) +(typeattributeset test_harness_prop_29_0 (test_harness_prop)) +(typeattributeset testharness_service_29_0 (testharness_service)) +(typeattributeset textclassification_service_29_0 (textclassification_service)) +(typeattributeset textclassifier_data_file_29_0 (textclassifier_data_file)) +(typeattributeset textservices_service_29_0 (textservices_service)) +(typeattributeset thermalcallback_hwservice_29_0 (thermalcallback_hwservice)) +(typeattributeset thermal_service_29_0 (thermal_service)) +(typeattributeset timedetector_service_29_0 (timedetector_service)) +(typeattributeset time_prop_29_0 (time_prop)) +(typeattributeset timezone_service_29_0 (timezone_service)) 
+(typeattributeset tmpfs_29_0 + ( mnt_sdcard_file + tmpfs)) +(typeattributeset tombstoned_29_0 (tombstoned)) +(typeattributeset tombstone_data_file_29_0 (tombstone_data_file)) +(typeattributeset tombstoned_crash_socket_29_0 (tombstoned_crash_socket)) +(typeattributeset tombstoned_exec_29_0 (tombstoned_exec)) +(typeattributeset tombstoned_intercept_socket_29_0 (tombstoned_intercept_socket)) +(typeattributeset tombstoned_java_trace_socket_29_0 (tombstoned_java_trace_socket)) +(typeattributeset tombstone_wifi_data_file_29_0 (tombstone_wifi_data_file)) +(typeattributeset toolbox_29_0 (toolbox)) +(typeattributeset toolbox_exec_29_0 (toolbox_exec)) +(typeattributeset traced_29_0 (traced)) +(typeattributeset trace_data_file_29_0 (trace_data_file)) +(typeattributeset traced_consumer_socket_29_0 (traced_consumer_socket)) +(typeattributeset traced_enabled_prop_29_0 (traced_enabled_prop)) +(typeattributeset traced_lazy_prop_29_0 (traced_lazy_prop)) +(typeattributeset traced_probes_29_0 (traced_probes)) +(typeattributeset traced_producer_socket_29_0 (traced_producer_socket)) +(typeattributeset traceur_app_29_0 (traceur_app)) +(typeattributeset trust_service_29_0 (trust_service)) +(typeattributeset tty_device_29_0 (tty_device)) +(typeattributeset tun_device_29_0 (tun_device)) +(typeattributeset tv_input_service_29_0 (tv_input_service)) +(typeattributeset tzdatacheck_29_0 (tzdatacheck)) +(typeattributeset tzdatacheck_exec_29_0 (tzdatacheck_exec)) +(typeattributeset ueventd_29_0 (ueventd)) +(typeattributeset ueventd_tmpfs_29_0 (ueventd_tmpfs)) +(typeattributeset uhid_device_29_0 (uhid_device)) +(typeattributeset uimode_service_29_0 (uimode_service)) +(typeattributeset uio_device_29_0 (uio_device)) +(typeattributeset uncrypt_29_0 (uncrypt)) +(typeattributeset uncrypt_exec_29_0 (uncrypt_exec)) +(typeattributeset uncrypt_socket_29_0 (uncrypt_socket)) +(typeattributeset unencrypted_data_file_29_0 (unencrypted_data_file)) +(typeattributeset unlabeled_29_0 (unlabeled)) 
+(typeattributeset untrusted_app_25_29_0 (untrusted_app_25)) +(typeattributeset untrusted_app_27_29_0 (untrusted_app_27)) +(typeattributeset untrusted_app_29_0 (untrusted_app)) +(typeattributeset update_engine_29_0 (update_engine)) +(typeattributeset update_engine_data_file_29_0 (update_engine_data_file)) +(typeattributeset update_engine_exec_29_0 (update_engine_exec)) +(typeattributeset update_engine_log_data_file_29_0 (update_engine_log_data_file)) +(typeattributeset update_engine_service_29_0 (update_engine_service)) +(typeattributeset updatelock_service_29_0 (updatelock_service)) +(typeattributeset update_verifier_29_0 (update_verifier)) +(typeattributeset update_verifier_exec_29_0 (update_verifier_exec)) +(typeattributeset uri_grants_service_29_0 (uri_grants_service)) +(typeattributeset usagestats_service_29_0 (usagestats_service)) +(typeattributeset usbaccessory_device_29_0 (usbaccessory_device)) +(typeattributeset usbd_29_0 (usbd)) +(typeattributeset usb_device_29_0 (usb_device)) +(typeattributeset usbd_exec_29_0 (usbd_exec)) +(typeattributeset usbfs_29_0 (usbfs)) +(typeattributeset usb_service_29_0 (usb_service)) +(typeattributeset use_memfd_prop_29_0 (use_memfd_prop)) +(typeattributeset userdata_block_device_29_0 (userdata_block_device)) +(typeattributeset usermodehelper_29_0 (usermodehelper)) +(typeattributeset user_profile_data_file_29_0 (user_profile_data_file)) +(typeattributeset user_service_29_0 (user_service)) +(typeattributeset vdc_29_0 (vdc)) +(typeattributeset vdc_exec_29_0 (vdc_exec)) +(typeattributeset vendor_app_file_29_0 (vendor_app_file)) +(typeattributeset vendor_cgroup_desc_file_29_0 (vendor_cgroup_desc_file)) +(typeattributeset vendor_configs_file_29_0 (vendor_configs_file)) +(typeattributeset vendor_data_file_29_0 (vendor_data_file)) +(typeattributeset vendor_default_prop_29_0 (vendor_default_prop)) +(typeattributeset vendor_file_29_0 (vendor_file)) +(typeattributeset vendor_framework_file_29_0 (vendor_framework_file)) +(typeattributeset 
vendor_hal_file_29_0 (vendor_hal_file)) +(typeattributeset vendor_idc_file_29_0 (vendor_idc_file)) +(typeattributeset vendor_init_29_0 (vendor_init)) +(typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file)) +(typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file)) +(typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file)) +(typeattributeset vendor_public_lib_file_29_0 + ( vendor_public_framework_file + vendor_public_lib_file)) +(typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop)) +(typeattributeset vendor_shell_29_0 (vendor_shell)) +(typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec)) +(typeattributeset vendor_task_profiles_file_29_0 (vendor_task_profiles_file)) +(typeattributeset vendor_toolbox_exec_29_0 (vendor_toolbox_exec)) +(typeattributeset vfat_29_0 (vfat)) +(typeattributeset vibrator_service_29_0 (vibrator_service)) +(typeattributeset video_device_29_0 (video_device)) +(typeattributeset virtual_touchpad_29_0 (virtual_touchpad)) +(typeattributeset virtual_touchpad_exec_29_0 (virtual_touchpad_exec)) +(typeattributeset virtual_touchpad_service_29_0 (virtual_touchpad_service)) +(typeattributeset vndbinder_device_29_0 (vndbinder_device)) +(typeattributeset vndk_sp_file_29_0 (vndk_sp_file)) +(typeattributeset vndservice_contexts_file_29_0 (vndservice_contexts_file)) +(typeattributeset vndservicemanager_29_0 (vndservicemanager)) +(typeattributeset voiceinteraction_service_29_0 (voiceinteraction_service)) +(typeattributeset vold_29_0 (vold)) +(typeattributeset vold_data_file_29_0 (vold_data_file)) +(typeattributeset vold_device_29_0 (vold_device)) +(typeattributeset vold_exec_29_0 (vold_exec)) +(typeattributeset vold_metadata_file_29_0 (vold_metadata_file)) +(typeattributeset vold_prepare_subdirs_29_0 (vold_prepare_subdirs)) +(typeattributeset vold_prepare_subdirs_exec_29_0 (vold_prepare_subdirs_exec)) +(typeattributeset vold_prop_29_0 (vold_prop)) +(typeattributeset vold_service_29_0 
(vold_service)) +(typeattributeset vpn_data_file_29_0 (vpn_data_file)) +(typeattributeset vrflinger_vsync_service_29_0 (vrflinger_vsync_service)) +(typeattributeset vr_hwc_29_0 (vr_hwc)) +(typeattributeset vr_hwc_exec_29_0 (vr_hwc_exec)) +(typeattributeset vr_hwc_service_29_0 (vr_hwc_service)) +(typeattributeset vr_manager_service_29_0 (vr_manager_service)) +(typeattributeset wallpaper_file_29_0 (wallpaper_file)) +(typeattributeset wallpaper_service_29_0 (wallpaper_service)) +(typeattributeset watchdogd_29_0 (watchdogd)) +(typeattributeset watchdog_device_29_0 (watchdog_device)) +(typeattributeset watchdogd_exec_29_0 (watchdogd_exec)) +(typeattributeset webviewupdate_service_29_0 (webviewupdate_service)) +(typeattributeset webview_zygote_29_0 (webview_zygote)) +(typeattributeset webview_zygote_exec_29_0 (webview_zygote_exec)) +(typeattributeset webview_zygote_tmpfs_29_0 (webview_zygote_tmpfs)) +(typeattributeset wifiaware_service_29_0 (wifiaware_service)) +(typeattributeset wificond_29_0 (wificond)) +(typeattributeset wificond_exec_29_0 (wificond_exec)) +(typeattributeset wificond_service_29_0 (wificond_service wifinl80211_service)) +(typeattributeset wifi_data_file_29_0 (wifi_data_file)) +(typeattributeset wifi_log_prop_29_0 (wifi_log_prop)) +(typeattributeset wifip2p_service_29_0 (wifip2p_service)) +(typeattributeset wifi_prop_29_0 (wifi_prop)) +(typeattributeset wifiscanner_service_29_0 (wifiscanner_service)) +(typeattributeset wifi_service_29_0 (wifi_service)) +(typeattributeset window_service_29_0 (window_service)) +(typeattributeset wpantund_29_0 (wpantund)) +(typeattributeset wpantund_exec_29_0 (wpantund_exec)) +(typeattributeset wpantund_service_29_0 (wpantund_service)) +(typeattributeset wpa_socket_29_0 (wpa_socket)) +(typeattributeset zero_device_29_0 (zero_device)) +(typeattributeset zoneinfo_data_file_29_0 (zoneinfo_data_file)) +(typeattributeset zygote_29_0 (zygote)) +(typeattributeset zygote_exec_29_0 (zygote_exec)) +(typeattributeset 
zygote_socket_29_0 (zygote_socket)) +(typeattributeset zygote_tmpfs_29_0 (zygote_tmpfs)) diff --git a/prebuilts/api/32.0/private/compat/29.0/29.0.compat.cil b/prebuilts/api/32.0/private/compat/29.0/29.0.compat.cil new file mode 100644 index 000000000..ccd9d1a05 --- /dev/null +++ b/prebuilts/api/32.0/private/compat/29.0/29.0.compat.cil @@ -0,0 +1,9 @@ +(typeattribute vendordomain) +(typeattributeset vendordomain ((and (domain) ((not (coredomain)))))) +(allow vendordomain self (netlink_route_socket (nlmsg_readpriv))) + +(typeattributeset mlsvendorcompat (and appdomain vendordomain)) +(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir))) +(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads))) +(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir))) +(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads))) diff --git a/prebuilts/api/32.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/32.0/private/compat/29.0/29.0.ignore.cil new file mode 100644 index 000000000..10790468f --- /dev/null +++ b/prebuilts/api/32.0/private/compat/29.0/29.0.ignore.cil 
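Review bot: The `mlsvendorcompat` rules in 29.0.compat.cil carry no comment saying what they are for, even though they are the broadest grant in this snapshot: every vendor app domain (`appdomain` intersected with the non-`coredomain` `vendordomain` defined just above) gets full read/write/create/rename/unlink on `app_data_file` and `privapp_data_file`. A one-line header in the style of the ignore file, such as `;; mlsvendorcompat: vendor app domains built against 29.0 policy keep the app-data access they had before this release; review on each freeze whether it is still needed`, would let whoever audits a later API snapshot judge the grant without reconstructing its history. Presumably this prebuilt is a frozen copy of the non-prebuilt compat file, so the comment belongs in that source with the prebuilt regenerated, not edited here.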
@@ -0,0 +1,130 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ aidl_lazy_test_server
+ aidl_lazy_test_server_exec
+ aidl_lazy_test_service
+ adbd_prop
+ apex_module_data_file
+ apex_permission_data_file
+ apex_rollback_data_file
+ apex_wifi_data_file
+ app_integrity_service
+ app_search_service
+ auth_service
+ automotive_display_service
+ automotive_display_service_exec
+ ashmem_libcutils_device
+ blob_store_service
+ binder_cache_bluetooth_server_prop
+ binder_cache_system_server_prop
+ binder_cache_telephony_server_prop
+ binderfs
+ binderfs_logs
+ binderfs_logs_proc
+ boringssl_self_test
+ bq_config_prop
+ cacheinfo_service
+ charger_prop
+ cold_boot_done_prop
+ credstore
+ credstore_data_file
+ credstore_exec
+ credstore_service
+ platform_compat_service
+ ctl_apexd_prop
+ dataloader_manager_service
+ device_config_storage_native_boot_prop
+ device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
+ device_config_configuration_prop
+ emergency_affordance_service
+ exported_camera_prop
+ fastbootd_protocol_prop
+ file_integrity_service
+ fwk_automotive_display_hwservice
+ fusectlfs
+ gmscore_app
+ gnss_device
+ graphics_config_prop
+ hal_can_bus_hwservice
+ hal_can_controller_hwservice
+ hal_identity_service
+ hal_light_service
+ hal_power_service
+ hal_rebootescrow_service
+ hal_tv_tuner_hwservice
+ hal_vibrator_service
+ incremental_control_file
+ incremental_prop
+ incremental_service
+ init_perf_lsm_hooks_prop
+ init_svc_debug_prop
+ iorap_inode2filename
+ iorap_inode2filename_data_file
+ iorap_inode2filename_exec
+ iorap_inode2filename_tmpfs
+ iorap_prefetcherd
+ iorap_prefetcherd_data_file
+ iorap_prefetcherd_exec
+ iorap_prefetcherd_tmpfs
+ mediatranscoding_service
+ mediatranscoding
+ mediatranscoding_exec
+ mediatranscoding_tmpfs
+ mirror_data_file
+ light_service
+ linkerconfig_file
+ lmkd_prop
+ media_variant_prop
+ metadata_bootstat_file
+ mnt_pass_through_file
+ mock_ota_prop
+ module_sdkextensions_prop
+ ota_metadata_file
+ ota_prop
+ prereboot_data_file
+ art_apex_dir
+ rebootescrow_hal_prop
+ securityfs
+ service_manager_service
+ service_manager_vndservice
+ simpleperf
+ snapshotctl_log_data_file
+ socket_hook_prop
+ soundtrigger_middleware_service
+ staged_install_file
+ storage_config_prop
+ surfaceflinger_display_prop
+ sysfs_dm_verity
+ system_adbd_prop
+ system_config_service
+ system_group_file
+ system_jvmti_agent_prop
+ system_passwd_file
+ system_unsolzygote_socket
+ tethering_service
+ traced_perf
+ traced_perf_enabled_prop
+ traced_perf_socket
+ timezonedetector_service
+ untrusted_app_29
+ usb_serial_device
+ userspace_reboot_config_prop
+ userspace_reboot_exported_prop
+ userspace_reboot_log_prop
+ userspace_reboot_test_prop
+ vehicle_hal_prop
+ tv_tuner_resource_mgr_service
+ vendor_apex_file
+ vendor_boringssl_self_test
+ vendor_install_recovery
+ vendor_install_recovery_exec
+ vendor_service_contexts_file
+ vendor_socket_hook_prop
+ vendor_socket_hook_prop
+ virtual_ab_prop))
diff --git a/prebuilts/api/32.0/private/compat/30.0/30.0.cil b/prebuilts/api/32.0/private/compat/30.0/30.0.cil
new file mode 100644
index 000000000..9f4087668
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/30.0/30.0.cil
@@ -0,0 +1,2266 @@ +;; types removed from current policy +(type cgroup_bpf) +(type exported_audio_prop) +(type exported_dalvik_prop) +(type exported_ffs_prop) +(type exported_fingerprint_prop) +(type exported_system_radio_prop) +(type exported_radio_prop) +(type exported_vold_prop) +(type exported_wifi_prop) +(type exported2_config_prop) +(type exported2_default_prop) +(type exported2_radio_prop) +(type exported2_system_prop) +(type exported2_vold_prop) +(type exported3_default_prop) +(type exported3_radio_prop) +(type ffs_prop) +(type system_radio_prop) +(type thermalcallback_hwservice) + +(typeattribute binder_in_vendor_violators) + +(expandtypeattribute (DockObserver_service_30_0) true) +(expandtypeattribute (IProxyService_service_30_0) true) +(expandtypeattribute (accessibility_service_30_0) true) +(expandtypeattribute (account_service_30_0) true) +(expandtypeattribute (activity_service_30_0) true) +(expandtypeattribute (activity_task_service_30_0) true) +(expandtypeattribute (adb_data_file_30_0) true) +(expandtypeattribute (adb_keys_file_30_0) true) +(expandtypeattribute (adb_service_30_0) true) +(expandtypeattribute (adbd_30_0) true) +(expandtypeattribute (adbd_exec_30_0) true) +(expandtypeattribute (adbd_prop_30_0) true) +(expandtypeattribute (adbd_socket_30_0) true) +(expandtypeattribute (aidl_lazy_test_server_30_0) true) +(expandtypeattribute (aidl_lazy_test_server_exec_30_0) true) +(expandtypeattribute (aidl_lazy_test_service_30_0) true) +(expandtypeattribute (alarm_service_30_0) true) +(expandtypeattribute (anr_data_file_30_0) true) +(expandtypeattribute (apex_data_file_30_0) true) +(expandtypeattribute (apex_metadata_file_30_0) true) +(expandtypeattribute (apex_mnt_dir_30_0) true) +(expandtypeattribute (apex_module_data_file_30_0) true) +(expandtypeattribute (apex_permission_data_file_30_0) true) +(expandtypeattribute (apex_rollback_data_file_30_0) true) +(expandtypeattribute (apex_service_30_0) true) +(expandtypeattribute (apex_wifi_data_file_30_0) 
true) +(expandtypeattribute (apexd_30_0) true) +(expandtypeattribute (apexd_exec_30_0) true) +(expandtypeattribute (apexd_prop_30_0) true) +(expandtypeattribute (apk_data_file_30_0) true) +(expandtypeattribute (apk_private_data_file_30_0) true) +(expandtypeattribute (apk_private_tmp_file_30_0) true) +(expandtypeattribute (apk_tmp_file_30_0) true) +(expandtypeattribute (apk_verity_prop_30_0) true) +(expandtypeattribute (app_binding_service_30_0) true) +(expandtypeattribute (app_data_file_30_0) true) +(expandtypeattribute (app_fuse_file_30_0) true) +(expandtypeattribute (app_fusefs_30_0) true) +(expandtypeattribute (app_integrity_service_30_0) true) +(expandtypeattribute (app_prediction_service_30_0) true) +(expandtypeattribute (app_search_service_30_0) true) +(expandtypeattribute (app_zygote_30_0) true) +(expandtypeattribute (app_zygote_tmpfs_30_0) true) +(expandtypeattribute (appdomain_tmpfs_30_0) true) +(expandtypeattribute (appops_service_30_0) true) +(expandtypeattribute (appwidget_service_30_0) true) +(expandtypeattribute (art_apex_dir_30_0) true) +(expandtypeattribute (asec_apk_file_30_0) true) +(expandtypeattribute (asec_image_file_30_0) true) +(expandtypeattribute (asec_public_file_30_0) true) +(expandtypeattribute (ashmem_device_30_0) true) +(expandtypeattribute (ashmem_libcutils_device_30_0) true) +(expandtypeattribute (assetatlas_service_30_0) true) +(expandtypeattribute (audio_data_file_30_0) true) +(expandtypeattribute (audio_device_30_0) true) +(expandtypeattribute (audio_prop_30_0) true) +(expandtypeattribute (audio_service_30_0) true) +(expandtypeattribute (audiohal_data_file_30_0) true) +(expandtypeattribute (audioserver_30_0) true) +(expandtypeattribute (audioserver_data_file_30_0) true) +(expandtypeattribute (audioserver_service_30_0) true) +(expandtypeattribute (audioserver_tmpfs_30_0) true) +(expandtypeattribute (auth_service_30_0) true) +(expandtypeattribute (autofill_service_30_0) true) +(expandtypeattribute (backup_data_file_30_0) true) 
+(expandtypeattribute (backup_service_30_0) true) +(expandtypeattribute (battery_service_30_0) true) +(expandtypeattribute (batteryproperties_service_30_0) true) +(expandtypeattribute (batterystats_service_30_0) true) +(expandtypeattribute (binder_cache_bluetooth_server_prop_30_0) true) +(expandtypeattribute (binder_cache_system_server_prop_30_0) true) +(expandtypeattribute (binder_cache_telephony_server_prop_30_0) true) +(expandtypeattribute (binder_calls_stats_service_30_0) true) +(expandtypeattribute (binder_device_30_0) true) +(expandtypeattribute (binderfs_30_0) true) +(expandtypeattribute (binderfs_logs_30_0) true) +(expandtypeattribute (binderfs_logs_proc_30_0) true) +(expandtypeattribute (binfmt_miscfs_30_0) true) +(expandtypeattribute (biometric_service_30_0) true) +(expandtypeattribute (blkid_30_0) true) +(expandtypeattribute (blkid_untrusted_30_0) true) +(expandtypeattribute (blob_store_service_30_0) true) +(expandtypeattribute (block_device_30_0) true) +(expandtypeattribute (bluetooth_30_0) true) +(expandtypeattribute (bluetooth_a2dp_offload_prop_30_0) true) +(expandtypeattribute (bluetooth_audio_hal_prop_30_0) true) +(expandtypeattribute (bluetooth_data_file_30_0) true) +(expandtypeattribute (bluetooth_efs_file_30_0) true) +(expandtypeattribute (bluetooth_logs_data_file_30_0) true) +(expandtypeattribute (bluetooth_manager_service_30_0) true) +(expandtypeattribute (bluetooth_prop_30_0) true) +(expandtypeattribute (bluetooth_service_30_0) true) +(expandtypeattribute (bluetooth_socket_30_0) true) +(expandtypeattribute (boot_block_device_30_0) true) +(expandtypeattribute (bootanim_30_0) true) +(expandtypeattribute (bootanim_exec_30_0) true) +(expandtypeattribute (bootchart_data_file_30_0) true) +(expandtypeattribute (bootloader_boot_reason_prop_30_0) true) +(expandtypeattribute (bootstat_30_0) true) +(expandtypeattribute (bootstat_data_file_30_0) true) +(expandtypeattribute (bootstat_exec_30_0) true) +(expandtypeattribute (boottime_prop_30_0) true) 
+(expandtypeattribute (boottime_public_prop_30_0) true) +(expandtypeattribute (boottrace_data_file_30_0) true) +(expandtypeattribute (bpf_progs_loaded_prop_30_0) true) +(expandtypeattribute (bq_config_prop_30_0) true) +(expandtypeattribute (broadcastradio_service_30_0) true) +(expandtypeattribute (bufferhubd_30_0) true) +(expandtypeattribute (bufferhubd_exec_30_0) true) +(expandtypeattribute (bugreport_service_30_0) true) +(expandtypeattribute (cache_backup_file_30_0) true) +(expandtypeattribute (cache_block_device_30_0) true) +(expandtypeattribute (cache_file_30_0) true) +(expandtypeattribute (cache_private_backup_file_30_0) true) +(expandtypeattribute (cache_recovery_file_30_0) true) +(expandtypeattribute (camera_data_file_30_0) true) +(expandtypeattribute (camera_device_30_0) true) +(expandtypeattribute (cameraproxy_service_30_0) true) +(expandtypeattribute (cameraserver_30_0) true) +(expandtypeattribute (cameraserver_exec_30_0) true) +(expandtypeattribute (cameraserver_service_30_0) true) +(expandtypeattribute (cameraserver_tmpfs_30_0) true) +(expandtypeattribute (cgroup_30_0) true) +(expandtypeattribute (cgroup_bpf_30_0) true) +(expandtypeattribute (cgroup_desc_file_30_0) true) +(expandtypeattribute (cgroup_rc_file_30_0) true) +(expandtypeattribute (charger_30_0) true) +(expandtypeattribute (charger_exec_30_0) true) +(expandtypeattribute (charger_prop_30_0) true) +(expandtypeattribute (clipboard_service_30_0) true) +(expandtypeattribute (cold_boot_done_prop_30_0) true) +(expandtypeattribute (color_display_service_30_0) true) +(expandtypeattribute (companion_device_service_30_0) true) +(expandtypeattribute (config_prop_30_0) true) +(expandtypeattribute (configfs_30_0) true) +(expandtypeattribute (connectivity_service_30_0) true) +(expandtypeattribute (connmetrics_service_30_0) true) +(expandtypeattribute (console_device_30_0) true) +(expandtypeattribute (consumer_ir_service_30_0) true) +(expandtypeattribute (content_capture_service_30_0) true) 
+(expandtypeattribute (content_service_30_0) true) +(expandtypeattribute (content_suggestions_service_30_0) true) +(expandtypeattribute (contexthub_service_30_0) true) +(expandtypeattribute (coredump_file_30_0) true) +(expandtypeattribute (country_detector_service_30_0) true) +(expandtypeattribute (coverage_service_30_0) true) +(expandtypeattribute (cppreopt_prop_30_0) true) +(expandtypeattribute (cpu_variant_prop_30_0) true) +(expandtypeattribute (cpuinfo_service_30_0) true) +(expandtypeattribute (crash_dump_30_0) true) +(expandtypeattribute (crash_dump_exec_30_0) true) +(expandtypeattribute (credstore_30_0) true) +(expandtypeattribute (credstore_data_file_30_0) true) +(expandtypeattribute (credstore_exec_30_0) true) +(expandtypeattribute (credstore_service_30_0) true) +(expandtypeattribute (crossprofileapps_service_30_0) true) +(expandtypeattribute (ctl_adbd_prop_30_0) true) +(expandtypeattribute (ctl_apexd_prop_30_0) true) +(expandtypeattribute (ctl_bootanim_prop_30_0) true) +(expandtypeattribute (ctl_bugreport_prop_30_0) true) +(expandtypeattribute (ctl_console_prop_30_0) true) +(expandtypeattribute (ctl_default_prop_30_0) true) +(expandtypeattribute (ctl_dumpstate_prop_30_0) true) +(expandtypeattribute (ctl_fuse_prop_30_0) true) +(expandtypeattribute (ctl_gsid_prop_30_0) true) +(expandtypeattribute (ctl_interface_restart_prop_30_0) true) +(expandtypeattribute (ctl_interface_start_prop_30_0) true) +(expandtypeattribute (ctl_interface_stop_prop_30_0) true) +(expandtypeattribute (ctl_mdnsd_prop_30_0) true) +(expandtypeattribute (ctl_restart_prop_30_0) true) +(expandtypeattribute (ctl_rildaemon_prop_30_0) true) +(expandtypeattribute (ctl_sigstop_prop_30_0) true) +(expandtypeattribute (ctl_start_prop_30_0) true) +(expandtypeattribute (ctl_stop_prop_30_0) true) +(expandtypeattribute (dalvik_prop_30_0) true) +(expandtypeattribute (dalvikcache_data_file_30_0) true) +(expandtypeattribute (dataloader_manager_service_30_0) true) +(expandtypeattribute 
(dbinfo_service_30_0) true) +(expandtypeattribute (debug_prop_30_0) true) +(expandtypeattribute (debugfs_30_0) true) +(expandtypeattribute (debugfs_mmc_30_0) true) +(expandtypeattribute (debugfs_trace_marker_30_0) true) +(expandtypeattribute (debugfs_tracing_30_0) true) +(expandtypeattribute (debugfs_tracing_debug_30_0) true) +(expandtypeattribute (debugfs_tracing_instances_30_0) true) +(expandtypeattribute (debugfs_wakeup_sources_30_0) true) +(expandtypeattribute (debugfs_wifi_tracing_30_0) true) +(expandtypeattribute (debuggerd_prop_30_0) true) +(expandtypeattribute (default_android_hwservice_30_0) true) +(expandtypeattribute (default_android_service_30_0) true) +(expandtypeattribute (default_android_vndservice_30_0) true) +(expandtypeattribute (default_prop_30_0) true) +(expandtypeattribute (dev_cpu_variant_30_0) true) +(expandtypeattribute (device_30_0) true) +(expandtypeattribute (device_config_activity_manager_native_boot_prop_30_0) true) +(expandtypeattribute (device_config_boot_count_prop_30_0) true) +(expandtypeattribute (device_config_configuration_prop_30_0) true) +(expandtypeattribute (device_config_input_native_boot_prop_30_0) true) +(expandtypeattribute (device_config_media_native_prop_30_0) true) +(expandtypeattribute (device_config_netd_native_prop_30_0) true) +(expandtypeattribute (device_config_reset_performed_prop_30_0) true) +(expandtypeattribute (device_config_runtime_native_boot_prop_30_0) true) +(expandtypeattribute (device_config_runtime_native_prop_30_0) true) +(expandtypeattribute (device_config_service_30_0) true) +(expandtypeattribute (device_config_storage_native_boot_prop_30_0) true) +(expandtypeattribute (device_config_sys_traced_prop_30_0) true) +(expandtypeattribute (device_config_window_manager_native_boot_prop_30_0) true) +(expandtypeattribute (device_identifiers_service_30_0) true) +(expandtypeattribute (device_logging_prop_30_0) true) +(expandtypeattribute (device_policy_service_30_0) true) +(expandtypeattribute 
(deviceidle_service_30_0) true) +(expandtypeattribute (devicestoragemonitor_service_30_0) true) +(expandtypeattribute (devpts_30_0) true) +(expandtypeattribute (dhcp_30_0) true) +(expandtypeattribute (dhcp_data_file_30_0) true) +(expandtypeattribute (dhcp_exec_30_0) true) +(expandtypeattribute (dhcp_prop_30_0) true) +(expandtypeattribute (diskstats_service_30_0) true) +(expandtypeattribute (display_service_30_0) true) +(expandtypeattribute (dm_device_30_0) true) +(expandtypeattribute (dnsmasq_30_0) true) +(expandtypeattribute (dnsmasq_exec_30_0) true) +(expandtypeattribute (dnsproxyd_socket_30_0) true) +(expandtypeattribute (dnsresolver_service_30_0) true) +(expandtypeattribute (dreams_service_30_0) true) +(expandtypeattribute (drm_data_file_30_0) true) +(expandtypeattribute (drmserver_30_0) true) +(expandtypeattribute (drmserver_exec_30_0) true) +(expandtypeattribute (drmserver_service_30_0) true) +(expandtypeattribute (drmserver_socket_30_0) true) +(expandtypeattribute (dropbox_data_file_30_0) true) +(expandtypeattribute (dropbox_service_30_0) true) +(expandtypeattribute (dumpstate_30_0) true) +(expandtypeattribute (dumpstate_exec_30_0) true) +(expandtypeattribute (dumpstate_options_prop_30_0) true) +(expandtypeattribute (dumpstate_prop_30_0) true) +(expandtypeattribute (dumpstate_service_30_0) true) +(expandtypeattribute (dumpstate_socket_30_0) true) +(expandtypeattribute (dynamic_system_prop_30_0) true) +(expandtypeattribute (e2fs_30_0) true) +(expandtypeattribute (e2fs_exec_30_0) true) +(expandtypeattribute (efs_file_30_0) true) +(expandtypeattribute (emergency_affordance_service_30_0) true) +(expandtypeattribute (ephemeral_app_30_0) true) +(expandtypeattribute (ethernet_service_30_0) true) +(expandtypeattribute (exfat_30_0) true) +(expandtypeattribute (exported2_config_prop_30_0) true) +(expandtypeattribute (exported2_default_prop_30_0) true) +(expandtypeattribute (exported2_radio_prop_30_0) true) +(expandtypeattribute (exported2_system_prop_30_0) true) 
+(expandtypeattribute (exported2_vold_prop_30_0) true) +(expandtypeattribute (exported3_default_prop_30_0) true) +(expandtypeattribute (exported3_radio_prop_30_0) true) +(expandtypeattribute (exported3_system_prop_30_0) true) +(expandtypeattribute (exported_audio_prop_30_0) true) +(expandtypeattribute (exported_bluetooth_prop_30_0) true) +(expandtypeattribute (exported_camera_prop_30_0) true) +(expandtypeattribute (exported_config_prop_30_0) true) +(expandtypeattribute (exported_dalvik_prop_30_0) true) +(expandtypeattribute (exported_default_prop_30_0) true) +(expandtypeattribute (exported_dumpstate_prop_30_0) true) +(expandtypeattribute (exported_ffs_prop_30_0) true) +(expandtypeattribute (exported_fingerprint_prop_30_0) true) +(expandtypeattribute (exported_overlay_prop_30_0) true) +(expandtypeattribute (exported_pm_prop_30_0) true) +(expandtypeattribute (exported_radio_prop_30_0) true) +(expandtypeattribute (exported_secure_prop_30_0) true) +(expandtypeattribute (exported_system_prop_30_0) true) +(expandtypeattribute (exported_system_radio_prop_30_0) true) +(expandtypeattribute (exported_vold_prop_30_0) true) +(expandtypeattribute (exported_wifi_prop_30_0) true) +(expandtypeattribute (external_vibrator_service_30_0) true) +(expandtypeattribute (face_service_30_0) true) +(expandtypeattribute (face_vendor_data_file_30_0) true) +(expandtypeattribute (fastbootd_30_0) true) +(expandtypeattribute (ffs_prop_30_0) true) +(expandtypeattribute (file_contexts_file_30_0) true) +(expandtypeattribute (file_integrity_service_30_0) true) +(expandtypeattribute (fingerprint_service_30_0) true) +(expandtypeattribute (fingerprint_vendor_data_file_30_0) true) +(expandtypeattribute (fingerprintd_30_0) true) +(expandtypeattribute (fingerprintd_data_file_30_0) true) +(expandtypeattribute (fingerprintd_exec_30_0) true) +(expandtypeattribute (fingerprintd_service_30_0) true) +(expandtypeattribute (firstboot_prop_30_0) true) +(expandtypeattribute (flags_health_check_30_0) true) 
+(expandtypeattribute (flags_health_check_exec_30_0) true) +(expandtypeattribute (font_service_30_0) true) +(expandtypeattribute (frp_block_device_30_0) true) +(expandtypeattribute (fs_bpf_30_0) true) +(expandtypeattribute (fsck_30_0) true) +(expandtypeattribute (fsck_exec_30_0) true) +(expandtypeattribute (fsck_untrusted_30_0) true) +(expandtypeattribute (fscklogs_30_0) true) +(expandtypeattribute (functionfs_30_0) true) +(expandtypeattribute (fuse_30_0) true) +(expandtypeattribute (fuse_device_30_0) true) +(expandtypeattribute (fwk_automotive_display_hwservice_30_0) true) +(expandtypeattribute (fwk_bufferhub_hwservice_30_0) true) +(expandtypeattribute (fwk_camera_hwservice_30_0) true) +(expandtypeattribute (fwk_display_hwservice_30_0) true) +(expandtypeattribute (fwk_scheduler_hwservice_30_0) true) +(expandtypeattribute (fwk_sensor_hwservice_30_0) true) +(expandtypeattribute (fwk_stats_hwservice_30_0) true) +(expandtypeattribute (fwmarkd_socket_30_0) true) +(expandtypeattribute (gatekeeper_data_file_30_0) true) +(expandtypeattribute (gatekeeper_service_30_0) true) +(expandtypeattribute (gatekeeperd_30_0) true) +(expandtypeattribute (gatekeeperd_exec_30_0) true) +(expandtypeattribute (gfxinfo_service_30_0) true) +(expandtypeattribute (gmscore_app_30_0) true) +(expandtypeattribute (gps_control_30_0) true) +(expandtypeattribute (gpu_device_30_0) true) +(expandtypeattribute (gpu_service_30_0) true) +(expandtypeattribute (gpuservice_30_0) true) +(expandtypeattribute (graphics_device_30_0) true) +(expandtypeattribute (graphicsstats_service_30_0) true) +(expandtypeattribute (gsi_data_file_30_0) true) +(expandtypeattribute (gsi_metadata_file_30_0) true) +(expandtypeattribute (gsid_prop_30_0) true) +(expandtypeattribute (hal_atrace_hwservice_30_0) true) +(expandtypeattribute (hal_audio_hwservice_30_0) true) +(expandtypeattribute (hal_audiocontrol_hwservice_30_0) true) +(expandtypeattribute (hal_authsecret_hwservice_30_0) true) +(expandtypeattribute 
(hal_bluetooth_hwservice_30_0) true) +(expandtypeattribute (hal_bootctl_hwservice_30_0) true) +(expandtypeattribute (hal_broadcastradio_hwservice_30_0) true) +(expandtypeattribute (hal_camera_hwservice_30_0) true) +(expandtypeattribute (hal_can_bus_hwservice_30_0) true) +(expandtypeattribute (hal_can_controller_hwservice_30_0) true) +(expandtypeattribute (hal_cas_hwservice_30_0) true) +(expandtypeattribute (hal_codec2_hwservice_30_0) true) +(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_30_0) true) +(expandtypeattribute (hal_confirmationui_hwservice_30_0) true) +(expandtypeattribute (hal_contexthub_hwservice_30_0) true) +(expandtypeattribute (hal_drm_hwservice_30_0) true) +(expandtypeattribute (hal_dumpstate_hwservice_30_0) true) +(expandtypeattribute (hal_evs_hwservice_30_0) true) +(expandtypeattribute (hal_face_hwservice_30_0) true) +(expandtypeattribute (hal_fingerprint_hwservice_30_0) true) +(expandtypeattribute (hal_fingerprint_service_30_0) true) +(expandtypeattribute (hal_gatekeeper_hwservice_30_0) true) +(expandtypeattribute (hal_gnss_hwservice_30_0) true) +(expandtypeattribute (hal_graphics_allocator_hwservice_30_0) true) +(expandtypeattribute (hal_graphics_composer_hwservice_30_0) true) +(expandtypeattribute (hal_graphics_composer_server_tmpfs_30_0) true) +(expandtypeattribute (hal_graphics_mapper_hwservice_30_0) true) +(expandtypeattribute (hal_health_hwservice_30_0) true) +(expandtypeattribute (hal_health_storage_hwservice_30_0) true) +(expandtypeattribute (hal_identity_service_30_0) true) +(expandtypeattribute (hal_input_classifier_hwservice_30_0) true) +(expandtypeattribute (hal_ir_hwservice_30_0) true) +(expandtypeattribute (hal_keymaster_hwservice_30_0) true) +(expandtypeattribute (hal_light_hwservice_30_0) true) +(expandtypeattribute (hal_light_service_30_0) true) +(expandtypeattribute (hal_lowpan_hwservice_30_0) true) +(expandtypeattribute (hal_memtrack_hwservice_30_0) true) +(expandtypeattribute (hal_neuralnetworks_hwservice_30_0) 
true) +(expandtypeattribute (hal_nfc_hwservice_30_0) true) +(expandtypeattribute (hal_oemlock_hwservice_30_0) true) +(expandtypeattribute (hal_omx_hwservice_30_0) true) +(expandtypeattribute (hal_power_hwservice_30_0) true) +(expandtypeattribute (hal_power_service_30_0) true) +(expandtypeattribute (hal_power_stats_hwservice_30_0) true) +(expandtypeattribute (hal_rebootescrow_service_30_0) true) +(expandtypeattribute (hal_renderscript_hwservice_30_0) true) +(expandtypeattribute (hal_secure_element_hwservice_30_0) true) +(expandtypeattribute (hal_sensors_hwservice_30_0) true) +(expandtypeattribute (hal_telephony_hwservice_30_0) true) +(expandtypeattribute (hal_tetheroffload_hwservice_30_0) true) +(expandtypeattribute (hal_thermal_hwservice_30_0) true) +(expandtypeattribute (hal_tv_cec_hwservice_30_0) true) +(expandtypeattribute (hal_tv_input_hwservice_30_0) true) +(expandtypeattribute (hal_tv_tuner_hwservice_30_0) true) +(expandtypeattribute (hal_usb_gadget_hwservice_30_0) true) +(expandtypeattribute (hal_usb_hwservice_30_0) true) +(expandtypeattribute (hal_vehicle_hwservice_30_0) true) +(expandtypeattribute (hal_vibrator_hwservice_30_0) true) +(expandtypeattribute (hal_vibrator_service_30_0) true) +(expandtypeattribute (hal_vr_hwservice_30_0) true) +(expandtypeattribute (hal_weaver_hwservice_30_0) true) +(expandtypeattribute (hal_wifi_hostapd_hwservice_30_0) true) +(expandtypeattribute (hal_wifi_hwservice_30_0) true) +(expandtypeattribute (hal_wifi_supplicant_hwservice_30_0) true) +(expandtypeattribute (hardware_properties_service_30_0) true) +(expandtypeattribute (hardware_service_30_0) true) +(expandtypeattribute (hci_attach_dev_30_0) true) +(expandtypeattribute (hdmi_control_service_30_0) true) +(expandtypeattribute (healthd_30_0) true) +(expandtypeattribute (healthd_exec_30_0) true) +(expandtypeattribute (heapdump_data_file_30_0) true) +(expandtypeattribute (heapprofd_30_0) true) +(expandtypeattribute (heapprofd_enabled_prop_30_0) true) +(expandtypeattribute 
(heapprofd_prop_30_0) true) +(expandtypeattribute (heapprofd_socket_30_0) true) +(expandtypeattribute (hidl_allocator_hwservice_30_0) true) +(expandtypeattribute (hidl_base_hwservice_30_0) true) +(expandtypeattribute (hidl_manager_hwservice_30_0) true) +(expandtypeattribute (hidl_memory_hwservice_30_0) true) +(expandtypeattribute (hidl_token_hwservice_30_0) true) +(expandtypeattribute (hw_random_device_30_0) true) +(expandtypeattribute (hwbinder_device_30_0) true) +(expandtypeattribute (hwservice_contexts_file_30_0) true) +(expandtypeattribute (hwservicemanager_30_0) true) +(expandtypeattribute (hwservicemanager_exec_30_0) true) +(expandtypeattribute (hwservicemanager_prop_30_0) true) +(expandtypeattribute (icon_file_30_0) true) +(expandtypeattribute (idmap_30_0) true) +(expandtypeattribute (idmap_exec_30_0) true) +(expandtypeattribute (idmap_service_30_0) true) +(expandtypeattribute (iio_device_30_0) true) +(expandtypeattribute (imms_service_30_0) true) +(expandtypeattribute (incident_30_0) true) +(expandtypeattribute (incident_data_file_30_0) true) +(expandtypeattribute (incident_helper_30_0) true) +(expandtypeattribute (incident_service_30_0) true) +(expandtypeattribute (incidentd_30_0) true) +(expandtypeattribute (incremental_control_file_30_0) true) +(expandtypeattribute (incremental_prop_30_0) true) +(expandtypeattribute (incremental_service_30_0) true) +(expandtypeattribute (init_30_0) true) +(expandtypeattribute (init_exec_30_0) true) +(expandtypeattribute (init_perf_lsm_hooks_prop_30_0) true) +(expandtypeattribute (init_svc_debug_prop_30_0) true) +(expandtypeattribute (init_tmpfs_30_0) true) +(expandtypeattribute (inotify_30_0) true) +(expandtypeattribute (input_device_30_0) true) +(expandtypeattribute (input_method_service_30_0) true) +(expandtypeattribute (input_service_30_0) true) +(expandtypeattribute (inputflinger_30_0) true) +(expandtypeattribute (inputflinger_exec_30_0) true) +(expandtypeattribute (inputflinger_service_30_0) true) 
+(expandtypeattribute (install_data_file_30_0) true) +(expandtypeattribute (installd_30_0) true) +(expandtypeattribute (installd_exec_30_0) true) +(expandtypeattribute (installd_service_30_0) true) +(expandtypeattribute (ion_device_30_0) true) +(expandtypeattribute (iorap_inode2filename_30_0) true) +(expandtypeattribute (iorap_inode2filename_exec_30_0) true) +(expandtypeattribute (iorap_inode2filename_tmpfs_30_0) true) +(expandtypeattribute (iorap_prefetcherd_30_0) true) +(expandtypeattribute (iorap_prefetcherd_exec_30_0) true) +(expandtypeattribute (iorap_prefetcherd_tmpfs_30_0) true) +(expandtypeattribute (iorapd_30_0) true) +(expandtypeattribute (iorapd_data_file_30_0) true) +(expandtypeattribute (iorapd_exec_30_0) true) +(expandtypeattribute (iorapd_service_30_0) true) +(expandtypeattribute (iorapd_tmpfs_30_0) true) +(expandtypeattribute (ipsec_service_30_0) true) +(expandtypeattribute (iris_service_30_0) true) +(expandtypeattribute (iris_vendor_data_file_30_0) true) +(expandtypeattribute (isolated_app_30_0) true) +(expandtypeattribute (jobscheduler_service_30_0) true) +(expandtypeattribute (kernel_30_0) true) +(expandtypeattribute (keychain_data_file_30_0) true) +(expandtypeattribute (keychord_device_30_0) true) +(expandtypeattribute (keystore_30_0) true) +(expandtypeattribute (keystore_data_file_30_0) true) +(expandtypeattribute (keystore_exec_30_0) true) +(expandtypeattribute (keystore_service_30_0) true) +(expandtypeattribute (kmsg_debug_device_30_0) true) +(expandtypeattribute (kmsg_device_30_0) true) +(expandtypeattribute (labeledfs_30_0) true) +(expandtypeattribute (last_boot_reason_prop_30_0) true) +(expandtypeattribute (launcherapps_service_30_0) true) +(expandtypeattribute (light_service_30_0) true) +(expandtypeattribute (linkerconfig_file_30_0) true) +(expandtypeattribute (llkd_30_0) true) +(expandtypeattribute (llkd_exec_30_0) true) +(expandtypeattribute (llkd_prop_30_0) true) +(expandtypeattribute (lmkd_30_0) true) +(expandtypeattribute 
(lmkd_exec_30_0) true) +(expandtypeattribute (lmkd_prop_30_0) true) +(expandtypeattribute (lmkd_socket_30_0) true) +(expandtypeattribute (location_service_30_0) true) +(expandtypeattribute (lock_settings_service_30_0) true) +(expandtypeattribute (log_prop_30_0) true) +(expandtypeattribute (log_tag_prop_30_0) true) +(expandtypeattribute (logcat_exec_30_0) true) +(expandtypeattribute (logd_30_0) true) +(expandtypeattribute (logd_exec_30_0) true) +(expandtypeattribute (logd_prop_30_0) true) +(expandtypeattribute (logd_socket_30_0) true) +(expandtypeattribute (logdr_socket_30_0) true) +(expandtypeattribute (logdw_socket_30_0) true) +(expandtypeattribute (logpersist_30_0) true) +(expandtypeattribute (logpersistd_logging_prop_30_0) true) +(expandtypeattribute (loop_control_device_30_0) true) +(expandtypeattribute (loop_device_30_0) true) +(expandtypeattribute (looper_stats_service_30_0) true) +(expandtypeattribute (lowpan_device_30_0) true) +(expandtypeattribute (lowpan_prop_30_0) true) +(expandtypeattribute (lowpan_service_30_0) true) +(expandtypeattribute (lpdump_service_30_0) true) +(expandtypeattribute (lpdumpd_prop_30_0) true) +(expandtypeattribute (mac_perms_file_30_0) true) +(expandtypeattribute (mdns_socket_30_0) true) +(expandtypeattribute (mdnsd_30_0) true) +(expandtypeattribute (mdnsd_socket_30_0) true) +(expandtypeattribute (media_data_file_30_0) true) +(expandtypeattribute (media_projection_service_30_0) true) +(expandtypeattribute (media_router_service_30_0) true) +(expandtypeattribute (media_rw_data_file_30_0) true) +(expandtypeattribute (media_session_service_30_0) true) +(expandtypeattribute (media_variant_prop_30_0) true) +(expandtypeattribute (mediadrmserver_30_0) true) +(expandtypeattribute (mediadrmserver_exec_30_0) true) +(expandtypeattribute (mediadrmserver_service_30_0) true) +(expandtypeattribute (mediaextractor_30_0) true) +(expandtypeattribute (mediaextractor_exec_30_0) true) +(expandtypeattribute (mediaextractor_service_30_0) true) 
+(expandtypeattribute (mediaextractor_tmpfs_30_0) true) +(expandtypeattribute (mediametrics_30_0) true) +(expandtypeattribute (mediametrics_exec_30_0) true) +(expandtypeattribute (mediametrics_service_30_0) true) +(expandtypeattribute (mediaprovider_30_0) true) +(expandtypeattribute (mediaserver_30_0) true) +(expandtypeattribute (mediaserver_exec_30_0) true) +(expandtypeattribute (mediaserver_service_30_0) true) +(expandtypeattribute (mediaserver_tmpfs_30_0) true) +(expandtypeattribute (mediaswcodec_30_0) true) +(expandtypeattribute (mediaswcodec_exec_30_0) true) +(expandtypeattribute (mediatranscoding_30_0) true) +(expandtypeattribute (mediatranscoding_exec_30_0) true) +(expandtypeattribute (mediatranscoding_service_30_0) true) +(expandtypeattribute (meminfo_service_30_0) true) +(expandtypeattribute (metadata_block_device_30_0) true) +(expandtypeattribute (metadata_bootstat_file_30_0) true) +(expandtypeattribute (metadata_file_30_0) true) +(expandtypeattribute (method_trace_data_file_30_0) true) +(expandtypeattribute (midi_service_30_0) true) +(expandtypeattribute (mirror_data_file_30_0) true) +(expandtypeattribute (misc_block_device_30_0) true) +(expandtypeattribute (misc_logd_file_30_0) true) +(expandtypeattribute (misc_user_data_file_30_0) true) +(expandtypeattribute (mmc_prop_30_0) true) +(expandtypeattribute (mnt_expand_file_30_0) true) +(expandtypeattribute (mnt_media_rw_file_30_0) true) +(expandtypeattribute (mnt_media_rw_stub_file_30_0) true) +(expandtypeattribute (mnt_pass_through_file_30_0) true) +(expandtypeattribute (mnt_product_file_30_0) true) +(expandtypeattribute (mnt_sdcard_file_30_0) true) +(expandtypeattribute (mnt_user_file_30_0) true) +(expandtypeattribute (mnt_vendor_file_30_0) true) +(expandtypeattribute (mock_ota_prop_30_0) true) +(expandtypeattribute (modprobe_30_0) true) +(expandtypeattribute (module_sdkextensions_prop_30_0) true) +(expandtypeattribute (mount_service_30_0) true) +(expandtypeattribute (mqueue_30_0) true) 
+(expandtypeattribute (mtp_30_0) true) +(expandtypeattribute (mtp_device_30_0) true) +(expandtypeattribute (mtp_exec_30_0) true) +(expandtypeattribute (mtpd_socket_30_0) true) +(expandtypeattribute (nativetest_data_file_30_0) true) +(expandtypeattribute (net_data_file_30_0) true) +(expandtypeattribute (net_dns_prop_30_0) true) +(expandtypeattribute (net_radio_prop_30_0) true) +(expandtypeattribute (netd_30_0) true) +(expandtypeattribute (netd_exec_30_0) true) +(expandtypeattribute (netd_listener_service_30_0) true) +(expandtypeattribute (netd_service_30_0) true) +(expandtypeattribute (netd_stable_secret_prop_30_0) true) +(expandtypeattribute (netif_30_0) true) +(expandtypeattribute (netpolicy_service_30_0) true) +(expandtypeattribute (netstats_service_30_0) true) +(expandtypeattribute (netutils_wrapper_30_0) true) +(expandtypeattribute (netutils_wrapper_exec_30_0) true) +(expandtypeattribute (network_management_service_30_0) true) +(expandtypeattribute (network_score_service_30_0) true) +(expandtypeattribute (network_stack_30_0) true) +(expandtypeattribute (network_stack_service_30_0) true) +(expandtypeattribute (network_time_update_service_30_0) true) +(expandtypeattribute (network_watchlist_data_file_30_0) true) +(expandtypeattribute (network_watchlist_service_30_0) true) +(expandtypeattribute (nfc_30_0) true) +(expandtypeattribute (nfc_data_file_30_0) true) +(expandtypeattribute (nfc_device_30_0) true) +(expandtypeattribute (nfc_prop_30_0) true) +(expandtypeattribute (nfc_service_30_0) true) +(expandtypeattribute (nnapi_ext_deny_product_prop_30_0) true) +(expandtypeattribute (node_30_0) true) +(expandtypeattribute (nonplat_service_contexts_file_30_0) true) +(expandtypeattribute (notification_service_30_0) true) +(expandtypeattribute (null_device_30_0) true) +(expandtypeattribute (oem_lock_service_30_0) true) +(expandtypeattribute (oemfs_30_0) true) +(expandtypeattribute (ota_data_file_30_0) true) +(expandtypeattribute (ota_metadata_file_30_0) true) 
+(expandtypeattribute (ota_package_file_30_0) true) +(expandtypeattribute (ota_prop_30_0) true) +(expandtypeattribute (otadexopt_service_30_0) true) +(expandtypeattribute (overlay_prop_30_0) true) +(expandtypeattribute (overlay_service_30_0) true) +(expandtypeattribute (overlayfs_file_30_0) true) +(expandtypeattribute (owntty_device_30_0) true) +(expandtypeattribute (package_native_service_30_0) true) +(expandtypeattribute (package_service_30_0) true) +(expandtypeattribute (packages_list_file_30_0) true) +(expandtypeattribute (pan_result_prop_30_0) true) +(expandtypeattribute (password_slot_metadata_file_30_0) true) +(expandtypeattribute (pdx_bufferhub_client_channel_socket_30_0) true) +(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_30_0) true) +(expandtypeattribute (pdx_bufferhub_dir_30_0) true) +(expandtypeattribute (pdx_display_client_channel_socket_30_0) true) +(expandtypeattribute (pdx_display_client_endpoint_socket_30_0) true) +(expandtypeattribute (pdx_display_dir_30_0) true) +(expandtypeattribute (pdx_display_manager_channel_socket_30_0) true) +(expandtypeattribute (pdx_display_manager_endpoint_socket_30_0) true) +(expandtypeattribute (pdx_display_screenshot_channel_socket_30_0) true) +(expandtypeattribute (pdx_display_screenshot_endpoint_socket_30_0) true) +(expandtypeattribute (pdx_display_vsync_channel_socket_30_0) true) +(expandtypeattribute (pdx_display_vsync_endpoint_socket_30_0) true) +(expandtypeattribute (pdx_performance_client_channel_socket_30_0) true) +(expandtypeattribute (pdx_performance_client_endpoint_socket_30_0) true) +(expandtypeattribute (pdx_performance_dir_30_0) true) +(expandtypeattribute (perfetto_30_0) true) +(expandtypeattribute (performanced_30_0) true) +(expandtypeattribute (performanced_exec_30_0) true) +(expandtypeattribute (permission_service_30_0) true) +(expandtypeattribute (permissionmgr_service_30_0) true) +(expandtypeattribute (persist_debug_prop_30_0) true) +(expandtypeattribute 
(persistent_data_block_service_30_0) true) +(expandtypeattribute (persistent_properties_ready_prop_30_0) true) +(expandtypeattribute (pinner_service_30_0) true) +(expandtypeattribute (pipefs_30_0) true) +(expandtypeattribute (platform_app_30_0) true) +(expandtypeattribute (platform_compat_service_30_0) true) +(expandtypeattribute (pm_prop_30_0) true) +(expandtypeattribute (pmsg_device_30_0) true) +(expandtypeattribute (port_30_0) true) +(expandtypeattribute (port_device_30_0) true) +(expandtypeattribute (postinstall_30_0) true) +(expandtypeattribute (postinstall_apex_mnt_dir_30_0) true) +(expandtypeattribute (postinstall_file_30_0) true) +(expandtypeattribute (postinstall_mnt_dir_30_0) true) +(expandtypeattribute (power_service_30_0) true) +(expandtypeattribute (powerctl_prop_30_0) true) +(expandtypeattribute (ppp_30_0) true) +(expandtypeattribute (ppp_device_30_0) true) +(expandtypeattribute (ppp_exec_30_0) true) +(expandtypeattribute (preloads_data_file_30_0) true) +(expandtypeattribute (preloads_media_file_30_0) true) +(expandtypeattribute (prereboot_data_file_30_0) true) +(expandtypeattribute (print_service_30_0) true) +(expandtypeattribute (priv_app_30_0) true) +(expandtypeattribute (privapp_data_file_30_0) true) +(expandtypeattribute (proc_30_0) true) +(expandtypeattribute (proc_abi_30_0) true) +(expandtypeattribute (proc_asound_30_0) true) +(expandtypeattribute (proc_bluetooth_writable_30_0) true) +(expandtypeattribute (proc_buddyinfo_30_0) true) +(expandtypeattribute (proc_cmdline_30_0) true) +(expandtypeattribute (proc_cpuinfo_30_0) true) +(expandtypeattribute (proc_dirty_30_0) true) +(expandtypeattribute (proc_diskstats_30_0) true) +(expandtypeattribute (proc_drop_caches_30_0) true) +(expandtypeattribute (proc_extra_free_kbytes_30_0) true) +(expandtypeattribute (proc_filesystems_30_0) true) +(expandtypeattribute (proc_fs_verity_30_0) true) +(expandtypeattribute (proc_hostname_30_0) true) +(expandtypeattribute (proc_hung_task_30_0) true) 
+(expandtypeattribute (proc_interrupts_30_0) true) +(expandtypeattribute (proc_iomem_30_0) true) +(expandtypeattribute (proc_keys_30_0) true) +(expandtypeattribute (proc_kmsg_30_0) true) +(expandtypeattribute (proc_kpageflags_30_0) true) +(expandtypeattribute (proc_loadavg_30_0) true) +(expandtypeattribute (proc_lowmemorykiller_30_0) true) +(expandtypeattribute (proc_max_map_count_30_0) true) +(expandtypeattribute (proc_meminfo_30_0) true) +(expandtypeattribute (proc_min_free_order_shift_30_0) true) +(expandtypeattribute (proc_misc_30_0) true) +(expandtypeattribute (proc_modules_30_0) true) +(expandtypeattribute (proc_mounts_30_0) true) +(expandtypeattribute (proc_net_30_0) true) +(expandtypeattribute (proc_net_tcp_udp_30_0) true) +(expandtypeattribute (proc_overcommit_memory_30_0) true) +(expandtypeattribute (proc_page_cluster_30_0) true) +(expandtypeattribute (proc_pagetypeinfo_30_0) true) +(expandtypeattribute (proc_panic_30_0) true) +(expandtypeattribute (proc_perf_30_0) true) +(expandtypeattribute (proc_pid_max_30_0) true) +(expandtypeattribute (proc_pipe_conf_30_0) true) +(expandtypeattribute (proc_pressure_cpu_30_0) true) +(expandtypeattribute (proc_pressure_io_30_0) true) +(expandtypeattribute (proc_pressure_mem_30_0) true) +(expandtypeattribute (proc_qtaguid_ctrl_30_0) true) +(expandtypeattribute (proc_qtaguid_stat_30_0) true) +(expandtypeattribute (proc_random_30_0) true) +(expandtypeattribute (proc_sched_30_0) true) +(expandtypeattribute (proc_security_30_0) true) +(expandtypeattribute (proc_slabinfo_30_0) true) +(expandtypeattribute (proc_stat_30_0) true) +(expandtypeattribute (proc_swaps_30_0) true) +(expandtypeattribute (proc_sysrq_30_0) true) +(expandtypeattribute (proc_timer_30_0) true) +(expandtypeattribute (proc_tty_drivers_30_0) true) +(expandtypeattribute (proc_uid_concurrent_active_time_30_0) true) +(expandtypeattribute (proc_uid_concurrent_policy_time_30_0) true) +(expandtypeattribute (proc_uid_cpupower_30_0) true) +(expandtypeattribute 
(proc_uid_cputime_removeuid_30_0) true) +(expandtypeattribute (proc_uid_cputime_showstat_30_0) true) +(expandtypeattribute (proc_uid_io_stats_30_0) true) +(expandtypeattribute (proc_uid_procstat_set_30_0) true) +(expandtypeattribute (proc_uid_time_in_state_30_0) true) +(expandtypeattribute (proc_uptime_30_0) true) +(expandtypeattribute (proc_version_30_0) true) +(expandtypeattribute (proc_vmallocinfo_30_0) true) +(expandtypeattribute (proc_vmstat_30_0) true) +(expandtypeattribute (proc_zoneinfo_30_0) true) +(expandtypeattribute (processinfo_service_30_0) true) +(expandtypeattribute (procstats_service_30_0) true) +(expandtypeattribute (profman_30_0) true) +(expandtypeattribute (profman_dump_data_file_30_0) true) +(expandtypeattribute (profman_exec_30_0) true) +(expandtypeattribute (properties_device_30_0) true) +(expandtypeattribute (properties_serial_30_0) true) +(expandtypeattribute (property_contexts_file_30_0) true) +(expandtypeattribute (property_data_file_30_0) true) +(expandtypeattribute (property_info_30_0) true) +(expandtypeattribute (property_socket_30_0) true) +(expandtypeattribute (pstorefs_30_0) true) +(expandtypeattribute (ptmx_device_30_0) true) +(expandtypeattribute (qtaguid_device_30_0) true) +(expandtypeattribute (racoon_30_0) true) +(expandtypeattribute (racoon_exec_30_0) true) +(expandtypeattribute (racoon_socket_30_0) true) +(expandtypeattribute (radio_30_0) true) +(expandtypeattribute (radio_data_file_30_0) true) +(expandtypeattribute (radio_device_30_0) true) +(expandtypeattribute (radio_prop_30_0) true) +(expandtypeattribute (radio_service_30_0) true) +(expandtypeattribute (ram_device_30_0) true) +(expandtypeattribute (random_device_30_0) true) +(expandtypeattribute (rebootescrow_hal_prop_30_0) true) +(expandtypeattribute (recovery_30_0) true) +(expandtypeattribute (recovery_block_device_30_0) true) +(expandtypeattribute (recovery_data_file_30_0) true) +(expandtypeattribute (recovery_persist_30_0) true) +(expandtypeattribute 
(recovery_persist_exec_30_0) true) +(expandtypeattribute (recovery_refresh_30_0) true) +(expandtypeattribute (recovery_refresh_exec_30_0) true) +(expandtypeattribute (recovery_service_30_0) true) +(expandtypeattribute (recovery_socket_30_0) true) +(expandtypeattribute (registry_service_30_0) true) +(expandtypeattribute (resourcecache_data_file_30_0) true) +(expandtypeattribute (restorecon_prop_30_0) true) +(expandtypeattribute (restrictions_service_30_0) true) +(expandtypeattribute (rild_debug_socket_30_0) true) +(expandtypeattribute (rild_socket_30_0) true) +(expandtypeattribute (ringtone_file_30_0) true) +(expandtypeattribute (role_service_30_0) true) +(expandtypeattribute (rollback_service_30_0) true) +(expandtypeattribute (root_block_device_30_0) true) +(expandtypeattribute (rootfs_30_0) true) +(expandtypeattribute (rpmsg_device_30_0) true) +(expandtypeattribute (rs_30_0) true) +(expandtypeattribute (rs_exec_30_0) true) +(expandtypeattribute (rss_hwm_reset_30_0) true) +(expandtypeattribute (rtc_device_30_0) true) +(expandtypeattribute (rttmanager_service_30_0) true) +(expandtypeattribute (runas_30_0) true) +(expandtypeattribute (runas_app_30_0) true) +(expandtypeattribute (runas_exec_30_0) true) +(expandtypeattribute (runtime_event_log_tags_file_30_0) true) +(expandtypeattribute (runtime_service_30_0) true) +(expandtypeattribute (safemode_prop_30_0) true) +(expandtypeattribute (same_process_hal_file_30_0) true) +(expandtypeattribute (samplingprofiler_service_30_0) true) +(expandtypeattribute (scheduling_policy_service_30_0) true) +(expandtypeattribute (sdcard_block_device_30_0) true) +(expandtypeattribute (sdcardd_30_0) true) +(expandtypeattribute (sdcardd_exec_30_0) true) +(expandtypeattribute (sdcardfs_30_0) true) +(expandtypeattribute (seapp_contexts_file_30_0) true) +(expandtypeattribute (search_service_30_0) true) +(expandtypeattribute (sec_key_att_app_id_provider_service_30_0) true) +(expandtypeattribute (secure_element_30_0) true) +(expandtypeattribute 
(secure_element_device_30_0) true) +(expandtypeattribute (secure_element_service_30_0) true) +(expandtypeattribute (securityfs_30_0) true) +(expandtypeattribute (selinuxfs_30_0) true) +(expandtypeattribute (sensor_privacy_service_30_0) true) +(expandtypeattribute (sensors_device_30_0) true) +(expandtypeattribute (sensorservice_service_30_0) true) +(expandtypeattribute (sepolicy_file_30_0) true) +(expandtypeattribute (serial_device_30_0) true) +(expandtypeattribute (serial_service_30_0) true) +(expandtypeattribute (serialno_prop_30_0) true) +(expandtypeattribute (server_configurable_flags_data_file_30_0) true) +(expandtypeattribute (service_contexts_file_30_0) true) +(expandtypeattribute (service_manager_service_30_0) true) +(expandtypeattribute (service_manager_vndservice_30_0) true) +(expandtypeattribute (servicediscovery_service_30_0) true) +(expandtypeattribute (servicemanager_30_0) true) +(expandtypeattribute (servicemanager_exec_30_0) true) +(expandtypeattribute (settings_service_30_0) true) +(expandtypeattribute (sgdisk_30_0) true) +(expandtypeattribute (sgdisk_exec_30_0) true) +(expandtypeattribute (shared_relro_30_0) true) +(expandtypeattribute (shared_relro_file_30_0) true) +(expandtypeattribute (shell_30_0) true) +(expandtypeattribute (shell_data_file_30_0) true) +(expandtypeattribute (shell_exec_30_0) true) +(expandtypeattribute (shell_prop_30_0) true) +(expandtypeattribute (shm_30_0) true) +(expandtypeattribute (shortcut_manager_icons_30_0) true) +(expandtypeattribute (shortcut_service_30_0) true) +(expandtypeattribute (simpleperf_30_0) true) +(expandtypeattribute (simpleperf_app_runner_30_0) true) +(expandtypeattribute (simpleperf_app_runner_exec_30_0) true) +(expandtypeattribute (slice_service_30_0) true) +(expandtypeattribute (slideshow_30_0) true) +(expandtypeattribute (snapshotctl_log_data_file_30_0) true) +(expandtypeattribute (socket_device_30_0) true) +(expandtypeattribute (socket_hook_prop_30_0) true) +(expandtypeattribute (sockfs_30_0) true) 
+(expandtypeattribute (sota_prop_30_0) true) +(expandtypeattribute (soundtrigger_middleware_service_30_0) true) +(expandtypeattribute (staging_data_file_30_0) true) +(expandtypeattribute (stats_data_file_30_0) true) +(expandtypeattribute (statsd_30_0) true) +(expandtypeattribute (statsd_exec_30_0) true) +(expandtypeattribute (statsdw_socket_30_0) true) +(expandtypeattribute (statusbar_service_30_0) true) +(expandtypeattribute (storage_config_prop_30_0) true) +(expandtypeattribute (storage_file_30_0) true) +(expandtypeattribute (storage_stub_file_30_0) true) +(expandtypeattribute (storaged_service_30_0) true) +(expandtypeattribute (storagestats_service_30_0) true) +(expandtypeattribute (su_30_0) true) +(expandtypeattribute (su_exec_30_0) true) +(expandtypeattribute (super_block_device_30_0) true) +(expandtypeattribute (surfaceflinger_30_0) true) +(expandtypeattribute (surfaceflinger_service_30_0) true) +(expandtypeattribute (surfaceflinger_tmpfs_30_0) true) +(expandtypeattribute (swap_block_device_30_0) true) +(expandtypeattribute (sysfs_30_0) true) +(expandtypeattribute (sysfs_android_usb_30_0) true) +(expandtypeattribute (sysfs_batteryinfo_30_0) true) +(expandtypeattribute (sysfs_bluetooth_writable_30_0) true) +(expandtypeattribute (sysfs_devices_block_30_0) true) +(expandtypeattribute (sysfs_devices_system_cpu_30_0) true) +(expandtypeattribute (sysfs_dm_30_0) true) +(expandtypeattribute (sysfs_dm_verity_30_0) true) +(expandtypeattribute (sysfs_dt_firmware_android_30_0) true) +(expandtypeattribute (sysfs_extcon_30_0) true) +(expandtypeattribute (sysfs_fs_ext4_features_30_0) true) +(expandtypeattribute (sysfs_fs_f2fs_30_0) true) +(expandtypeattribute (sysfs_hwrandom_30_0) true) +(expandtypeattribute (sysfs_ion_30_0) true) +(expandtypeattribute (sysfs_ipv4_30_0) true) +(expandtypeattribute (sysfs_kernel_notes_30_0) true) +(expandtypeattribute (sysfs_leds_30_0) true) +(expandtypeattribute (sysfs_loop_30_0) true) +(expandtypeattribute (sysfs_lowmemorykiller_30_0) 
true) +(expandtypeattribute (sysfs_net_30_0) true) +(expandtypeattribute (sysfs_nfc_power_writable_30_0) true) +(expandtypeattribute (sysfs_power_30_0) true) +(expandtypeattribute (sysfs_rtc_30_0) true) +(expandtypeattribute (sysfs_suspend_stats_30_0) true) +(expandtypeattribute (sysfs_switch_30_0) true) +(expandtypeattribute (sysfs_thermal_30_0) true) +(expandtypeattribute (sysfs_transparent_hugepage_30_0) true) +(expandtypeattribute (sysfs_uio_30_0) true) +(expandtypeattribute (sysfs_usb_30_0) true) +(expandtypeattribute (sysfs_usermodehelper_30_0) true) +(expandtypeattribute (sysfs_vibrator_30_0) true) +(expandtypeattribute (sysfs_wake_lock_30_0) true) +(expandtypeattribute (sysfs_wakeup_30_0) true) +(expandtypeattribute (sysfs_wakeup_reasons_30_0) true) +(expandtypeattribute (sysfs_wlan_fwpath_30_0) true) +(expandtypeattribute (sysfs_zram_30_0) true) +(expandtypeattribute (sysfs_zram_uevent_30_0) true) +(expandtypeattribute (system_adbd_prop_30_0) true) +(expandtypeattribute (system_app_30_0) true) +(expandtypeattribute (system_app_data_file_30_0) true) +(expandtypeattribute (system_app_service_30_0) true) +(expandtypeattribute (system_asan_options_file_30_0) true) +(expandtypeattribute (system_block_device_30_0) true) +(expandtypeattribute (system_boot_reason_prop_30_0) true) +(expandtypeattribute (system_bootstrap_lib_file_30_0) true) +(expandtypeattribute (system_config_service_30_0) true) +(expandtypeattribute (system_data_file_30_0) true) +(expandtypeattribute (system_data_root_file_30_0) true) +(expandtypeattribute (system_event_log_tags_file_30_0) true) +(expandtypeattribute (system_file_30_0) true) +(expandtypeattribute (system_group_file_30_0) true) +(expandtypeattribute (system_jvmti_agent_prop_30_0) true) +(expandtypeattribute (system_lib_file_30_0) true) +(expandtypeattribute (system_linker_config_file_30_0) true) +(expandtypeattribute (system_linker_exec_30_0) true) +(expandtypeattribute (system_lmk_prop_30_0) true) +(expandtypeattribute 
(system_ndebug_socket_30_0) true) +(expandtypeattribute (system_net_netd_hwservice_30_0) true) +(expandtypeattribute (system_passwd_file_30_0) true) +(expandtypeattribute (system_prop_30_0) true) +(expandtypeattribute (system_radio_prop_30_0) true) +(expandtypeattribute (system_seccomp_policy_file_30_0) true) +(expandtypeattribute (system_security_cacerts_file_30_0) true) +(expandtypeattribute (system_server_30_0) true) +(expandtypeattribute (system_server_tmpfs_30_0) true) +(expandtypeattribute (system_suspend_control_service_30_0) true) +(expandtypeattribute (system_suspend_hwservice_30_0) true) +(expandtypeattribute (system_trace_prop_30_0) true) +(expandtypeattribute (system_unsolzygote_socket_30_0) true) +(expandtypeattribute (system_update_service_30_0) true) +(expandtypeattribute (system_wifi_keystore_hwservice_30_0) true) +(expandtypeattribute (system_wpa_socket_30_0) true) +(expandtypeattribute (system_zoneinfo_file_30_0) true) +(expandtypeattribute (systemkeys_data_file_30_0) true) +(expandtypeattribute (task_profiles_file_30_0) true) +(expandtypeattribute (task_service_30_0) true) +(expandtypeattribute (tcpdump_exec_30_0) true) +(expandtypeattribute (tee_30_0) true) +(expandtypeattribute (tee_data_file_30_0) true) +(expandtypeattribute (tee_device_30_0) true) +(expandtypeattribute (telecom_service_30_0) true) +(expandtypeattribute (test_boot_reason_prop_30_0) true) +(expandtypeattribute (test_harness_prop_30_0) true) +(expandtypeattribute (testharness_service_30_0) true) +(expandtypeattribute (tethering_service_30_0) true) +(expandtypeattribute (textclassification_service_30_0) true) +(expandtypeattribute (textclassifier_data_file_30_0) true) +(expandtypeattribute (textservices_service_30_0) true) +(expandtypeattribute (theme_prop_30_0) true) +(expandtypeattribute (thermal_service_30_0) true) +(expandtypeattribute (thermalcallback_hwservice_30_0) true) +(expandtypeattribute (time_prop_30_0) true) +(expandtypeattribute (timedetector_service_30_0) true) 
+(expandtypeattribute (timezone_service_30_0) true) +(expandtypeattribute (timezonedetector_service_30_0) true) +(expandtypeattribute (tmpfs_30_0) true) +(expandtypeattribute (tombstone_data_file_30_0) true) +(expandtypeattribute (tombstone_wifi_data_file_30_0) true) +(expandtypeattribute (tombstoned_30_0) true) +(expandtypeattribute (tombstoned_crash_socket_30_0) true) +(expandtypeattribute (tombstoned_exec_30_0) true) +(expandtypeattribute (tombstoned_intercept_socket_30_0) true) +(expandtypeattribute (tombstoned_java_trace_socket_30_0) true) +(expandtypeattribute (toolbox_30_0) true) +(expandtypeattribute (toolbox_exec_30_0) true) +(expandtypeattribute (trace_data_file_30_0) true) +(expandtypeattribute (traced_30_0) true) +(expandtypeattribute (traced_consumer_socket_30_0) true) +(expandtypeattribute (traced_enabled_prop_30_0) true) +(expandtypeattribute (traced_lazy_prop_30_0) true) +(expandtypeattribute (traced_perf_30_0) true) +(expandtypeattribute (traced_perf_enabled_prop_30_0) true) +(expandtypeattribute (traced_perf_socket_30_0) true) +(expandtypeattribute (traced_probes_30_0) true) +(expandtypeattribute (traced_producer_socket_30_0) true) +(expandtypeattribute (traceur_app_30_0) true) +(expandtypeattribute (trust_service_30_0) true) +(expandtypeattribute (tty_device_30_0) true) +(expandtypeattribute (tun_device_30_0) true) +(expandtypeattribute (tv_input_service_30_0) true) +(expandtypeattribute (tv_tuner_resource_mgr_service_30_0) true) +(expandtypeattribute (tzdatacheck_30_0) true) +(expandtypeattribute (tzdatacheck_exec_30_0) true) +(expandtypeattribute (ueventd_30_0) true) +(expandtypeattribute (ueventd_tmpfs_30_0) true) +(expandtypeattribute (uhid_device_30_0) true) +(expandtypeattribute (uimode_service_30_0) true) +(expandtypeattribute (uio_device_30_0) true) +(expandtypeattribute (uncrypt_30_0) true) +(expandtypeattribute (uncrypt_exec_30_0) true) +(expandtypeattribute (uncrypt_socket_30_0) true) +(expandtypeattribute (unencrypted_data_file_30_0) 
true) +(expandtypeattribute (unlabeled_30_0) true) +(expandtypeattribute (untrusted_app_25_30_0) true) +(expandtypeattribute (untrusted_app_27_30_0) true) +(expandtypeattribute (untrusted_app_29_30_0) true) +(expandtypeattribute (untrusted_app_30_0) true) +(expandtypeattribute (update_engine_30_0) true) +(expandtypeattribute (update_engine_data_file_30_0) true) +(expandtypeattribute (update_engine_exec_30_0) true) +(expandtypeattribute (update_engine_log_data_file_30_0) true) +(expandtypeattribute (update_engine_service_30_0) true) +(expandtypeattribute (update_verifier_30_0) true) +(expandtypeattribute (update_verifier_exec_30_0) true) +(expandtypeattribute (updatelock_service_30_0) true) +(expandtypeattribute (uri_grants_service_30_0) true) +(expandtypeattribute (usagestats_service_30_0) true) +(expandtypeattribute (usb_device_30_0) true) +(expandtypeattribute (usb_serial_device_30_0) true) +(expandtypeattribute (usb_service_30_0) true) +(expandtypeattribute (usbaccessory_device_30_0) true) +(expandtypeattribute (usbd_30_0) true) +(expandtypeattribute (usbd_exec_30_0) true) +(expandtypeattribute (usbfs_30_0) true) +(expandtypeattribute (use_memfd_prop_30_0) true) +(expandtypeattribute (user_profile_data_file_30_0) true) +(expandtypeattribute (user_service_30_0) true) +(expandtypeattribute (userdata_block_device_30_0) true) +(expandtypeattribute (usermodehelper_30_0) true) +(expandtypeattribute (userspace_reboot_config_prop_30_0) true) +(expandtypeattribute (userspace_reboot_exported_prop_30_0) true) +(expandtypeattribute (userspace_reboot_log_prop_30_0) true) +(expandtypeattribute (userspace_reboot_test_prop_30_0) true) +(expandtypeattribute (vdc_30_0) true) +(expandtypeattribute (vdc_exec_30_0) true) +(expandtypeattribute (vehicle_hal_prop_30_0) true) +(expandtypeattribute (vendor_apex_file_30_0) true) +(expandtypeattribute (vendor_app_file_30_0) true) +(expandtypeattribute (vendor_cgroup_desc_file_30_0) true) +(expandtypeattribute (vendor_configs_file_30_0) 
true) +(expandtypeattribute (vendor_data_file_30_0) true) +(expandtypeattribute (vendor_default_prop_30_0) true) +(expandtypeattribute (vendor_file_30_0) true) +(expandtypeattribute (vendor_framework_file_30_0) true) +(expandtypeattribute (vendor_hal_file_30_0) true) +(expandtypeattribute (vendor_idc_file_30_0) true) +(expandtypeattribute (vendor_init_30_0) true) +(expandtypeattribute (vendor_keychars_file_30_0) true) +(expandtypeattribute (vendor_keylayout_file_30_0) true) +(expandtypeattribute (vendor_misc_writer_30_0) true) +(expandtypeattribute (vendor_misc_writer_exec_30_0) true) +(expandtypeattribute (vendor_overlay_file_30_0) true) +(expandtypeattribute (vendor_public_lib_file_30_0) true) +(expandtypeattribute (vendor_security_patch_level_prop_30_0) true) +(expandtypeattribute (vendor_shell_30_0) true) +(expandtypeattribute (vendor_shell_exec_30_0) true) +(expandtypeattribute (vendor_socket_hook_prop_30_0) true) +(expandtypeattribute (vendor_task_profiles_file_30_0) true) +(expandtypeattribute (vendor_toolbox_exec_30_0) true) +(expandtypeattribute (vfat_30_0) true) +(expandtypeattribute (vibrator_service_30_0) true) +(expandtypeattribute (video_device_30_0) true) +(expandtypeattribute (virtual_ab_prop_30_0) true) +(expandtypeattribute (virtual_touchpad_30_0) true) +(expandtypeattribute (virtual_touchpad_exec_30_0) true) +(expandtypeattribute (virtual_touchpad_service_30_0) true) +(expandtypeattribute (vndbinder_device_30_0) true) +(expandtypeattribute (vndk_prop_30_0) true) +(expandtypeattribute (vndk_sp_file_30_0) true) +(expandtypeattribute (vndservice_contexts_file_30_0) true) +(expandtypeattribute (vndservicemanager_30_0) true) +(expandtypeattribute (voiceinteraction_service_30_0) true) +(expandtypeattribute (vold_30_0) true) +(expandtypeattribute (vold_data_file_30_0) true) +(expandtypeattribute (vold_device_30_0) true) +(expandtypeattribute (vold_exec_30_0) true) +(expandtypeattribute (vold_metadata_file_30_0) true) +(expandtypeattribute 
(vold_prepare_subdirs_30_0) true) +(expandtypeattribute (vold_prepare_subdirs_exec_30_0) true) +(expandtypeattribute (vold_prop_30_0) true) +(expandtypeattribute (vold_service_30_0) true) +(expandtypeattribute (vpn_data_file_30_0) true) +(expandtypeattribute (vr_hwc_30_0) true) +(expandtypeattribute (vr_hwc_exec_30_0) true) +(expandtypeattribute (vr_hwc_service_30_0) true) +(expandtypeattribute (vr_manager_service_30_0) true) +(expandtypeattribute (vrflinger_vsync_service_30_0) true) +(expandtypeattribute (wallpaper_file_30_0) true) +(expandtypeattribute (wallpaper_service_30_0) true) +(expandtypeattribute (watchdog_device_30_0) true) +(expandtypeattribute (watchdogd_30_0) true) +(expandtypeattribute (watchdogd_exec_30_0) true) +(expandtypeattribute (webview_zygote_30_0) true) +(expandtypeattribute (webview_zygote_exec_30_0) true) +(expandtypeattribute (webview_zygote_tmpfs_30_0) true) +(expandtypeattribute (webviewupdate_service_30_0) true) +(expandtypeattribute (wifi_data_file_30_0) true) +(expandtypeattribute (wifi_log_prop_30_0) true) +(expandtypeattribute (wifi_prop_30_0) true) +(expandtypeattribute (wifi_service_30_0) true) +(expandtypeattribute (wifiaware_service_30_0) true) +(expandtypeattribute (wificond_30_0) true) +(expandtypeattribute (wificond_exec_30_0) true) +(expandtypeattribute (wifinl80211_service_30_0) true) +(expandtypeattribute (wifip2p_service_30_0) true) +(expandtypeattribute (wifiscanner_service_30_0) true) +(expandtypeattribute (window_service_30_0) true) +(expandtypeattribute (wpa_socket_30_0) true) +(expandtypeattribute (wpantund_30_0) true) +(expandtypeattribute (wpantund_exec_30_0) true) +(expandtypeattribute (wpantund_service_30_0) true) +(expandtypeattribute (zero_device_30_0) true) +(expandtypeattribute (zoneinfo_data_file_30_0) true) +(expandtypeattribute (zygote_30_0) true) +(expandtypeattribute (zygote_exec_30_0) true) +(expandtypeattribute (zygote_socket_30_0) true) +(expandtypeattribute (zygote_tmpfs_30_0) true) 
+(typeattributeset DockObserver_service_30_0 (DockObserver_service)) +(typeattributeset IProxyService_service_30_0 (IProxyService_service)) +(typeattributeset accessibility_service_30_0 (accessibility_service)) +(typeattributeset account_service_30_0 (account_service)) +(typeattributeset activity_service_30_0 (activity_service)) +(typeattributeset activity_task_service_30_0 (activity_task_service)) +(typeattributeset adb_data_file_30_0 (adb_data_file)) +(typeattributeset adb_keys_file_30_0 (adb_keys_file)) +(typeattributeset adb_service_30_0 (adb_service)) +(typeattributeset adbd_30_0 (adbd)) +(typeattributeset adbd_exec_30_0 (adbd_exec)) +(typeattributeset adbd_prop_30_0 (adbd_prop)) +(typeattributeset adbd_socket_30_0 (adbd_socket)) +(typeattributeset aidl_lazy_test_server_30_0 (aidl_lazy_test_server)) +(typeattributeset aidl_lazy_test_server_exec_30_0 (aidl_lazy_test_server_exec)) +(typeattributeset aidl_lazy_test_service_30_0 (aidl_lazy_test_service)) +(typeattributeset alarm_service_30_0 (alarm_service)) +(typeattributeset anr_data_file_30_0 (anr_data_file)) +(typeattributeset apex_data_file_30_0 (apex_data_file)) +(typeattributeset apex_metadata_file_30_0 (apex_metadata_file)) +(typeattributeset apex_mnt_dir_30_0 (apex_mnt_dir)) +(typeattributeset apex_module_data_file_30_0 (apex_module_data_file)) +(typeattributeset apex_permission_data_file_30_0 (apex_permission_data_file)) +(typeattributeset apex_rollback_data_file_30_0 (apex_rollback_data_file)) +(typeattributeset apex_service_30_0 (apex_service)) +(typeattributeset apex_wifi_data_file_30_0 (apex_wifi_data_file)) +(typeattributeset apexd_30_0 (apexd)) +(typeattributeset apexd_exec_30_0 (apexd_exec)) +(typeattributeset apexd_prop_30_0 (apexd_prop)) +(typeattributeset apk_data_file_30_0 (apk_data_file)) +(typeattributeset apk_private_data_file_30_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_30_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_30_0 (apk_tmp_file)) 
+(typeattributeset apk_verity_prop_30_0 (apk_verity_prop)) +(typeattributeset app_binding_service_30_0 (app_binding_service)) +(typeattributeset app_data_file_30_0 (app_data_file)) +(typeattributeset app_fuse_file_30_0 (app_fuse_file)) +(typeattributeset app_fusefs_30_0 (app_fusefs)) +(typeattributeset app_integrity_service_30_0 (app_integrity_service)) +(typeattributeset app_prediction_service_30_0 (app_prediction_service)) +(typeattributeset app_search_service_30_0 (app_search_service)) +(typeattributeset app_zygote_30_0 (app_zygote)) +(typeattributeset app_zygote_tmpfs_30_0 (app_zygote_tmpfs)) +(typeattributeset appdomain_tmpfs_30_0 (appdomain_tmpfs)) +(typeattributeset appops_service_30_0 (appops_service)) +(typeattributeset appwidget_service_30_0 (appwidget_service)) +(typeattributeset art_apex_dir_30_0 (art_apex_dir)) +(typeattributeset asec_apk_file_30_0 (asec_apk_file)) +(typeattributeset asec_image_file_30_0 (asec_image_file)) +(typeattributeset asec_public_file_30_0 (asec_public_file)) +(typeattributeset ashmem_device_30_0 (ashmem_device)) +(typeattributeset ashmem_libcutils_device_30_0 (ashmem_libcutils_device)) +(typeattributeset assetatlas_service_30_0 (assetatlas_service)) +(typeattributeset audio_data_file_30_0 (audio_data_file)) +(typeattributeset audio_device_30_0 (audio_device)) +(typeattributeset audio_prop_30_0 (audio_prop)) +(typeattributeset audio_service_30_0 (audio_service)) +(typeattributeset audiohal_data_file_30_0 (audiohal_data_file)) +(typeattributeset audioserver_30_0 (audioserver)) +(typeattributeset audioserver_data_file_30_0 (audioserver_data_file)) +(typeattributeset audioserver_service_30_0 (audioserver_service)) +(typeattributeset audioserver_tmpfs_30_0 (audioserver_tmpfs)) +(typeattributeset auth_service_30_0 (auth_service)) +(typeattributeset autofill_service_30_0 (autofill_service)) +(typeattributeset backup_data_file_30_0 (backup_data_file)) +(typeattributeset backup_service_30_0 (backup_service)) +(typeattributeset 
battery_service_30_0 (battery_service)) +(typeattributeset batteryproperties_service_30_0 (batteryproperties_service)) +(typeattributeset batterystats_service_30_0 (batterystats_service)) +(typeattributeset binder_cache_bluetooth_server_prop_30_0 (binder_cache_bluetooth_server_prop)) +(typeattributeset binder_cache_system_server_prop_30_0 (binder_cache_system_server_prop)) +(typeattributeset binder_cache_telephony_server_prop_30_0 (binder_cache_telephony_server_prop)) +(typeattributeset binder_calls_stats_service_30_0 (binder_calls_stats_service)) +(typeattributeset binder_device_30_0 (binder_device)) +(typeattributeset binderfs_30_0 (binderfs)) +(typeattributeset binderfs_logs_30_0 (binderfs_logs)) +(typeattributeset binderfs_logs_proc_30_0 (binderfs_logs_proc)) +(typeattributeset binfmt_miscfs_30_0 (binfmt_miscfs)) +(typeattributeset biometric_service_30_0 (biometric_service)) +(typeattributeset blkid_30_0 (blkid)) +(typeattributeset blkid_untrusted_30_0 (blkid_untrusted)) +(typeattributeset blob_store_service_30_0 (blob_store_service)) +(typeattributeset block_device_30_0 (block_device)) +(typeattributeset bluetooth_30_0 (bluetooth)) +(typeattributeset bluetooth_a2dp_offload_prop_30_0 (bluetooth_a2dp_offload_prop)) +(typeattributeset bluetooth_audio_hal_prop_30_0 (bluetooth_audio_hal_prop)) +(typeattributeset bluetooth_data_file_30_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_30_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_30_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_30_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_30_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_30_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_30_0 (bluetooth_socket)) +(typeattributeset boot_block_device_30_0 (boot_block_device)) +(typeattributeset bootanim_30_0 (bootanim)) +(typeattributeset bootanim_exec_30_0 (bootanim_exec)) +(typeattributeset bootchart_data_file_30_0 
(bootchart_data_file)) +(typeattributeset bootloader_boot_reason_prop_30_0 (bootloader_boot_reason_prop)) +(typeattributeset bootstat_30_0 (bootstat)) +(typeattributeset bootstat_data_file_30_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_30_0 (bootstat_exec)) +(typeattributeset boottime_prop_30_0 (boottime_prop)) +(typeattributeset boottime_public_prop_30_0 (boottime_public_prop)) +(typeattributeset boottrace_data_file_30_0 (boottrace_data_file)) +(typeattributeset bpf_progs_loaded_prop_30_0 (bpf_progs_loaded_prop)) +(typeattributeset bq_config_prop_30_0 (bq_config_prop)) +(typeattributeset broadcastradio_service_30_0 (broadcastradio_service)) +(typeattributeset bufferhubd_30_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_30_0 (bufferhubd_exec)) +(typeattributeset bugreport_service_30_0 (bugreport_service)) +(typeattributeset cache_backup_file_30_0 (cache_backup_file)) +(typeattributeset cache_block_device_30_0 (cache_block_device)) +(typeattributeset cache_file_30_0 (cache_file)) +(typeattributeset cache_private_backup_file_30_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_30_0 (cache_recovery_file)) +(typeattributeset camera_data_file_30_0 (camera_data_file)) +(typeattributeset camera_device_30_0 (camera_device)) +(typeattributeset cameraproxy_service_30_0 (cameraproxy_service)) +(typeattributeset cameraserver_30_0 (cameraserver)) +(typeattributeset cameraserver_exec_30_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_30_0 (cameraserver_service)) +(typeattributeset cameraserver_tmpfs_30_0 (cameraserver_tmpfs)) +(typeattributeset cgroup_30_0 (cgroup)) +(typeattributeset cgroup_bpf_30_0 (cgroup_bpf)) +(typeattributeset cgroup_desc_file_30_0 (cgroup_desc_file)) +(typeattributeset cgroup_rc_file_30_0 (cgroup_rc_file)) +(typeattributeset charger_30_0 (charger)) +(typeattributeset charger_exec_30_0 (charger_exec)) +(typeattributeset charger_prop_30_0 (charger_prop)) +(typeattributeset clipboard_service_30_0 
(clipboard_service)) +(typeattributeset cold_boot_done_prop_30_0 (cold_boot_done_prop)) +(typeattributeset color_display_service_30_0 (color_display_service)) +(typeattributeset companion_device_service_30_0 (companion_device_service)) +(typeattributeset config_prop_30_0 (config_prop)) +(typeattributeset configfs_30_0 (configfs)) +(typeattributeset connectivity_service_30_0 (connectivity_service)) +(typeattributeset connmetrics_service_30_0 (connmetrics_service)) +(typeattributeset console_device_30_0 (console_device)) +(typeattributeset consumer_ir_service_30_0 (consumer_ir_service)) +(typeattributeset content_capture_service_30_0 (content_capture_service)) +(typeattributeset content_service_30_0 (content_service)) +(typeattributeset content_suggestions_service_30_0 (content_suggestions_service)) +(typeattributeset contexthub_service_30_0 (contexthub_service)) +(typeattributeset coredump_file_30_0 (coredump_file)) +(typeattributeset country_detector_service_30_0 (country_detector_service)) +(typeattributeset coverage_service_30_0 (coverage_service)) +(typeattributeset cppreopt_prop_30_0 (cppreopt_prop)) +(typeattributeset cpu_variant_prop_30_0 (cpu_variant_prop)) +(typeattributeset cpuinfo_service_30_0 (cpuinfo_service)) +(typeattributeset crash_dump_30_0 (crash_dump)) +(typeattributeset crash_dump_exec_30_0 (crash_dump_exec)) +(typeattributeset credstore_30_0 (credstore)) +(typeattributeset credstore_data_file_30_0 (credstore_data_file)) +(typeattributeset credstore_exec_30_0 (credstore_exec)) +(typeattributeset credstore_service_30_0 (credstore_service)) +(typeattributeset crossprofileapps_service_30_0 (crossprofileapps_service)) +(typeattributeset ctl_adbd_prop_30_0 (ctl_adbd_prop)) +(typeattributeset ctl_apexd_prop_30_0 (ctl_apexd_prop)) +(typeattributeset ctl_bootanim_prop_30_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_30_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_30_0 (ctl_console_prop)) +(typeattributeset 
ctl_default_prop_30_0 (ctl_default_prop)) +(typeattributeset ctl_dumpstate_prop_30_0 (ctl_dumpstate_prop)) +(typeattributeset ctl_fuse_prop_30_0 (ctl_fuse_prop)) +(typeattributeset ctl_gsid_prop_30_0 (ctl_gsid_prop)) +(typeattributeset ctl_interface_restart_prop_30_0 (ctl_interface_restart_prop)) +(typeattributeset ctl_interface_start_prop_30_0 (ctl_interface_start_prop)) +(typeattributeset ctl_interface_stop_prop_30_0 (ctl_interface_stop_prop)) +(typeattributeset ctl_mdnsd_prop_30_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_restart_prop_30_0 (ctl_restart_prop)) +(typeattributeset ctl_rildaemon_prop_30_0 (ctl_rildaemon_prop)) +(typeattributeset ctl_sigstop_prop_30_0 (ctl_sigstop_prop)) +(typeattributeset ctl_start_prop_30_0 (ctl_start_prop)) +(typeattributeset ctl_stop_prop_30_0 (ctl_stop_prop)) +(typeattributeset dalvik_prop_30_0 (dalvik_prop)) +(typeattributeset dalvikcache_data_file_30_0 (dalvikcache_data_file)) +(typeattributeset dataloader_manager_service_30_0 (dataloader_manager_service)) +(typeattributeset dbinfo_service_30_0 (dbinfo_service)) +(typeattributeset debug_prop_30_0 (debug_prop)) +(typeattributeset debugfs_30_0 (debugfs)) +(typeattributeset debugfs_mmc_30_0 (debugfs_mmc)) +(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_30_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug + debugfs_tracing_printk_formats)) +(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources)) +(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_30_0 (debuggerd_prop)) +(typeattributeset default_android_hwservice_30_0 (default_android_hwservice)) +(typeattributeset default_android_service_30_0 (default_android_service)) +(typeattributeset default_android_vndservice_30_0 (default_android_vndservice)) +(typeattributeset default_prop_30_0 ( + 
default_prop + audio_config_prop + build_config_prop + suspend_prop + init_service_status_private_prop + setupwizard_prop + sqlite_log_prop + verity_status_prop + zygote_wrap_prop +)) +(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant)) +(typeattributeset device_30_0 (device)) +(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop)) +(typeattributeset device_config_boot_count_prop_30_0 (device_config_boot_count_prop)) +(typeattributeset device_config_configuration_prop_30_0 (device_config_configuration_prop)) +(typeattributeset device_config_input_native_boot_prop_30_0 (device_config_input_native_boot_prop)) +(typeattributeset device_config_media_native_prop_30_0 (device_config_media_native_prop)) +(typeattributeset device_config_netd_native_prop_30_0 (device_config_netd_native_prop)) +(typeattributeset device_config_reset_performed_prop_30_0 (device_config_reset_performed_prop)) +(typeattributeset device_config_runtime_native_boot_prop_30_0 (device_config_runtime_native_boot_prop)) +(typeattributeset device_config_runtime_native_prop_30_0 (device_config_runtime_native_prop)) +(typeattributeset device_config_service_30_0 (device_config_service)) +(typeattributeset device_config_storage_native_boot_prop_30_0 (device_config_storage_native_boot_prop)) +(typeattributeset device_config_sys_traced_prop_30_0 (device_config_sys_traced_prop)) +(typeattributeset device_config_window_manager_native_boot_prop_30_0 (device_config_window_manager_native_boot_prop)) +(typeattributeset device_identifiers_service_30_0 (device_identifiers_service)) +(typeattributeset device_logging_prop_30_0 (device_logging_prop)) +(typeattributeset device_policy_service_30_0 (device_policy_service)) +(typeattributeset deviceidle_service_30_0 (deviceidle_service)) +(typeattributeset devicestoragemonitor_service_30_0 (devicestoragemonitor_service)) +(typeattributeset devpts_30_0 (devpts)) +(typeattributeset dhcp_30_0 (dhcp)) 
+(typeattributeset dhcp_data_file_30_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_30_0 (dhcp_exec)) +(typeattributeset dhcp_prop_30_0 (dhcp_prop)) +(typeattributeset diskstats_service_30_0 (diskstats_service)) +(typeattributeset display_service_30_0 (display_service)) +(typeattributeset dm_device_30_0 (dm_device)) +(typeattributeset dnsmasq_30_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_30_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_30_0 (dnsproxyd_socket)) +(typeattributeset dnsresolver_service_30_0 (dnsresolver_service)) +(typeattributeset dreams_service_30_0 (dreams_service)) +(typeattributeset drm_data_file_30_0 (drm_data_file)) +(typeattributeset drmserver_30_0 (drmserver)) +(typeattributeset drmserver_exec_30_0 (drmserver_exec)) +(typeattributeset drmserver_service_30_0 (drmserver_service)) +(typeattributeset drmserver_socket_30_0 (drmserver_socket)) +(typeattributeset dropbox_data_file_30_0 (dropbox_data_file)) +(typeattributeset dropbox_service_30_0 (dropbox_service)) +(typeattributeset dumpstate_30_0 (dumpstate)) +(typeattributeset dumpstate_exec_30_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_30_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_30_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_30_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_30_0 (dumpstate_socket)) +(typeattributeset dynamic_system_prop_30_0 (dynamic_system_prop)) +(typeattributeset e2fs_30_0 (e2fs)) +(typeattributeset e2fs_exec_30_0 (e2fs_exec)) +(typeattributeset efs_file_30_0 (efs_file)) +(typeattributeset emergency_affordance_service_30_0 (emergency_affordance_service)) +(typeattributeset ephemeral_app_30_0 (ephemeral_app)) +(typeattributeset ethernet_service_30_0 (ethernet_service)) +(typeattributeset exfat_30_0 (exfat)) +(typeattributeset exported2_config_prop_30_0 (exported2_config_prop systemsound_config_prop)) +(typeattributeset exported2_default_prop_30_0 + ( exported2_default_prop + aac_drc_prop + 
bootloader_prop + build_prop + hal_instrumentation_prop + init_service_status_prop + libc_debug_prop + property_service_version_prop)) +(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop)) +(typeattributeset exported2_system_prop_30_0 + ( exported2_system_prop + dalvik_runtime_prop + surfaceflinger_color_prop + zram_control_prop)) +(typeattributeset exported2_vold_prop_30_0 + ( exported2_vold_prop + vold_config_prop + vold_post_fs_data_prop)) +(typeattributeset exported3_default_prop_30_0 + ( exported3_default_prop + camera_calibration_prop + camera_config_prop + charger_config_prop + drm_service_config_prop + hdmi_config_prop + keyguard_config_prop + lmkd_config_prop + media_config_prop + mediadrm_config_prop + oem_unlock_prop + packagemanager_config_prop + recovery_config_prop + sendbug_config_prop + storagemanager_config_prop + telephony_config_prop + tombstone_config_prop + vts_status_prop + wifi_config_prop + zram_config_prop)) +(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop radio_control_prop)) +(typeattributeset exported3_system_prop_30_0 + ( exported3_system_prop + boot_status_prop + provisioned_prop + retaildemo_prop)) +(typeattributeset exported_audio_prop_30_0 (exported_audio_prop audio_config_prop)) +(typeattributeset exported_bluetooth_prop_30_0 (exported_bluetooth_prop)) +(typeattributeset exported_camera_prop_30_0 (exported_camera_prop)) +(typeattributeset exported_config_prop_30_0 (exported_config_prop)) +(typeattributeset exported_dalvik_prop_30_0 (exported_dalvik_prop dalvik_config_prop)) +(typeattributeset exported_default_prop_30_0 + ( exported_default_prop + aaudio_config_prop + build_bootimage_prop + build_odm_prop + build_vendor_prop + surfaceflinger_prop + vts_config_prop)) +(typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop)) +(typeattributeset exported_ffs_prop_30_0 + ( exported_ffs_prop + ffs_config_prop + ffs_control_prop)) +(typeattributeset exported_fingerprint_prop_30_0 
(exported_fingerprint_prop fingerprint_prop)) +(typeattributeset exported_overlay_prop_30_0 (exported_overlay_prop)) +(typeattributeset exported_pm_prop_30_0 (exported_pm_prop)) +(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop)) +(typeattributeset exported_secure_prop_30_0 (exported_secure_prop)) +(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop)) +(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop)) + +(typeattributeset exported_system_radio_prop_30_0 + ( exported_system_radio_prop + usb_config_prop + usb_control_prop)) +(typeattributeset exported_vold_prop_30_0 (exported_vold_prop vold_status_prop)) +(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop wifi_hal_prop)) +(typeattributeset external_vibrator_service_30_0 (external_vibrator_service)) +(typeattributeset face_service_30_0 (face_service)) +(typeattributeset face_vendor_data_file_30_0 (face_vendor_data_file)) +(typeattributeset fastbootd_30_0 (fastbootd)) +(typeattributeset ffs_prop_30_0 (ffs_prop)) +(typeattributeset file_contexts_file_30_0 (file_contexts_file)) +(typeattributeset file_integrity_service_30_0 (file_integrity_service)) +(typeattributeset fingerprint_service_30_0 (fingerprint_service)) +(typeattributeset fingerprint_vendor_data_file_30_0 (fingerprint_vendor_data_file)) +(typeattributeset fingerprintd_30_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_30_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_30_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_30_0 (fingerprintd_service)) +(typeattributeset firstboot_prop_30_0 (firstboot_prop)) +(typeattributeset flags_health_check_30_0 (flags_health_check)) +(typeattributeset flags_health_check_exec_30_0 (flags_health_check_exec)) +(typeattributeset font_service_30_0 (font_service)) +(typeattributeset frp_block_device_30_0 (frp_block_device)) +(typeattributeset fs_bpf_30_0 (fs_bpf)) 
+(typeattributeset fsck_30_0 (fsck)) +(typeattributeset fsck_exec_30_0 (fsck_exec)) +(typeattributeset fsck_untrusted_30_0 (fsck_untrusted)) +(typeattributeset fscklogs_30_0 (fscklogs)) +(typeattributeset functionfs_30_0 (functionfs)) +(typeattributeset fuse_30_0 (fuse)) +(typeattributeset fuse_device_30_0 (fuse_device)) +(typeattributeset fwk_automotive_display_hwservice_30_0 (fwk_automotive_display_hwservice)) +(typeattributeset fwk_bufferhub_hwservice_30_0 (fwk_bufferhub_hwservice)) +(typeattributeset fwk_camera_hwservice_30_0 (fwk_camera_hwservice)) +(typeattributeset fwk_display_hwservice_30_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_30_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_30_0 (fwk_sensor_hwservice)) +(typeattributeset fwk_stats_hwservice_30_0 (fwk_stats_hwservice)) +(typeattributeset fwmarkd_socket_30_0 (fwmarkd_socket)) +(typeattributeset gatekeeper_data_file_30_0 (gatekeeper_data_file)) +(typeattributeset gatekeeper_service_30_0 (gatekeeper_service)) +(typeattributeset gatekeeperd_30_0 (gatekeeperd)) +(typeattributeset gatekeeperd_exec_30_0 (gatekeeperd_exec)) +(typeattributeset gfxinfo_service_30_0 (gfxinfo_service)) +(typeattributeset gmscore_app_30_0 (gmscore_app)) +(typeattributeset gps_control_30_0 (gps_control)) +(typeattributeset gpu_device_30_0 (gpu_device)) +(typeattributeset gpu_service_30_0 (gpu_service)) +(typeattributeset gpuservice_30_0 (gpuservice)) +(typeattributeset graphics_device_30_0 (graphics_device)) +(typeattributeset graphicsstats_service_30_0 (graphicsstats_service)) +(typeattributeset gsi_data_file_30_0 (gsi_data_file)) +(typeattributeset gsi_metadata_file_30_0 + ( gsi_metadata_file + gsi_public_metadata_file)) +(typeattributeset gsid_prop_30_0 (gsid_prop)) +(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice)) +(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice)) +(typeattributeset hal_audiocontrol_hwservice_30_0 (hal_audiocontrol_hwservice)) 
+(typeattributeset hal_authsecret_hwservice_30_0 (hal_authsecret_hwservice)) +(typeattributeset hal_bluetooth_hwservice_30_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_30_0 (hal_bootctl_hwservice)) +(typeattributeset hal_broadcastradio_hwservice_30_0 (hal_broadcastradio_hwservice)) +(typeattributeset hal_camera_hwservice_30_0 (hal_camera_hwservice)) +(typeattributeset hal_can_bus_hwservice_30_0 (hal_can_bus_hwservice)) +(typeattributeset hal_can_controller_hwservice_30_0 (hal_can_controller_hwservice)) +(typeattributeset hal_cas_hwservice_30_0 (hal_cas_hwservice)) +(typeattributeset hal_codec2_hwservice_30_0 (hal_codec2_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_30_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_confirmationui_hwservice_30_0 (hal_confirmationui_hwservice)) +(typeattributeset hal_contexthub_hwservice_30_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_30_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_hwservice_30_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_evs_hwservice_30_0 (hal_evs_hwservice)) +(typeattributeset hal_face_hwservice_30_0 (hal_face_hwservice)) +(typeattributeset hal_fingerprint_hwservice_30_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_30_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_30_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_30_0 (hal_gnss_hwservice)) +(typeattributeset hal_graphics_allocator_hwservice_30_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_30_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_composer_server_tmpfs_30_0 (hal_graphics_composer_server_tmpfs)) +(typeattributeset hal_graphics_mapper_hwservice_30_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_30_0 (hal_health_hwservice)) +(typeattributeset hal_health_storage_hwservice_30_0 
(hal_health_storage_hwservice)) +(typeattributeset hal_identity_service_30_0 (hal_identity_service)) +(typeattributeset hal_input_classifier_hwservice_30_0 (hal_input_classifier_hwservice)) +(typeattributeset hal_ir_hwservice_30_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_30_0 (hal_keymaster_hwservice)) +(typeattributeset hal_light_hwservice_30_0 (hal_light_hwservice)) +(typeattributeset hal_light_service_30_0 (hal_light_service)) +(typeattributeset hal_lowpan_hwservice_30_0 (hal_lowpan_hwservice)) +(typeattributeset hal_memtrack_hwservice_30_0 (hal_memtrack_hwservice)) +(typeattributeset hal_neuralnetworks_hwservice_30_0 (hal_neuralnetworks_hwservice)) +(typeattributeset hal_nfc_hwservice_30_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_30_0 (hal_oemlock_hwservice)) +(typeattributeset hal_omx_hwservice_30_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_30_0 (hal_power_hwservice)) +(typeattributeset hal_power_service_30_0 (hal_power_service)) +(typeattributeset hal_power_stats_hwservice_30_0 (hal_power_stats_hwservice)) +(typeattributeset hal_rebootescrow_service_30_0 (hal_rebootescrow_service)) +(typeattributeset hal_renderscript_hwservice_30_0 (hal_renderscript_hwservice)) +(typeattributeset hal_secure_element_hwservice_30_0 (hal_secure_element_hwservice)) +(typeattributeset hal_sensors_hwservice_30_0 (hal_sensors_hwservice)) +(typeattributeset hal_telephony_hwservice_30_0 (hal_telephony_hwservice)) +(typeattributeset hal_tetheroffload_hwservice_30_0 (hal_tetheroffload_hwservice)) +(typeattributeset hal_thermal_hwservice_30_0 (hal_thermal_hwservice)) +(typeattributeset hal_tv_cec_hwservice_30_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_30_0 (hal_tv_input_hwservice)) +(typeattributeset hal_tv_tuner_hwservice_30_0 (hal_tv_tuner_hwservice)) +(typeattributeset hal_usb_gadget_hwservice_30_0 (hal_usb_gadget_hwservice)) +(typeattributeset hal_usb_hwservice_30_0 (hal_usb_hwservice)) 
+(typeattributeset hal_vehicle_hwservice_30_0 (hal_vehicle_hwservice)) +(typeattributeset hal_vibrator_hwservice_30_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vibrator_service_30_0 (hal_vibrator_service)) +(typeattributeset hal_vr_hwservice_30_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_30_0 (hal_weaver_hwservice)) +(typeattributeset hal_wifi_hostapd_hwservice_30_0 (hal_wifi_hostapd_hwservice)) +(typeattributeset hal_wifi_hwservice_30_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_30_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_30_0 (hardware_properties_service)) +(typeattributeset hardware_service_30_0 (hardware_service)) +(typeattributeset hci_attach_dev_30_0 (hci_attach_dev)) +(typeattributeset hdmi_control_service_30_0 (hdmi_control_service)) +(typeattributeset healthd_30_0 (healthd)) +(typeattributeset healthd_exec_30_0 (healthd_exec)) +(typeattributeset heapdump_data_file_30_0 (heapdump_data_file)) +(typeattributeset heapprofd_30_0 (heapprofd)) +(typeattributeset heapprofd_enabled_prop_30_0 (heapprofd_enabled_prop)) +(typeattributeset heapprofd_prop_30_0 (heapprofd_prop)) +(typeattributeset heapprofd_socket_30_0 (heapprofd_socket)) +(typeattributeset hidl_allocator_hwservice_30_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_30_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_30_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_30_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_30_0 (hidl_token_hwservice)) +(typeattributeset hw_random_device_30_0 (hw_random_device)) +(typeattributeset hwbinder_device_30_0 (hwbinder_device)) +(typeattributeset hwservice_contexts_file_30_0 (hwservice_contexts_file)) +(typeattributeset hwservicemanager_30_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_30_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_30_0 (hwservicemanager_prop)) 
+(typeattributeset icon_file_30_0 (icon_file)) +(typeattributeset idmap_30_0 (idmap)) +(typeattributeset idmap_exec_30_0 (idmap_exec)) +(typeattributeset idmap_service_30_0 (idmap_service)) +(typeattributeset iio_device_30_0 (iio_device)) +(typeattributeset imms_service_30_0 (imms_service)) +(typeattributeset incident_30_0 (incident)) +(typeattributeset incident_data_file_30_0 (incident_data_file)) +(typeattributeset incident_helper_30_0 (incident_helper)) +(typeattributeset incident_service_30_0 (incident_service)) +(typeattributeset incidentd_30_0 (incidentd)) +(typeattributeset incremental_control_file_30_0 (incremental_control_file)) +(typeattributeset incremental_prop_30_0 (incremental_prop)) +(typeattributeset incremental_service_30_0 (incremental_service)) +(typeattributeset init_30_0 (init)) +(typeattributeset init_exec_30_0 (init_exec)) +(typeattributeset init_perf_lsm_hooks_prop_30_0 (init_perf_lsm_hooks_prop)) +(typeattributeset init_svc_debug_prop_30_0 (init_svc_debug_prop)) +(typeattributeset init_tmpfs_30_0 (init_tmpfs)) +(typeattributeset inotify_30_0 (inotify)) +(typeattributeset input_device_30_0 (input_device)) +(typeattributeset input_method_service_30_0 (input_method_service)) +(typeattributeset input_service_30_0 (input_service)) +(typeattributeset inputflinger_30_0 (inputflinger)) +(typeattributeset inputflinger_exec_30_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_30_0 (inputflinger_service)) +(typeattributeset install_data_file_30_0 (install_data_file)) +(typeattributeset installd_30_0 (installd)) +(typeattributeset installd_exec_30_0 (installd_exec)) +(typeattributeset installd_service_30_0 (installd_service)) +(typeattributeset ion_device_30_0 (ion_device)) +(typeattributeset iorap_inode2filename_30_0 (iorap_inode2filename)) +(typeattributeset iorap_inode2filename_exec_30_0 (iorap_inode2filename_exec)) +(typeattributeset iorap_inode2filename_tmpfs_30_0 (iorap_inode2filename_tmpfs)) +(typeattributeset iorap_prefetcherd_30_0 
(iorap_prefetcherd)) +(typeattributeset iorap_prefetcherd_exec_30_0 (iorap_prefetcherd_exec)) +(typeattributeset iorap_prefetcherd_tmpfs_30_0 (iorap_prefetcherd_tmpfs)) +(typeattributeset iorapd_30_0 (iorapd)) +(typeattributeset iorapd_data_file_30_0 (iorapd_data_file)) +(typeattributeset iorapd_exec_30_0 (iorapd_exec)) +(typeattributeset iorapd_service_30_0 (iorapd_service)) +(typeattributeset iorapd_tmpfs_30_0 (iorapd_tmpfs)) +(typeattributeset ipsec_service_30_0 (ipsec_service)) +(typeattributeset iris_service_30_0 (iris_service)) +(typeattributeset iris_vendor_data_file_30_0 (iris_vendor_data_file)) +(typeattributeset isolated_app_30_0 (isolated_app)) +(typeattributeset jobscheduler_service_30_0 (jobscheduler_service)) +(typeattributeset kernel_30_0 (kernel)) +(typeattributeset keychain_data_file_30_0 (keychain_data_file)) +(typeattributeset keychord_device_30_0 (keychord_device)) +(typeattributeset keystore_30_0 (keystore)) +(typeattributeset keystore_data_file_30_0 (keystore_data_file)) +(typeattributeset keystore_exec_30_0 (keystore_exec)) +(typeattributeset keystore_service_30_0 (keystore_service)) +(typeattributeset kmsg_debug_device_30_0 (kmsg_debug_device)) +(typeattributeset kmsg_device_30_0 (kmsg_device)) +(typeattributeset labeledfs_30_0 (labeledfs)) +(typeattributeset last_boot_reason_prop_30_0 (last_boot_reason_prop)) +(typeattributeset launcherapps_service_30_0 (launcherapps_service)) +(typeattributeset light_service_30_0 (light_service)) +(typeattributeset linkerconfig_file_30_0 (linkerconfig_file)) +(typeattributeset llkd_30_0 (llkd)) +(typeattributeset llkd_exec_30_0 (llkd_exec)) +(typeattributeset llkd_prop_30_0 (llkd_prop)) +(typeattributeset lmkd_30_0 (lmkd)) +(typeattributeset lmkd_exec_30_0 (lmkd_exec)) +(typeattributeset lmkd_prop_30_0 (lmkd_prop)) +(typeattributeset lmkd_socket_30_0 (lmkd_socket)) +(typeattributeset location_service_30_0 (location_service)) +(typeattributeset lock_settings_service_30_0 (lock_settings_service)) 
+(typeattributeset log_prop_30_0 (log_prop)) +(typeattributeset log_tag_prop_30_0 (log_tag_prop)) +(typeattributeset logcat_exec_30_0 (logcat_exec)) +(typeattributeset logd_30_0 (logd)) +(typeattributeset logd_exec_30_0 (logd_exec)) +(typeattributeset logd_prop_30_0 (logd_prop)) +(typeattributeset logd_socket_30_0 (logd_socket)) +(typeattributeset logdr_socket_30_0 (logdr_socket)) +(typeattributeset logdw_socket_30_0 (logdw_socket)) +(typeattributeset logpersist_30_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_30_0 (logpersistd_logging_prop)) +(typeattributeset loop_control_device_30_0 (loop_control_device)) +(typeattributeset loop_device_30_0 (loop_device)) +(typeattributeset looper_stats_service_30_0 (looper_stats_service)) +(typeattributeset lowpan_device_30_0 (lowpan_device)) +(typeattributeset lowpan_prop_30_0 (lowpan_prop)) +(typeattributeset lowpan_service_30_0 (lowpan_service)) +(typeattributeset lpdump_service_30_0 (lpdump_service)) +(typeattributeset lpdumpd_prop_30_0 (lpdumpd_prop)) +(typeattributeset mac_perms_file_30_0 (mac_perms_file)) +(typeattributeset mdns_socket_30_0 (mdns_socket)) +(typeattributeset mdnsd_30_0 (mdnsd)) +(typeattributeset mdnsd_socket_30_0 (mdnsd_socket)) +(typeattributeset media_data_file_30_0 (media_data_file)) +(typeattributeset media_projection_service_30_0 (media_projection_service)) +(typeattributeset media_router_service_30_0 (media_router_service)) +(typeattributeset media_rw_data_file_30_0 (media_rw_data_file)) +(typeattributeset media_session_service_30_0 (media_session_service)) +(typeattributeset media_variant_prop_30_0 (media_variant_prop)) +(typeattributeset mediadrmserver_30_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_30_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_30_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_30_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_30_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_30_0 
(mediaextractor_service)) +(typeattributeset mediaextractor_tmpfs_30_0 (mediaextractor_tmpfs)) +(typeattributeset mediametrics_30_0 (mediametrics)) +(typeattributeset mediametrics_exec_30_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_30_0 (mediametrics_service)) +(typeattributeset mediaprovider_30_0 (mediaprovider)) +(typeattributeset mediaserver_30_0 (mediaserver)) +(typeattributeset mediaserver_exec_30_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_30_0 (mediaserver_service)) +(typeattributeset mediaserver_tmpfs_30_0 (mediaserver_tmpfs)) +(typeattributeset mediaswcodec_30_0 (mediaswcodec)) +(typeattributeset mediaswcodec_exec_30_0 (mediaswcodec_exec)) +(typeattributeset mediatranscoding_30_0 (mediatranscoding)) +(typeattributeset mediatranscoding_exec_30_0 (mediatranscoding_exec)) +(typeattributeset mediatranscoding_service_30_0 (mediatranscoding_service)) +(typeattributeset meminfo_service_30_0 (meminfo_service)) +(typeattributeset metadata_block_device_30_0 (metadata_block_device)) +(typeattributeset metadata_bootstat_file_30_0 (metadata_bootstat_file)) +(typeattributeset metadata_file_30_0 (metadata_file)) +(typeattributeset method_trace_data_file_30_0 (method_trace_data_file)) +(typeattributeset midi_service_30_0 (midi_service)) +(typeattributeset mirror_data_file_30_0 (mirror_data_file)) +(typeattributeset misc_block_device_30_0 (misc_block_device)) +(typeattributeset misc_logd_file_30_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_30_0 (misc_user_data_file)) +(typeattributeset mmc_prop_30_0 (mmc_prop)) +(typeattributeset mnt_expand_file_30_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_30_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_30_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_pass_through_file_30_0 (mnt_pass_through_file)) +(typeattributeset mnt_product_file_30_0 (mnt_product_file)) +(typeattributeset mnt_sdcard_file_30_0 (mnt_sdcard_file)) +(typeattributeset 
mnt_user_file_30_0 (mnt_user_file)) +(typeattributeset mnt_vendor_file_30_0 (mnt_vendor_file)) +(typeattributeset mock_ota_prop_30_0 (mock_ota_prop)) +(typeattributeset modprobe_30_0 (modprobe)) +(typeattributeset module_sdkextensions_prop_30_0 (module_sdkextensions_prop)) +(typeattributeset mount_service_30_0 (mount_service)) +(typeattributeset mqueue_30_0 (mqueue)) +(typeattributeset mtp_30_0 (mtp)) +(typeattributeset mtp_device_30_0 (mtp_device)) +(typeattributeset mtp_exec_30_0 (mtp_exec)) +(typeattributeset mtpd_socket_30_0 (mtpd_socket)) +(typeattributeset nativetest_data_file_30_0 (nativetest_data_file)) +(typeattributeset net_data_file_30_0 (net_data_file)) +(typeattributeset net_dns_prop_30_0 (net_dns_prop)) +(typeattributeset net_radio_prop_30_0 (net_radio_prop)) +(typeattributeset netd_30_0 (netd)) +(typeattributeset netd_exec_30_0 (netd_exec)) +(typeattributeset netd_listener_service_30_0 (netd_listener_service)) +(typeattributeset netd_service_30_0 (netd_service)) +(typeattributeset netd_stable_secret_prop_30_0 (netd_stable_secret_prop)) +(typeattributeset netif_30_0 (netif)) +(typeattributeset netpolicy_service_30_0 (netpolicy_service)) +(typeattributeset netstats_service_30_0 (netstats_service)) +(typeattributeset netutils_wrapper_30_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_30_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_30_0 (network_management_service)) +(typeattributeset network_score_service_30_0 (network_score_service)) +(typeattributeset network_stack_30_0 (network_stack)) +(typeattributeset network_stack_service_30_0 (network_stack_service)) +(typeattributeset network_time_update_service_30_0 (network_time_update_service)) +(typeattributeset network_watchlist_data_file_30_0 (network_watchlist_data_file)) +(typeattributeset network_watchlist_service_30_0 (network_watchlist_service)) +(typeattributeset nfc_30_0 (nfc)) +(typeattributeset nfc_data_file_30_0 (nfc_data_file)) +(typeattributeset 
nfc_device_30_0 (nfc_device)) +(typeattributeset nfc_prop_30_0 (nfc_prop)) +(typeattributeset nfc_service_30_0 (nfc_service)) +(typeattributeset nnapi_ext_deny_product_prop_30_0 (nnapi_ext_deny_product_prop)) +(typeattributeset node_30_0 (node)) +(typeattributeset nonplat_service_contexts_file_30_0 (nonplat_service_contexts_file)) +(typeattributeset notification_service_30_0 (notification_service)) +(typeattributeset null_device_30_0 (null_device)) +(typeattributeset oem_lock_service_30_0 (oem_lock_service)) +(typeattributeset oemfs_30_0 (oemfs)) +(typeattributeset ota_data_file_30_0 (ota_data_file)) +(typeattributeset ota_metadata_file_30_0 (ota_metadata_file)) +(typeattributeset ota_package_file_30_0 (ota_package_file)) +(typeattributeset ota_prop_30_0 (ota_prop)) +(typeattributeset otadexopt_service_30_0 (otadexopt_service)) +(typeattributeset overlay_prop_30_0 (overlay_prop)) +(typeattributeset overlay_service_30_0 (overlay_service)) +(typeattributeset overlayfs_file_30_0 (overlayfs_file)) +(typeattributeset owntty_device_30_0 (owntty_device)) +(typeattributeset package_native_service_30_0 (package_native_service)) +(typeattributeset package_service_30_0 (package_service)) +(typeattributeset packages_list_file_30_0 (packages_list_file)) +(typeattributeset pan_result_prop_30_0 (pan_result_prop)) +(typeattributeset password_slot_metadata_file_30_0 (password_slot_metadata_file)) +(typeattributeset pdx_bufferhub_client_channel_socket_30_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_30_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_30_0 (pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_30_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_30_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_30_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_30_0 
(pdx_display_manager_channel_socket)) +(typeattributeset pdx_display_manager_endpoint_socket_30_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_30_0 (pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_30_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset pdx_display_vsync_channel_socket_30_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_30_0 (pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_30_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_30_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_30_0 (pdx_performance_dir)) +(typeattributeset perfetto_30_0 (perfetto)) +(typeattributeset performanced_30_0 (performanced)) +(typeattributeset performanced_exec_30_0 (performanced_exec)) +(typeattributeset permission_service_30_0 (permission_service)) +(typeattributeset permissionmgr_service_30_0 (permissionmgr_service)) +(typeattributeset persist_debug_prop_30_0 (persist_debug_prop)) +(typeattributeset persistent_data_block_service_30_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_30_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_30_0 (pinner_service)) +(typeattributeset pipefs_30_0 (pipefs)) +(typeattributeset platform_app_30_0 (platform_app)) +(typeattributeset platform_compat_service_30_0 (platform_compat_service)) +(typeattributeset pm_prop_30_0 (pm_prop)) +(typeattributeset pmsg_device_30_0 (pmsg_device)) +(typeattributeset port_30_0 (port)) +(typeattributeset port_device_30_0 (port_device)) +(typeattributeset postinstall_30_0 (postinstall)) +(typeattributeset postinstall_apex_mnt_dir_30_0 (postinstall_apex_mnt_dir)) +(typeattributeset postinstall_file_30_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_30_0 
(postinstall_mnt_dir)) +(typeattributeset power_service_30_0 (power_service)) +(typeattributeset powerctl_prop_30_0 (powerctl_prop)) +(typeattributeset ppp_30_0 (ppp)) +(typeattributeset ppp_device_30_0 (ppp_device)) +(typeattributeset ppp_exec_30_0 (ppp_exec)) +(typeattributeset preloads_data_file_30_0 (preloads_data_file)) +(typeattributeset preloads_media_file_30_0 (preloads_media_file)) +(typeattributeset prereboot_data_file_30_0 (prereboot_data_file)) +(typeattributeset print_service_30_0 (print_service)) +(typeattributeset priv_app_30_0 (priv_app)) +(typeattributeset privapp_data_file_30_0 (privapp_data_file)) +(typeattributeset proc_30_0 + ( proc + proc_bootconfig)) +(typeattributeset proc_abi_30_0 (proc_abi)) +(typeattributeset proc_asound_30_0 (proc_asound)) +(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable)) +(typeattributeset proc_buddyinfo_30_0 (proc_buddyinfo)) +(typeattributeset proc_cmdline_30_0 (proc_cmdline)) +(typeattributeset proc_cpuinfo_30_0 (proc_cpuinfo)) +(typeattributeset proc_dirty_30_0 (proc_dirty)) +(typeattributeset proc_diskstats_30_0 (proc_diskstats)) +(typeattributeset proc_drop_caches_30_0 (proc_drop_caches)) +(typeattributeset proc_extra_free_kbytes_30_0 (proc_extra_free_kbytes)) +(typeattributeset proc_filesystems_30_0 (proc_filesystems)) +(typeattributeset proc_fs_verity_30_0 (proc_fs_verity)) +(typeattributeset proc_hostname_30_0 (proc_hostname)) +(typeattributeset proc_hung_task_30_0 (proc_hung_task)) +(typeattributeset proc_interrupts_30_0 (proc_interrupts)) +(typeattributeset proc_iomem_30_0 (proc_iomem)) +(typeattributeset proc_keys_30_0 (proc_keys)) +(typeattributeset proc_kmsg_30_0 (proc_kmsg)) +(typeattributeset proc_kpageflags_30_0 (proc_kpageflags)) +(typeattributeset proc_loadavg_30_0 (proc_loadavg)) +(typeattributeset proc_lowmemorykiller_30_0 (proc_lowmemorykiller)) +(typeattributeset proc_max_map_count_30_0 (proc_max_map_count)) +(typeattributeset proc_meminfo_30_0 (proc_meminfo)) 
+(typeattributeset proc_min_free_order_shift_30_0 (proc_min_free_order_shift)) +(typeattributeset proc_misc_30_0 (proc_misc)) +(typeattributeset proc_modules_30_0 (proc_modules)) +(typeattributeset proc_mounts_30_0 (proc_mounts)) +(typeattributeset proc_net_30_0 (proc_net)) +(typeattributeset proc_net_tcp_udp_30_0 (proc_net_tcp_udp)) +(typeattributeset proc_overcommit_memory_30_0 (proc_overcommit_memory)) +(typeattributeset proc_page_cluster_30_0 (proc_page_cluster)) +(typeattributeset proc_pagetypeinfo_30_0 (proc_pagetypeinfo)) +(typeattributeset proc_panic_30_0 (proc_panic)) +(typeattributeset proc_perf_30_0 (proc_perf)) +(typeattributeset proc_pid_max_30_0 (proc_pid_max)) +(typeattributeset proc_pipe_conf_30_0 (proc_pipe_conf)) +(typeattributeset proc_pressure_cpu_30_0 (proc_pressure_cpu)) +(typeattributeset proc_pressure_io_30_0 (proc_pressure_io)) +(typeattributeset proc_pressure_mem_30_0 (proc_pressure_mem)) +(typeattributeset proc_qtaguid_ctrl_30_0 (proc_qtaguid_ctrl)) +(typeattributeset proc_qtaguid_stat_30_0 (proc_qtaguid_stat)) +(typeattributeset proc_random_30_0 (proc_random)) +(typeattributeset proc_sched_30_0 (proc_sched)) +(typeattributeset proc_security_30_0 (proc_security)) +(typeattributeset proc_slabinfo_30_0 (proc_slabinfo)) +(typeattributeset proc_stat_30_0 (proc_stat)) +(typeattributeset proc_swaps_30_0 (proc_swaps)) +(typeattributeset proc_sysrq_30_0 (proc_sysrq)) +(typeattributeset proc_timer_30_0 (proc_timer)) +(typeattributeset proc_tty_drivers_30_0 (proc_tty_drivers)) +(typeattributeset proc_uid_concurrent_active_time_30_0 (proc_uid_concurrent_active_time)) +(typeattributeset proc_uid_concurrent_policy_time_30_0 (proc_uid_concurrent_policy_time)) +(typeattributeset proc_uid_cpupower_30_0 (proc_uid_cpupower)) +(typeattributeset proc_uid_cputime_removeuid_30_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_30_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_30_0 (proc_uid_io_stats)) 
+(typeattributeset proc_uid_procstat_set_30_0 (proc_uid_procstat_set)) +(typeattributeset proc_uid_time_in_state_30_0 (proc_uid_time_in_state)) +(typeattributeset proc_uptime_30_0 (proc_uptime)) +(typeattributeset proc_version_30_0 (proc_version)) +(typeattributeset proc_vmallocinfo_30_0 (proc_vmallocinfo)) +(typeattributeset proc_vmstat_30_0 (proc_vmstat)) +(typeattributeset proc_zoneinfo_30_0 (proc_zoneinfo)) +(typeattributeset processinfo_service_30_0 (processinfo_service)) +(typeattributeset procstats_service_30_0 (procstats_service)) +(typeattributeset profman_30_0 (profman)) +(typeattributeset profman_dump_data_file_30_0 (profman_dump_data_file)) +(typeattributeset profman_exec_30_0 (profman_exec)) +(typeattributeset properties_device_30_0 (properties_device)) +(typeattributeset properties_serial_30_0 (properties_serial)) +(typeattributeset property_contexts_file_30_0 (property_contexts_file)) +(typeattributeset property_data_file_30_0 (property_data_file)) +(typeattributeset property_info_30_0 (property_info)) +(typeattributeset property_socket_30_0 (property_socket)) +(typeattributeset pstorefs_30_0 (pstorefs)) +(typeattributeset ptmx_device_30_0 (ptmx_device)) +(typeattributeset qtaguid_device_30_0 (qtaguid_device)) +(typeattributeset racoon_30_0 (racoon)) +(typeattributeset racoon_exec_30_0 (racoon_exec)) +(typeattributeset racoon_socket_30_0 (racoon_socket)) +(typeattributeset radio_30_0 (radio)) +(typeattributeset radio_data_file_30_0 (radio_data_file)) +(typeattributeset radio_device_30_0 (radio_device)) +(typeattributeset radio_prop_30_0 (radio_prop)) +(typeattributeset radio_service_30_0 (radio_service)) +(typeattributeset ram_device_30_0 (ram_device)) +(typeattributeset random_device_30_0 (random_device)) +(typeattributeset rebootescrow_hal_prop_30_0 (rebootescrow_hal_prop)) +(typeattributeset recovery_30_0 (recovery)) +(typeattributeset recovery_block_device_30_0 (recovery_block_device)) +(typeattributeset recovery_data_file_30_0 
(recovery_data_file)) +(typeattributeset recovery_persist_30_0 (recovery_persist)) +(typeattributeset recovery_persist_exec_30_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_30_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_30_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_30_0 (recovery_service)) +(typeattributeset recovery_socket_30_0 (recovery_socket)) +(typeattributeset registry_service_30_0 (registry_service)) +(typeattributeset resourcecache_data_file_30_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_30_0 (restorecon_prop)) +(typeattributeset restrictions_service_30_0 (restrictions_service)) +(typeattributeset rild_debug_socket_30_0 (rild_debug_socket)) +(typeattributeset rild_socket_30_0 (rild_socket)) +(typeattributeset ringtone_file_30_0 (ringtone_file)) +(typeattributeset role_service_30_0 (role_service)) +(typeattributeset rollback_service_30_0 (rollback_service)) +(typeattributeset root_block_device_30_0 (root_block_device)) +(typeattributeset rootfs_30_0 (rootfs)) +(typeattributeset rpmsg_device_30_0 (rpmsg_device)) +(typeattributeset rs_30_0 (rs)) +(typeattributeset rs_exec_30_0 (rs_exec)) +(typeattributeset rss_hwm_reset_30_0 (rss_hwm_reset)) +(typeattributeset rtc_device_30_0 (rtc_device)) +(typeattributeset rttmanager_service_30_0 (rttmanager_service)) +(typeattributeset runas_30_0 (runas)) +(typeattributeset runas_app_30_0 (runas_app)) +(typeattributeset runas_exec_30_0 (runas_exec)) +(typeattributeset runtime_event_log_tags_file_30_0 (runtime_event_log_tags_file)) +(typeattributeset runtime_service_30_0 (runtime_service)) +(typeattributeset safemode_prop_30_0 (safemode_prop)) +(typeattributeset same_process_hal_file_30_0 (same_process_hal_file)) +(typeattributeset samplingprofiler_service_30_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_30_0 (scheduling_policy_service)) +(typeattributeset sdcard_block_device_30_0 (sdcard_block_device)) +(typeattributeset 
sdcardd_30_0 (sdcardd)) +(typeattributeset sdcardd_exec_30_0 (sdcardd_exec)) +(typeattributeset sdcardfs_30_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_30_0 (seapp_contexts_file)) +(typeattributeset search_service_30_0 (search_service)) +(typeattributeset sec_key_att_app_id_provider_service_30_0 (sec_key_att_app_id_provider_service)) +(typeattributeset secure_element_30_0 (secure_element)) +(typeattributeset secure_element_device_30_0 (secure_element_device)) +(typeattributeset secure_element_service_30_0 (secure_element_service)) +(typeattributeset securityfs_30_0 (securityfs)) +(typeattributeset selinuxfs_30_0 (selinuxfs)) +(typeattributeset sensor_privacy_service_30_0 (sensor_privacy_service)) +(typeattributeset sensors_device_30_0 (sensors_device)) +(typeattributeset sensorservice_service_30_0 (sensorservice_service)) +(typeattributeset sepolicy_file_30_0 (sepolicy_file)) +(typeattributeset serial_device_30_0 (serial_device)) +(typeattributeset serial_service_30_0 (serial_service)) +(typeattributeset serialno_prop_30_0 (serialno_prop)) +(typeattributeset server_configurable_flags_data_file_30_0 (server_configurable_flags_data_file)) +(typeattributeset service_contexts_file_30_0 (service_contexts_file)) +(typeattributeset service_manager_service_30_0 (service_manager_service)) +(typeattributeset service_manager_vndservice_30_0 (service_manager_vndservice)) +(typeattributeset servicediscovery_service_30_0 (servicediscovery_service)) +(typeattributeset servicemanager_30_0 (servicemanager)) +(typeattributeset servicemanager_exec_30_0 (servicemanager_exec)) +(typeattributeset settings_service_30_0 (settings_service)) +(typeattributeset sgdisk_30_0 (sgdisk)) +(typeattributeset sgdisk_exec_30_0 (sgdisk_exec)) +(typeattributeset shared_relro_30_0 (shared_relro)) +(typeattributeset shared_relro_file_30_0 (shared_relro_file)) +(typeattributeset shell_30_0 (shell)) +(typeattributeset shell_data_file_30_0 (shell_data_file)) +(typeattributeset shell_exec_30_0 
(shell_exec)) +(typeattributeset shell_prop_30_0 (shell_prop)) +(typeattributeset shm_30_0 (shm)) +(typeattributeset shortcut_manager_icons_30_0 (shortcut_manager_icons)) +(typeattributeset shortcut_service_30_0 (shortcut_service)) +(typeattributeset simpleperf_30_0 (simpleperf)) +(typeattributeset simpleperf_app_runner_30_0 (simpleperf_app_runner)) +(typeattributeset simpleperf_app_runner_exec_30_0 (simpleperf_app_runner_exec)) +(typeattributeset slice_service_30_0 (slice_service)) +(typeattributeset slideshow_30_0 (slideshow)) +(typeattributeset snapshotctl_log_data_file_30_0 (snapshotctl_log_data_file)) +(typeattributeset socket_device_30_0 (socket_device)) +(typeattributeset socket_hook_prop_30_0 (socket_hook_prop)) +(typeattributeset sockfs_30_0 (sockfs)) +(typeattributeset sota_prop_30_0 (sota_prop)) +(typeattributeset soundtrigger_middleware_service_30_0 (soundtrigger_middleware_service)) +(typeattributeset staging_data_file_30_0 (staging_data_file)) +(typeattributeset stats_data_file_30_0 (stats_data_file)) +(typeattributeset statsd_30_0 (statsd)) +(typeattributeset statsd_exec_30_0 (statsd_exec)) +(typeattributeset statsdw_socket_30_0 (statsdw_socket)) +(typeattributeset statusbar_service_30_0 (statusbar_service)) +(typeattributeset storage_config_prop_30_0 (storage_config_prop)) +(typeattributeset storage_file_30_0 (storage_file)) +(typeattributeset storage_stub_file_30_0 (storage_stub_file)) +(typeattributeset storaged_service_30_0 (storaged_service)) +(typeattributeset storagestats_service_30_0 (storagestats_service)) +(typeattributeset su_30_0 (su)) +(typeattributeset su_exec_30_0 (su_exec)) +(typeattributeset super_block_device_30_0 (super_block_device)) +(typeattributeset surfaceflinger_30_0 (surfaceflinger)) +(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service)) +(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs)) +(typeattributeset swap_block_device_30_0 (swap_block_device)) +(typeattributeset sysfs_30_0 (sysfs 
sysfs_fs_incfs_features)) +(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics)) +(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb)) +(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo)) +(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable)) +(typeattributeset sysfs_devices_block_30_0 (sysfs_devices_block)) +(typeattributeset sysfs_devices_system_cpu_30_0 (sysfs_devices_system_cpu)) +(typeattributeset sysfs_dm_30_0 (sysfs_dm)) +(typeattributeset sysfs_dm_verity_30_0 (sysfs_dm_verity)) +(typeattributeset sysfs_dt_firmware_android_30_0 (sysfs_dt_firmware_android)) +(typeattributeset sysfs_extcon_30_0 (sysfs_extcon)) +(typeattributeset sysfs_fs_ext4_features_30_0 (sysfs_fs_ext4_features)) +(typeattributeset sysfs_fs_f2fs_30_0 (sysfs_fs_f2fs)) +(typeattributeset sysfs_hwrandom_30_0 (sysfs_hwrandom)) +(typeattributeset sysfs_ion_30_0 (sysfs_ion)) +(typeattributeset sysfs_ipv4_30_0 (sysfs_ipv4)) +(typeattributeset sysfs_kernel_notes_30_0 (sysfs_kernel_notes)) +(typeattributeset sysfs_leds_30_0 (sysfs_leds)) +(typeattributeset sysfs_loop_30_0 (sysfs_loop)) +(typeattributeset sysfs_lowmemorykiller_30_0 (sysfs_lowmemorykiller)) +(typeattributeset sysfs_net_30_0 (sysfs_net)) +(typeattributeset sysfs_nfc_power_writable_30_0 (sysfs_nfc_power_writable)) +(typeattributeset sysfs_power_30_0 (sysfs_power)) +(typeattributeset sysfs_rtc_30_0 (sysfs_rtc)) +(typeattributeset sysfs_suspend_stats_30_0 (sysfs_suspend_stats)) +(typeattributeset sysfs_switch_30_0 (sysfs_switch)) +(typeattributeset sysfs_thermal_30_0 (sysfs_thermal)) +(typeattributeset sysfs_transparent_hugepage_30_0 (sysfs_transparent_hugepage)) +(typeattributeset sysfs_uio_30_0 (sysfs_uio)) +(typeattributeset sysfs_usb_30_0 (sysfs_usb)) +(typeattributeset sysfs_usermodehelper_30_0 (sysfs_usermodehelper)) +(typeattributeset sysfs_vibrator_30_0 (sysfs_vibrator)) +(typeattributeset sysfs_wake_lock_30_0 (sysfs_wake_lock)) +(typeattributeset sysfs_wakeup_30_0 (sysfs_wakeup)) 
+(typeattributeset sysfs_wakeup_reasons_30_0 (sysfs_wakeup_reasons)) +(typeattributeset sysfs_wlan_fwpath_30_0 (sysfs_wlan_fwpath)) +(typeattributeset sysfs_zram_30_0 (sysfs_zram)) +(typeattributeset sysfs_zram_uevent_30_0 (sysfs_zram_uevent)) +(typeattributeset system_adbd_prop_30_0 (system_adbd_prop)) +(typeattributeset system_app_30_0 (system_app)) +(typeattributeset system_app_data_file_30_0 (system_app_data_file)) +(typeattributeset system_app_service_30_0 (system_app_service)) +(typeattributeset system_asan_options_file_30_0 (system_asan_options_file)) +(typeattributeset system_block_device_30_0 (system_block_device)) +(typeattributeset system_boot_reason_prop_30_0 (system_boot_reason_prop)) +(typeattributeset system_bootstrap_lib_file_30_0 (system_bootstrap_lib_file)) +(typeattributeset system_config_service_30_0 (system_config_service)) +(typeattributeset system_data_file_30_0 (system_data_file)) +(typeattributeset system_data_root_file_30_0 (system_data_root_file)) +(typeattributeset system_event_log_tags_file_30_0 (system_event_log_tags_file)) +(typeattributeset system_file_30_0 (system_file)) +(typeattributeset system_group_file_30_0 (system_group_file)) +(typeattributeset system_jvmti_agent_prop_30_0 (system_jvmti_agent_prop)) +(typeattributeset system_lib_file_30_0 (system_lib_file)) +(typeattributeset system_linker_config_file_30_0 (system_linker_config_file)) +(typeattributeset system_linker_exec_30_0 (system_linker_exec)) +(typeattributeset system_lmk_prop_30_0 (system_lmk_prop)) +(typeattributeset system_ndebug_socket_30_0 (system_ndebug_socket)) +(typeattributeset system_net_netd_hwservice_30_0 (system_net_netd_hwservice)) +(typeattributeset system_passwd_file_30_0 (system_passwd_file)) +(typeattributeset system_prop_30_0 (system_prop)) +(typeattributeset system_radio_prop_30_0 (system_radio_prop usb_prop)) +(typeattributeset system_seccomp_policy_file_30_0 (system_seccomp_policy_file)) +(typeattributeset system_security_cacerts_file_30_0 
(system_security_cacerts_file)) +(typeattributeset system_server_30_0 (system_server)) +(typeattributeset system_server_tmpfs_30_0 (system_server_tmpfs)) +(typeattributeset system_suspend_control_service_30_0 (system_suspend_control_service)) +(typeattributeset system_suspend_hwservice_30_0 (system_suspend_hwservice)) +(typeattributeset system_trace_prop_30_0 (system_trace_prop)) +(typeattributeset system_unsolzygote_socket_30_0 (system_unsolzygote_socket)) +(typeattributeset system_update_service_30_0 (system_update_service)) +(typeattributeset system_wifi_keystore_hwservice_30_0 (system_wifi_keystore_hwservice)) +(typeattributeset system_wpa_socket_30_0 (system_wpa_socket)) +(typeattributeset system_zoneinfo_file_30_0 (system_zoneinfo_file)) +(typeattributeset systemkeys_data_file_30_0 (systemkeys_data_file)) +(typeattributeset task_profiles_file_30_0 (task_profiles_file)) +(typeattributeset task_service_30_0 (task_service)) +(typeattributeset tcpdump_exec_30_0 (tcpdump_exec)) +(typeattributeset tee_30_0 (tee)) +(typeattributeset tee_data_file_30_0 (tee_data_file)) +(typeattributeset tee_device_30_0 (tee_device)) +(typeattributeset telecom_service_30_0 (telecom_service)) +(typeattributeset test_boot_reason_prop_30_0 (test_boot_reason_prop)) +(typeattributeset test_harness_prop_30_0 (test_harness_prop)) +(typeattributeset testharness_service_30_0 (testharness_service)) +(typeattributeset tethering_service_30_0 (tethering_service)) +(typeattributeset textclassification_service_30_0 (textclassification_service)) +(typeattributeset textclassifier_data_file_30_0 (textclassifier_data_file)) +(typeattributeset textservices_service_30_0 (textservices_service)) +(typeattributeset theme_prop_30_0 (theme_prop)) +(typeattributeset thermal_service_30_0 (thermal_service)) +(typeattributeset thermalcallback_hwservice_30_0 (thermalcallback_hwservice)) +(typeattributeset time_prop_30_0 (time_prop)) +(typeattributeset timedetector_service_30_0 (timedetector_service)) 
+(typeattributeset timezone_service_30_0 (timezone_service)) +(typeattributeset timezonedetector_service_30_0 (timezonedetector_service)) +(typeattributeset tmpfs_30_0 (tmpfs)) +(typeattributeset tombstone_data_file_30_0 (tombstone_data_file)) +(typeattributeset tombstone_wifi_data_file_30_0 (tombstone_wifi_data_file)) +(typeattributeset tombstoned_30_0 (tombstoned)) +(typeattributeset tombstoned_crash_socket_30_0 (tombstoned_crash_socket)) +(typeattributeset tombstoned_exec_30_0 (tombstoned_exec)) +(typeattributeset tombstoned_intercept_socket_30_0 (tombstoned_intercept_socket)) +(typeattributeset tombstoned_java_trace_socket_30_0 (tombstoned_java_trace_socket)) +(typeattributeset toolbox_30_0 (toolbox)) +(typeattributeset toolbox_exec_30_0 (toolbox_exec)) +(typeattributeset trace_data_file_30_0 (trace_data_file)) +(typeattributeset traced_30_0 (traced)) +(typeattributeset traced_consumer_socket_30_0 (traced_consumer_socket)) +(typeattributeset traced_enabled_prop_30_0 (traced_enabled_prop)) +(typeattributeset traced_lazy_prop_30_0 (traced_lazy_prop)) +(typeattributeset traced_perf_30_0 (traced_perf)) +(typeattributeset traced_perf_enabled_prop_30_0 (traced_perf_enabled_prop)) +(typeattributeset traced_perf_socket_30_0 (traced_perf_socket)) +(typeattributeset traced_probes_30_0 (traced_probes)) +(typeattributeset traced_producer_socket_30_0 (traced_producer_socket)) +(typeattributeset traceur_app_30_0 (traceur_app)) +(typeattributeset trust_service_30_0 (trust_service)) +(typeattributeset tty_device_30_0 (tty_device)) +(typeattributeset tun_device_30_0 (tun_device)) +(typeattributeset tv_input_service_30_0 (tv_input_service)) +(typeattributeset tv_tuner_resource_mgr_service_30_0 (tv_tuner_resource_mgr_service)) +(typeattributeset tzdatacheck_30_0 (tzdatacheck)) +(typeattributeset tzdatacheck_exec_30_0 (tzdatacheck_exec)) +(typeattributeset ueventd_30_0 (ueventd)) +(typeattributeset ueventd_tmpfs_30_0 (ueventd_tmpfs)) +(typeattributeset uhid_device_30_0 
(uhid_device)) +(typeattributeset uimode_service_30_0 (uimode_service)) +(typeattributeset uio_device_30_0 (uio_device)) +(typeattributeset uncrypt_30_0 (uncrypt)) +(typeattributeset uncrypt_exec_30_0 (uncrypt_exec)) +(typeattributeset uncrypt_socket_30_0 (uncrypt_socket)) +(typeattributeset unencrypted_data_file_30_0 (unencrypted_data_file)) +(typeattributeset unlabeled_30_0 (unlabeled)) +(typeattributeset untrusted_app_25_30_0 (untrusted_app_25)) +(typeattributeset untrusted_app_27_30_0 (untrusted_app_27)) +(typeattributeset untrusted_app_29_30_0 (untrusted_app_29)) +(typeattributeset untrusted_app_30_0 (untrusted_app)) +(typeattributeset update_engine_30_0 (update_engine)) +(typeattributeset update_engine_data_file_30_0 (update_engine_data_file)) +(typeattributeset update_engine_exec_30_0 (update_engine_exec)) +(typeattributeset update_engine_log_data_file_30_0 (update_engine_log_data_file)) +(typeattributeset update_engine_service_30_0 (update_engine_service)) +(typeattributeset update_verifier_30_0 (update_verifier)) +(typeattributeset update_verifier_exec_30_0 (update_verifier_exec)) +(typeattributeset updatelock_service_30_0 (updatelock_service)) +(typeattributeset uri_grants_service_30_0 (uri_grants_service)) +(typeattributeset usagestats_service_30_0 (usagestats_service)) +(typeattributeset usb_device_30_0 (usb_device)) +(typeattributeset usb_serial_device_30_0 (usb_serial_device)) +(typeattributeset usb_service_30_0 (usb_service)) +(typeattributeset usbaccessory_device_30_0 (usbaccessory_device)) +(typeattributeset usbd_30_0 (usbd)) +(typeattributeset usbd_exec_30_0 (usbd_exec)) +(typeattributeset usbfs_30_0 (usbfs)) +(typeattributeset use_memfd_prop_30_0 (use_memfd_prop)) +(typeattributeset user_profile_data_file_30_0 + ( user_profile_data_file + user_profile_root_file +)) +(typeattributeset user_service_30_0 (user_service)) +(typeattributeset userdata_block_device_30_0 (userdata_block_device)) +(typeattributeset usermodehelper_30_0 (usermodehelper)) 
+(typeattributeset userspace_reboot_config_prop_30_0 (userspace_reboot_config_prop)) +(typeattributeset userspace_reboot_exported_prop_30_0 (userspace_reboot_exported_prop)) +(typeattributeset userspace_reboot_log_prop_30_0 (userspace_reboot_log_prop)) +(typeattributeset userspace_reboot_test_prop_30_0 (userspace_reboot_test_prop)) +(typeattributeset vdc_30_0 (vdc)) +(typeattributeset vdc_exec_30_0 (vdc_exec)) +(typeattributeset vehicle_hal_prop_30_0 (vehicle_hal_prop)) +(typeattributeset vendor_apex_file_30_0 (vendor_apex_file)) +(typeattributeset vendor_app_file_30_0 (vendor_app_file)) +(typeattributeset vendor_cgroup_desc_file_30_0 (vendor_cgroup_desc_file)) +(typeattributeset vendor_configs_file_30_0 (vendor_configs_file)) +(typeattributeset vendor_data_file_30_0 (vendor_data_file)) +(typeattributeset vendor_default_prop_30_0 (vendor_default_prop)) +(typeattributeset vendor_file_30_0 (vendor_file)) +(typeattributeset vendor_framework_file_30_0 (vendor_framework_file)) +(typeattributeset vendor_hal_file_30_0 (vendor_hal_file)) +(typeattributeset vendor_idc_file_30_0 (vendor_idc_file)) +(typeattributeset vendor_init_30_0 (vendor_init)) +(typeattributeset vendor_keychars_file_30_0 (vendor_keychars_file)) +(typeattributeset vendor_keylayout_file_30_0 (vendor_keylayout_file)) +(typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer)) +(typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec)) +(typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file)) +(typeattributeset vendor_public_lib_file_30_0 + ( vendor_public_framework_file + vendor_public_lib_file)) +(typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop)) +(typeattributeset vendor_shell_30_0 (vendor_shell)) +(typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec)) +(typeattributeset vendor_socket_hook_prop_30_0 (vendor_socket_hook_prop)) +(typeattributeset vendor_task_profiles_file_30_0 (vendor_task_profiles_file)) +(typeattributeset 
vendor_toolbox_exec_30_0 (vendor_toolbox_exec)) +(typeattributeset vfat_30_0 (vfat)) +(typeattributeset vibrator_service_30_0 (vibrator_service)) +(typeattributeset video_device_30_0 (video_device)) +(typeattributeset virtual_ab_prop_30_0 (virtual_ab_prop)) +(typeattributeset virtual_touchpad_30_0 (virtual_touchpad)) +(typeattributeset virtual_touchpad_exec_30_0 (virtual_touchpad_exec)) +(typeattributeset virtual_touchpad_service_30_0 (virtual_touchpad_service)) +(typeattributeset vndbinder_device_30_0 (vndbinder_device)) +(typeattributeset vndk_prop_30_0 (vndk_prop)) +(typeattributeset vndk_sp_file_30_0 (vndk_sp_file)) +(typeattributeset vndservice_contexts_file_30_0 (vndservice_contexts_file)) +(typeattributeset vndservicemanager_30_0 (vndservicemanager)) +(typeattributeset voiceinteraction_service_30_0 (voiceinteraction_service)) +(typeattributeset vold_30_0 (vold)) +(typeattributeset vold_data_file_30_0 (vold_data_file)) +(typeattributeset vold_device_30_0 (vold_device)) +(typeattributeset vold_exec_30_0 (vold_exec)) +(typeattributeset vold_metadata_file_30_0 (vold_metadata_file)) +(typeattributeset vold_prepare_subdirs_30_0 (vold_prepare_subdirs)) +(typeattributeset vold_prepare_subdirs_exec_30_0 (vold_prepare_subdirs_exec)) +(typeattributeset vold_prop_30_0 (vold_prop)) +(typeattributeset vold_service_30_0 (vold_service)) +(typeattributeset vpn_data_file_30_0 (vpn_data_file)) +(typeattributeset vr_hwc_30_0 (vr_hwc)) +(typeattributeset vr_hwc_exec_30_0 (vr_hwc_exec)) +(typeattributeset vr_hwc_service_30_0 (vr_hwc_service)) +(typeattributeset vr_manager_service_30_0 (vr_manager_service)) +(typeattributeset vrflinger_vsync_service_30_0 (vrflinger_vsync_service)) +(typeattributeset wallpaper_file_30_0 (wallpaper_file)) +(typeattributeset wallpaper_service_30_0 (wallpaper_service)) +(typeattributeset watchdog_device_30_0 (watchdog_device)) +(typeattributeset watchdogd_30_0 (watchdogd)) +(typeattributeset watchdogd_exec_30_0 (watchdogd_exec)) +(typeattributeset 
webview_zygote_30_0 (webview_zygote)) +(typeattributeset webview_zygote_exec_30_0 (webview_zygote_exec)) +(typeattributeset webview_zygote_tmpfs_30_0 (webview_zygote_tmpfs)) +(typeattributeset webviewupdate_service_30_0 (webviewupdate_service)) +(typeattributeset wifi_data_file_30_0 (wifi_data_file)) +(typeattributeset wifi_log_prop_30_0 (wifi_log_prop)) +(typeattributeset wifi_prop_30_0 (wifi_prop)) +(typeattributeset wifi_service_30_0 (wifi_service)) +(typeattributeset wifiaware_service_30_0 (wifiaware_service)) +(typeattributeset wificond_30_0 (wificond)) +(typeattributeset wificond_exec_30_0 (wificond_exec)) +(typeattributeset wifinl80211_service_30_0 (wifinl80211_service)) +(typeattributeset wifip2p_service_30_0 (wifip2p_service)) +(typeattributeset wifiscanner_service_30_0 (wifiscanner_service)) +(typeattributeset window_service_30_0 (window_service)) +(typeattributeset wpa_socket_30_0 (wpa_socket)) +(typeattributeset wpantund_30_0 (wpantund)) +(typeattributeset wpantund_exec_30_0 (wpantund_exec)) +(typeattributeset wpantund_service_30_0 (wpantund_service)) +(typeattributeset zero_device_30_0 (zero_device)) +(typeattributeset zoneinfo_data_file_30_0 (zoneinfo_data_file)) +(typeattributeset zygote_30_0 (zygote)) +(typeattributeset zygote_exec_30_0 (zygote_exec)) +(typeattributeset zygote_socket_30_0 (zygote_socket)) +(typeattributeset zygote_tmpfs_30_0 (zygote_tmpfs)) diff --git a/prebuilts/api/32.0/private/compat/30.0/30.0.compat.cil b/prebuilts/api/32.0/private/compat/30.0/30.0.compat.cil new file mode 100644 index 000000000..97c587489 --- /dev/null +++ b/prebuilts/api/32.0/private/compat/30.0/30.0.compat.cil 
@@ -0,0 +1,10 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+
+;; TODO: Once 30.0 is no longer supported for vendor images,
+;; mlsvendorcompat can be completely from the system policy.
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/32.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/32.0/private/compat/30.0/30.0.ignore.cil
new file mode 100644
index 000000000..e4acfe8a4
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/30.0/30.0.ignore.cil
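Review bot: The TODO comment on the new side is missing a word and should read `;; mlsvendorcompat can be completely removed from the system policy.`; since this file is a frozen snapshot under prebuilts/api/32.0, the wording fix belongs in the source copy of 30.0.compat.cil rather than in the prebuilt. The four allow rules below it give mlsvendorcompat, i.e. domains that are both appdomain and vendordomain, read, write, create, unlink and rename access to app_data_file and privapp_data_file directories and files, so this comment is the only statement of when that broad compatibility grant is meant to be retired. Keeping it readable is what lets a later maintainer recognise the rules as a 30.0-only carve-out rather than a permanent permission.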
@@ -0,0 +1,155 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ ab_update_gki_prop
+ adbd_config_prop
+ apc_service
+ apex_appsearch_data_file
+ apex_art_data_file
+ apex_art_staging_data_file
+ apex_info_file
+ apex_ota_reserved_file
+ apex_scheduling_data_file
+ apexd_config_prop
+ app_hibernation_service
+ appcompat_data_file
+ arm64_memtag_prop
+ authorization_service
+ bootanim_config_prop
+ camera2_extensions_prop
+ camerax_extensions_prop
+ cgroup_desc_api_file
+ cgroup_v2
+ codec2_config_prop
+ ctl_snapuserd_prop
+ dck_prop
+ debugfs_kprobes
+ debugfs_mm_events_tracing
+ debugfs_bootreceiver_tracing
+ debugfs_restriction_prop
+ device_config_profcollect_native_boot_prop
+ device_config_connectivity_prop
+ device_config_swcodec_native_prop
+ device_state_service
+ dm_user_device
+ dmabuf_heap_device
+ dmabuf_system_heap_device
+ dmabuf_system_secure_heap_device
+ domain_verification_service
+ dumpstate_tmpfs
+ framework_watchdog_config_prop
+ fs_bpf_tethering
+ fwk_stats_service
+ game_service
+ font_data_file
+ gki_apex_prepostinstall
+ gki_apex_prepostinstall_exec
+ hal_audio_service
+ hal_authsecret_service
+ hal_audiocontrol_service
+ hal_face_service
+ hal_fingerprint_service
+ hal_health_storage_service
+ hal_memtrack_service
+ hal_oemlock_service
+ hint_service
+ gnss_device
+ gnss_time_update_service
+ hal_dumpstate_config_prop
+ hal_gnss_service
+ hal_keymint_service
+ hal_neuralnetworks_service
+ hal_power_stats_service
+ hal_remotelyprovisionedcomponent_service
+ hal_secureclock_service
+ hal_sharedsecret_service
+ hal_uwb_service
+ hal_weaver_service
+ hw_timeout_multiplier_prop
+ hypervisor_prop
+ keystore_compat_hal_service
+ keystore_maintenance_service
+ keystore_metrics_service
+ keystore2_key_contexts_file
+ legacy_permission_service
+ legacykeystore_service
+ location_time_zone_manager_service
+ media_communication_service
+ media_metrics_service
+ mediatuner_exec
+ mediatuner_service
+ mediatuner
+ mediatranscoding_tmpfs
+ memtrackproxy_service
+ mm_events_config_prop
+ music_recognition_service
+ nfc_logs_data_file
+ odrefresh
+ odrefresh_exec
+ odsign
+ odsign_data_file
+ odsign_exec
+ pac_proxy_service
+ permission_checker_service
+ people_service
+ persist_vendor_debug_wifi_prop
+ postinstall_dexopt_exec
+ postinstall_device_mnt_dir
+ postinstall_product_mnt_dir
+ postinstall_vendor_mnt_dir
+ power_debug_prop
+ powerstats_service
+ proc_kallsyms
+ proc_locks
+ profcollectd
+ profcollectd_data_file
+ profcollectd_exec
+ profcollectd_node_id_prop
+ profcollectd_service
+ qemu_hw_prop
+ qemu_sf_lcd_density_prop
+ radio_core_data_file
+ reboot_readiness_service
+ remote_prov_app
+ remoteprovisioning_service
+ resolver_service
+ search_ui_service
+ shell_test_data_file
+ smartspace_service
+ snapuserd
+ snapuserd_exec
+ snapuserd_socket
+ soc_prop
+ speech_recognition_service
+ sysfs_block
+ sysfs_devfreq_cur
+ sysfs_devfreq_dir
+ sysfs_devices_cs_etm
+ sysfs_dma_heap
+ sysfs_dmabuf_stats
+ sysfs_uhid
+ system_server_dumper_service
+ system_suspend_control_internal_service
+ task_profiles_api_file
+ texttospeech_service
+ translation_service
+ update_engine_stable_service
+ userdata_sysdev
+ userspace_reboot_metadata_file
+ uwb_service
+ vcn_management_service
+ vd_device
+ vendor_kernel_modules
+ vendor_modprobe
+ vibrator_manager_service
+ virtualization_service
+ vpn_management_service
+ watchdog_metadata_file
+ wifi_key
+ zygote_config_prop
+ proc_vendor_sched
+ sysfs_vendor_sched))
diff --git a/prebuilts/api/32.0/private/compat/31.0/31.0.cil b/prebuilts/api/32.0/private/compat/31.0/31.0.cil
new file mode 100644
index 000000000..009d8b2de
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/31.0/31.0.cil
@@ -0,0 +1,2470 @@
+(expandtypeattribute (DockObserver_service_31_0) true)
+(expandtypeattribute (IProxyService_service_31_0) true)
+(expandtypeattribute (aac_drc_prop_31_0) true)
+(expandtypeattribute (aaudio_config_prop_31_0) true)
+(expandtypeattribute (ab_update_gki_prop_31_0) true)
+(expandtypeattribute (accessibility_service_31_0) true)
+(expandtypeattribute (account_service_31_0) true)
+(expandtypeattribute (activity_service_31_0) true)
+(expandtypeattribute (activity_task_service_31_0) true)
+(expandtypeattribute (adb_data_file_31_0) true)
+(expandtypeattribute (adb_keys_file_31_0) true)
+(expandtypeattribute (adb_service_31_0) true)
+(expandtypeattribute (adbd_31_0) true)
+(expandtypeattribute (adbd_config_prop_31_0) true)
+(expandtypeattribute (adbd_exec_31_0) true)
+(expandtypeattribute (adbd_socket_31_0) true)
+(expandtypeattribute (aidl_lazy_test_server_31_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_31_0) true)
+(expandtypeattribute (aidl_lazy_test_service_31_0) true)
+(expandtypeattribute (alarm_service_31_0) true)
+(expandtypeattribute (anr_data_file_31_0) true)
+(expandtypeattribute (apc_service_31_0) true)
+(expandtypeattribute (apex_appsearch_data_file_31_0) true)
+(expandtypeattribute (apex_data_file_31_0) true)
+(expandtypeattribute (apex_info_file_31_0) true)
+(expandtypeattribute (apex_metadata_file_31_0) true)
+(expandtypeattribute (apex_mnt_dir_31_0) true)
+(expandtypeattribute (apex_module_data_file_31_0) true)
+(expandtypeattribute (apex_ota_reserved_file_31_0) true)
+(expandtypeattribute (apex_permission_data_file_31_0) true)
+(expandtypeattribute (apex_rollback_data_file_31_0) true)
+(expandtypeattribute (apex_scheduling_data_file_31_0) true)
+(expandtypeattribute (apex_service_31_0) true)
+(expandtypeattribute (apex_wifi_data_file_31_0) true)
+(expandtypeattribute (apexd_31_0) true)
+(expandtypeattribute (apexd_config_prop_31_0) true)
+(expandtypeattribute (apexd_exec_31_0) true)
+(expandtypeattribute (apexd_prop_31_0) true)
+(expandtypeattribute (apk_data_file_31_0) true)
+(expandtypeattribute (apk_private_data_file_31_0) true)
+(expandtypeattribute (apk_private_tmp_file_31_0) true)
+(expandtypeattribute (apk_tmp_file_31_0) true)
+(expandtypeattribute (apk_verity_prop_31_0) true)
+(expandtypeattribute (app_binding_service_31_0) true)
+(expandtypeattribute (app_data_file_31_0) true)
+(expandtypeattribute (app_fuse_file_31_0) true)
+(expandtypeattribute (app_fusefs_31_0) true)
+(expandtypeattribute (app_hibernation_service_31_0) true)
+(expandtypeattribute (app_integrity_service_31_0) true)
+(expandtypeattribute (app_prediction_service_31_0) true)
+(expandtypeattribute (app_search_service_31_0) true)
+(expandtypeattribute (app_zygote_31_0) true)
+(expandtypeattribute (app_zygote_tmpfs_31_0) true)
+(expandtypeattribute (appcompat_data_file_31_0) true)
+(expandtypeattribute (appdomain_tmpfs_31_0) true)
+(expandtypeattribute (appops_service_31_0) true)
+(expandtypeattribute (appwidget_service_31_0) true)
+(expandtypeattribute (arm64_memtag_prop_31_0) true)
+(expandtypeattribute (art_apex_dir_31_0) true)
+(expandtypeattribute (asec_apk_file_31_0) true)
+(expandtypeattribute (asec_image_file_31_0) true)
+(expandtypeattribute (asec_public_file_31_0) true)
+(expandtypeattribute (ashmem_device_31_0) true)
+(expandtypeattribute (ashmem_libcutils_device_31_0) true)
+(expandtypeattribute (assetatlas_service_31_0) true)
+(expandtypeattribute (atrace_31_0) true)
+(expandtypeattribute (audio_config_prop_31_0) true)
+(expandtypeattribute (audio_data_file_31_0) true)
+(expandtypeattribute (audio_device_31_0) true)
+(expandtypeattribute (audio_prop_31_0) true)
+(expandtypeattribute (audio_service_31_0) true)
+(expandtypeattribute (audiohal_data_file_31_0) true)
+(expandtypeattribute (audioserver_31_0) true)
+(expandtypeattribute (audioserver_data_file_31_0) true)
+(expandtypeattribute (audioserver_service_31_0) true)
+(expandtypeattribute (audioserver_tmpfs_31_0) true)
+(expandtypeattribute (auth_service_31_0) true)
+(expandtypeattribute (authorization_service_31_0) true)
+(expandtypeattribute (autofill_service_31_0) true)
+(expandtypeattribute (backup_data_file_31_0) true)
+(expandtypeattribute (backup_service_31_0) true)
+(expandtypeattribute (battery_service_31_0) true)
+(expandtypeattribute (batteryproperties_service_31_0) true)
+(expandtypeattribute (batterystats_service_31_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_31_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_31_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_31_0) true)
+(expandtypeattribute (binder_calls_stats_service_31_0) true)
+(expandtypeattribute (binder_device_31_0) true)
+(expandtypeattribute (binderfs_31_0) true)
+(expandtypeattribute (binderfs_logs_31_0) true)
+(expandtypeattribute (binderfs_logs_proc_31_0) true)
+(expandtypeattribute (binfmt_miscfs_31_0) true)
+(expandtypeattribute (biometric_service_31_0) true)
+(expandtypeattribute (blkid_31_0) true)
+(expandtypeattribute (blkid_untrusted_31_0) true)
+(expandtypeattribute (blob_store_service_31_0) true)
+(expandtypeattribute (block_device_31_0) true)
+(expandtypeattribute (bluetooth_31_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_31_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_31_0) true)
+(expandtypeattribute (bluetooth_data_file_31_0) true)
+(expandtypeattribute (bluetooth_efs_file_31_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_31_0) true)
+(expandtypeattribute (bluetooth_manager_service_31_0) true)
+(expandtypeattribute (bluetooth_prop_31_0) true)
+(expandtypeattribute (bluetooth_service_31_0) true)
+(expandtypeattribute (bluetooth_socket_31_0) true)
+(expandtypeattribute (boot_block_device_31_0) true)
+(expandtypeattribute (boot_status_prop_31_0) true)
+(expandtypeattribute (bootanim_31_0) true)
+(expandtypeattribute (bootanim_config_prop_31_0) true)
+(expandtypeattribute (bootanim_exec_31_0) true)
+(expandtypeattribute (bootanim_system_prop_31_0) true)
+(expandtypeattribute (bootchart_data_file_31_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_31_0) true)
+(expandtypeattribute (bootloader_prop_31_0) true)
+(expandtypeattribute (bootstat_31_0) true)
+(expandtypeattribute (bootstat_data_file_31_0) true)
+(expandtypeattribute (bootstat_exec_31_0) true)
+(expandtypeattribute (boottime_prop_31_0) true)
+(expandtypeattribute (boottime_public_prop_31_0) true)
+(expandtypeattribute (boottrace_data_file_31_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_31_0) true)
+(expandtypeattribute (bq_config_prop_31_0) true)
+(expandtypeattribute (broadcastradio_service_31_0) true)
+(expandtypeattribute (bufferhubd_31_0) true)
+(expandtypeattribute (bufferhubd_exec_31_0) true)
+(expandtypeattribute (bugreport_service_31_0) true)
+(expandtypeattribute (build_bootimage_prop_31_0) true)
+(expandtypeattribute (build_config_prop_31_0) true)
+(expandtypeattribute (build_odm_prop_31_0) true)
+(expandtypeattribute (build_prop_31_0) true)
+(expandtypeattribute (build_vendor_prop_31_0) true)
+(expandtypeattribute (cache_backup_file_31_0) true)
+(expandtypeattribute (cache_block_device_31_0) true)
+(expandtypeattribute (cache_file_31_0) true)
+(expandtypeattribute (cache_private_backup_file_31_0) true)
+(expandtypeattribute (cache_recovery_file_31_0) true)
+(expandtypeattribute (cacheinfo_service_31_0) true)
+(expandtypeattribute (camera2_extensions_prop_31_0) true)
+(expandtypeattribute (camera_calibration_prop_31_0) true)
+(expandtypeattribute (camera_config_prop_31_0) true)
+(expandtypeattribute (camera_data_file_31_0) true)
+(expandtypeattribute (camera_device_31_0) true)
+(expandtypeattribute (cameraproxy_service_31_0) true)
+(expandtypeattribute (cameraserver_31_0) true)
+(expandtypeattribute (cameraserver_exec_31_0) true)
+(expandtypeattribute (cameraserver_service_31_0) true)
+(expandtypeattribute (cameraserver_tmpfs_31_0) true)
+(expandtypeattribute (camerax_extensions_prop_31_0) true)
+(expandtypeattribute (cgroup_31_0) true)
+(expandtypeattribute (cgroup_desc_api_file_31_0) true)
+(expandtypeattribute (cgroup_desc_file_31_0) true)
+(expandtypeattribute (cgroup_rc_file_31_0) true)
+(expandtypeattribute (cgroup_v2_31_0) true)
+(expandtypeattribute (charger_31_0) true)
+(expandtypeattribute (charger_config_prop_31_0) true)
+(expandtypeattribute (charger_exec_31_0) true)
+(expandtypeattribute (charger_prop_31_0) true)
+(expandtypeattribute (charger_status_prop_31_0) true)
+(expandtypeattribute (clipboard_service_31_0) true)
+(expandtypeattribute (codec2_config_prop_31_0) true)
+(expandtypeattribute (cold_boot_done_prop_31_0) true)
+(expandtypeattribute (color_display_service_31_0) true)
+(expandtypeattribute (companion_device_service_31_0) true)
+(expandtypeattribute (config_prop_31_0) true)
+(expandtypeattribute (configfs_31_0) true)
+(expandtypeattribute (connectivity_service_31_0) true)
+(expandtypeattribute (connmetrics_service_31_0) true)
+(expandtypeattribute (console_device_31_0) true)
+(expandtypeattribute (consumer_ir_service_31_0) true)
+(expandtypeattribute (content_capture_service_31_0) true)
+(expandtypeattribute (content_service_31_0) true)
+(expandtypeattribute (content_suggestions_service_31_0) true)
+(expandtypeattribute (contexthub_service_31_0) true)
+(expandtypeattribute (coredump_file_31_0) true)
+(expandtypeattribute (country_detector_service_31_0) true)
+(expandtypeattribute (coverage_service_31_0) true)
+(expandtypeattribute (cppreopt_prop_31_0) true)
+(expandtypeattribute (cpu_variant_prop_31_0) true)
+(expandtypeattribute (cpuinfo_service_31_0) true)
+(expandtypeattribute (crash_dump_31_0) true)
+(expandtypeattribute (crash_dump_exec_31_0) true)
+(expandtypeattribute (credstore_31_0) true)
+(expandtypeattribute (credstore_data_file_31_0) true)
+(expandtypeattribute (credstore_exec_31_0) true)
+(expandtypeattribute (credstore_service_31_0) true)
+(expandtypeattribute (crossprofileapps_service_31_0) true)
+(expandtypeattribute (ctl_adbd_prop_31_0) true)
+(expandtypeattribute (ctl_apexd_prop_31_0) true)
+(expandtypeattribute (ctl_bootanim_prop_31_0) true)
+(expandtypeattribute (ctl_bugreport_prop_31_0) true)
+(expandtypeattribute (ctl_console_prop_31_0) true)
+(expandtypeattribute (ctl_default_prop_31_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_31_0) true)
+(expandtypeattribute (ctl_fuse_prop_31_0) true)
+(expandtypeattribute (ctl_gsid_prop_31_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_31_0) true)
+(expandtypeattribute (ctl_interface_start_prop_31_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_31_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_31_0) true)
+(expandtypeattribute (ctl_restart_prop_31_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_31_0) true)
+(expandtypeattribute (ctl_sigstop_prop_31_0) true)
+(expandtypeattribute (ctl_start_prop_31_0) true)
+(expandtypeattribute (ctl_stop_prop_31_0) true)
+(expandtypeattribute (dalvik_config_prop_31_0) true)
+(expandtypeattribute (dalvik_prop_31_0) true)
+(expandtypeattribute (dalvik_runtime_prop_31_0) true)
+(expandtypeattribute (dalvikcache_data_file_31_0) true)
+(expandtypeattribute (dataloader_manager_service_31_0) true)
+(expandtypeattribute (dbinfo_service_31_0) true)
+(expandtypeattribute (dck_prop_31_0) true)
+(expandtypeattribute (debug_prop_31_0) true)
+(expandtypeattribute (debugfs_31_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_31_0) true)
+(expandtypeattribute (debugfs_kprobes_31_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_31_0) true)
+(expandtypeattribute (debugfs_mmc_31_0) true)
+(expandtypeattribute (debugfs_restriction_prop_31_0) true)
+(expandtypeattribute (debugfs_trace_marker_31_0) true)
+(expandtypeattribute (debugfs_tracing_31_0) true)
+(expandtypeattribute (debugfs_tracing_debug_31_0) true)
+(expandtypeattribute (debugfs_tracing_instances_31_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_31_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_31_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_31_0) true)
+(expandtypeattribute (debuggerd_prop_31_0) true)
+(expandtypeattribute (default_android_hwservice_31_0) true)
+(expandtypeattribute (default_android_service_31_0) true)
+(expandtypeattribute (default_android_vndservice_31_0) true)
+(expandtypeattribute (default_prop_31_0) true)
+(expandtypeattribute (dev_cpu_variant_31_0) true)
+(expandtypeattribute (device_31_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_31_0) true)
+(expandtypeattribute (device_config_boot_count_prop_31_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_31_0) true)
+(expandtypeattribute (device_config_media_native_prop_31_0) true)
+(expandtypeattribute (device_config_netd_native_prop_31_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_31_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_31_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_31_0) true)
+(expandtypeattribute (device_config_service_31_0) true)
+(expandtypeattribute (device_identifiers_service_31_0) true)
+(expandtypeattribute (device_logging_prop_31_0) true)
+(expandtypeattribute (device_policy_service_31_0) true)
+(expandtypeattribute (device_state_service_31_0) true)
+(expandtypeattribute (deviceidle_service_31_0) true)
+(expandtypeattribute (devicestoragemonitor_service_31_0) true)
+(expandtypeattribute (devpts_31_0) true)
+(expandtypeattribute (dhcp_31_0) true)
+(expandtypeattribute (dhcp_data_file_31_0) true)
+(expandtypeattribute (dhcp_exec_31_0) true)
+(expandtypeattribute (dhcp_prop_31_0) true)
+(expandtypeattribute (diskstats_service_31_0) true)
+(expandtypeattribute (display_service_31_0) true)
+(expandtypeattribute (dm_device_31_0) true)
+(expandtypeattribute (dm_user_device_31_0) true)
+(expandtypeattribute (dmabuf_heap_device_31_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_31_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_31_0) true)
+(expandtypeattribute (dnsmasq_31_0) true)
+(expandtypeattribute (dnsmasq_exec_31_0) true)
+(expandtypeattribute (dnsproxyd_socket_31_0) true)
+(expandtypeattribute (dnsresolver_service_31_0) true)
+(expandtypeattribute (domain_verification_service_31_0) true)
+(expandtypeattribute (dreams_service_31_0) true)
+(expandtypeattribute (drm_data_file_31_0) true)
+(expandtypeattribute (drm_service_config_prop_31_0) true)
+(expandtypeattribute (drmserver_31_0) true)
+(expandtypeattribute (drmserver_exec_31_0) true)
+(expandtypeattribute (drmserver_service_31_0) true)
+(expandtypeattribute (drmserver_socket_31_0) true)
+(expandtypeattribute (dropbox_data_file_31_0) true)
+(expandtypeattribute (dropbox_service_31_0) true)
+(expandtypeattribute (dumpstate_31_0) true)
+(expandtypeattribute (dumpstate_exec_31_0) true)
+(expandtypeattribute (dumpstate_options_prop_31_0) true)
+(expandtypeattribute (dumpstate_prop_31_0) true)
+(expandtypeattribute (dumpstate_service_31_0) true)
+(expandtypeattribute (dumpstate_socket_31_0) true)
+(expandtypeattribute (dynamic_system_prop_31_0) true)
+(expandtypeattribute (e2fs_31_0) true)
+(expandtypeattribute (e2fs_exec_31_0) true)
+(expandtypeattribute (efs_file_31_0) true)
+(expandtypeattribute (emergency_affordance_service_31_0) true)
+(expandtypeattribute (ephemeral_app_31_0) true)
+(expandtypeattribute (ethernet_service_31_0) true)
+(expandtypeattribute (exfat_31_0) true)
+(expandtypeattribute (exported3_system_prop_31_0) true)
+(expandtypeattribute (exported_bluetooth_prop_31_0) true)
+(expandtypeattribute (exported_camera_prop_31_0) true)
+(expandtypeattribute (exported_config_prop_31_0) true)
+(expandtypeattribute (exported_default_prop_31_0) true)
+(expandtypeattribute (exported_dumpstate_prop_31_0) true)
+(expandtypeattribute (exported_overlay_prop_31_0) true)
+(expandtypeattribute (exported_pm_prop_31_0) true)
+(expandtypeattribute (exported_secure_prop_31_0) true)
+(expandtypeattribute (exported_system_prop_31_0) true)
+(expandtypeattribute (external_vibrator_service_31_0) true)
+(expandtypeattribute (face_service_31_0) true)
+(expandtypeattribute (face_vendor_data_file_31_0) true)
+(expandtypeattribute (fastbootd_31_0) true)
+(expandtypeattribute (ffs_config_prop_31_0) true)
+(expandtypeattribute (ffs_control_prop_31_0) true)
+(expandtypeattribute (file_contexts_file_31_0) true)
+(expandtypeattribute (file_integrity_service_31_0) true)
+(expandtypeattribute (fingerprint_prop_31_0) true)
+(expandtypeattribute (fingerprint_service_31_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_31_0) true)
+(expandtypeattribute (fingerprintd_31_0) true)
+(expandtypeattribute (fingerprintd_data_file_31_0) true)
+(expandtypeattribute (fingerprintd_exec_31_0) true)
+(expandtypeattribute (fingerprintd_service_31_0) true)
+(expandtypeattribute (firstboot_prop_31_0) true)
+(expandtypeattribute (flags_health_check_31_0) true)
+(expandtypeattribute (flags_health_check_exec_31_0) true)
+(expandtypeattribute (font_service_31_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_31_0) true)
+(expandtypeattribute (frp_block_device_31_0) true)
+(expandtypeattribute (fs_bpf_31_0) true)
+(expandtypeattribute (fs_bpf_tethering_31_0) true)
+(expandtypeattribute (fsck_31_0) true)
+(expandtypeattribute (fsck_exec_31_0) true)
+(expandtypeattribute (fsck_untrusted_31_0) true)
+(expandtypeattribute (fscklogs_31_0) true)
+(expandtypeattribute (functionfs_31_0) true)
+(expandtypeattribute (fuse_31_0) true)
+(expandtypeattribute (fuse_device_31_0) true)
+(expandtypeattribute (fusectlfs_31_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_31_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_31_0) true)
+(expandtypeattribute (fwk_camera_hwservice_31_0) true)
+(expandtypeattribute (fwk_display_hwservice_31_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_31_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_31_0) true)
+(expandtypeattribute (fwk_stats_hwservice_31_0) true)
+(expandtypeattribute (fwk_stats_service_31_0) true)
+(expandtypeattribute (fwmarkd_socket_31_0) true)
+(expandtypeattribute (game_service_31_0) true)
+(expandtypeattribute (gatekeeper_data_file_31_0) true)
+(expandtypeattribute (gatekeeper_service_31_0) true)
+(expandtypeattribute (gatekeeperd_31_0) true)
+(expandtypeattribute (gatekeeperd_exec_31_0) true)
+(expandtypeattribute (gfxinfo_service_31_0) true)
+(expandtypeattribute (gmscore_app_31_0) true)
+(expandtypeattribute (gnss_device_31_0) true)
+(expandtypeattribute (gnss_time_update_service_31_0) true)
+(expandtypeattribute (gps_control_31_0) true)
+(expandtypeattribute (gpu_device_31_0) true)
+(expandtypeattribute (gpu_service_31_0) true)
+(expandtypeattribute (gpuservice_31_0) true)
+(expandtypeattribute (graphics_config_prop_31_0) true)
+(expandtypeattribute (graphics_device_31_0) true)
+(expandtypeattribute (graphicsstats_service_31_0) true)
+(expandtypeattribute (gsi_data_file_31_0) true)
+(expandtypeattribute (gsi_metadata_file_31_0) true)
+(expandtypeattribute (gsi_public_metadata_file_31_0) true)
+(expandtypeattribute (hal_atrace_hwservice_31_0) true)
+(expandtypeattribute (hal_audio_hwservice_31_0) true)
+(expandtypeattribute (hal_audio_service_31_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_31_0) true)
+(expandtypeattribute (hal_audiocontrol_service_31_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_31_0) true)
+(expandtypeattribute (hal_authsecret_service_31_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_31_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_31_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_31_0) true)
+(expandtypeattribute (hal_camera_hwservice_31_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_31_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_31_0) true)
+(expandtypeattribute (hal_cas_hwservice_31_0) true)
+(expandtypeattribute (hal_codec2_hwservice_31_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_31_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_31_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_31_0) true)
+(expandtypeattribute (hal_drm_hwservice_31_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_31_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_31_0) true)
+(expandtypeattribute (hal_evs_hwservice_31_0) true)
+(expandtypeattribute (hal_face_hwservice_31_0) true)
+(expandtypeattribute (hal_face_service_31_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_31_0) true)
+(expandtypeattribute (hal_fingerprint_service_31_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_31_0) true)
+(expandtypeattribute (hal_gnss_hwservice_31_0) true)
+(expandtypeattribute (hal_gnss_service_31_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_31_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_31_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_31_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_31_0) true)
+(expandtypeattribute (hal_health_hwservice_31_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_31_0) true)
+(expandtypeattribute (hal_health_storage_service_31_0) true)
+(expandtypeattribute (hal_identity_service_31_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_31_0) true)
+(expandtypeattribute (hal_instrumentation_prop_31_0) true)
+(expandtypeattribute (hal_ir_hwservice_31_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_31_0) true)
+(expandtypeattribute (hal_keymint_service_31_0) true)
+(expandtypeattribute (hal_light_hwservice_31_0) true)
+(expandtypeattribute (hal_light_service_31_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_31_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_31_0) true)
+(expandtypeattribute (hal_memtrack_service_31_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_31_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_31_0) true)
+(expandtypeattribute (hal_nfc_hwservice_31_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_31_0) true)
+(expandtypeattribute (hal_oemlock_service_31_0) true)
+(expandtypeattribute (hal_omx_hwservice_31_0) true)
+(expandtypeattribute (hal_power_hwservice_31_0) true)
+(expandtypeattribute (hal_power_service_31_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_31_0) true)
+(expandtypeattribute (hal_power_stats_service_31_0) true)
+(expandtypeattribute (hal_rebootescrow_service_31_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_31_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_31_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_31_0) true)
+(expandtypeattribute (hal_secureclock_service_31_0) true)
+(expandtypeattribute (hal_sensors_hwservice_31_0) true)
+(expandtypeattribute (hal_sharedsecret_service_31_0) true)
+(expandtypeattribute (hal_telephony_hwservice_31_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_31_0) true)
+(expandtypeattribute (hal_thermal_hwservice_31_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_31_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_31_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_31_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_31_0) true)
+(expandtypeattribute (hal_usb_hwservice_31_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_31_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_31_0) true)
+(expandtypeattribute (hal_vibrator_service_31_0) true)
+(expandtypeattribute (hal_vr_hwservice_31_0) true)
+(expandtypeattribute (hal_weaver_hwservice_31_0) true)
+(expandtypeattribute (hal_weaver_service_31_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_31_0) true)
+(expandtypeattribute (hal_wifi_hwservice_31_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_31_0) true)
+(expandtypeattribute (hardware_properties_service_31_0) true)
+(expandtypeattribute (hardware_service_31_0) true)
+(expandtypeattribute (hci_attach_dev_31_0) true)
+(expandtypeattribute (hdmi_config_prop_31_0) true)
+(expandtypeattribute (hdmi_control_service_31_0) true)
+(expandtypeattribute (healthd_31_0) true)
+(expandtypeattribute (healthd_exec_31_0) true)
+(expandtypeattribute (heapdump_data_file_31_0) true)
+(expandtypeattribute (heapprofd_31_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_31_0) true)
+(expandtypeattribute (heapprofd_prop_31_0) true)
+(expandtypeattribute (heapprofd_socket_31_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_31_0) true)
+(expandtypeattribute (hidl_base_hwservice_31_0) true)
+(expandtypeattribute (hidl_manager_hwservice_31_0) true)
+(expandtypeattribute (hidl_memory_hwservice_31_0) true)
+(expandtypeattribute (hidl_token_hwservice_31_0) true)
+(expandtypeattribute (hint_service_31_0) true)
+(expandtypeattribute (hw_random_device_31_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_31_0) true)
+(expandtypeattribute (hwbinder_device_31_0) true)
+(expandtypeattribute (hwservice_contexts_file_31_0) true)
+(expandtypeattribute (hwservicemanager_31_0) true)
+(expandtypeattribute (hwservicemanager_exec_31_0) true)
+(expandtypeattribute (hwservicemanager_prop_31_0) true)
+(expandtypeattribute (icon_file_31_0) true)
+(expandtypeattribute (idmap_31_0) true)
+(expandtypeattribute (idmap_exec_31_0) true)
+(expandtypeattribute (idmap_service_31_0) true)
+(expandtypeattribute (iio_device_31_0) true)
+(expandtypeattribute (imms_service_31_0) true)
+(expandtypeattribute (incident_31_0) true)
+(expandtypeattribute (incident_data_file_31_0) true)
+(expandtypeattribute (incident_helper_31_0) true)
+(expandtypeattribute (incident_service_31_0) true)
+(expandtypeattribute (incidentd_31_0) true)
+(expandtypeattribute (incremental_control_file_31_0) true)
+(expandtypeattribute (incremental_prop_31_0) true)
+(expandtypeattribute (incremental_service_31_0) true)
+(expandtypeattribute (init_31_0) true)
+(expandtypeattribute (init_exec_31_0) true)
+(expandtypeattribute (init_service_status_prop_31_0) true)
+(expandtypeattribute (init_tmpfs_31_0) true)
+(expandtypeattribute (inotify_31_0) true)
+(expandtypeattribute (input_device_31_0) true)
+(expandtypeattribute (input_method_service_31_0) true)
+(expandtypeattribute (input_service_31_0) true)
+(expandtypeattribute (inputflinger_31_0) true)
+(expandtypeattribute (inputflinger_exec_31_0) true)
+(expandtypeattribute (inputflinger_service_31_0) true)
+(expandtypeattribute (install_data_file_31_0) true)
+(expandtypeattribute (installd_31_0) true)
+(expandtypeattribute (installd_exec_31_0) true)
+(expandtypeattribute (installd_service_31_0) true)
+(expandtypeattribute (ion_device_31_0) true)
+(expandtypeattribute (iorap_inode2filename_31_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_31_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_31_0) true)
+(expandtypeattribute (iorap_prefetcherd_31_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_31_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_31_0) true)
+(expandtypeattribute (iorapd_31_0) true)
+(expandtypeattribute (iorapd_data_file_31_0) true)
+(expandtypeattribute (iorapd_exec_31_0) true)
+(expandtypeattribute (iorapd_service_31_0) true)
+(expandtypeattribute (iorapd_tmpfs_31_0) true)
+(expandtypeattribute (ipsec_service_31_0) true)
+(expandtypeattribute (iris_service_31_0) true)
+(expandtypeattribute (iris_vendor_data_file_31_0) true)
+(expandtypeattribute (isolated_app_31_0) true)
+(expandtypeattribute (jobscheduler_service_31_0) true)
+(expandtypeattribute (kernel_31_0) true)
+(expandtypeattribute (keychain_data_file_31_0) true)
+(expandtypeattribute (keychord_device_31_0) true)
+(expandtypeattribute (keyguard_config_prop_31_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_31_0) true)
+(expandtypeattribute (keystore_31_0) true)
+(expandtypeattribute (keystore_compat_hal_service_31_0) true)
+(expandtypeattribute (keystore_data_file_31_0) true)
+(expandtypeattribute (keystore_exec_31_0) true)
+(expandtypeattribute (keystore_maintenance_service_31_0) true)
+(expandtypeattribute (keystore_metrics_service_31_0) true)
+(expandtypeattribute (keystore_service_31_0) true)
+(expandtypeattribute (kmsg_debug_device_31_0) true)
+(expandtypeattribute (kmsg_device_31_0) true)
+(expandtypeattribute (labeledfs_31_0) true)
+(expandtypeattribute (launcherapps_service_31_0) true)
+(expandtypeattribute (legacy_permission_service_31_0) true)
+(expandtypeattribute (legacykeystore_service_31_0) true)
+(expandtypeattribute (libc_debug_prop_31_0) true)
+(expandtypeattribute (light_service_31_0) true)
+(expandtypeattribute (linkerconfig_file_31_0) true)
+(expandtypeattribute (llkd_31_0) true)
+(expandtypeattribute (llkd_exec_31_0) true)
+(expandtypeattribute (llkd_prop_31_0) true)
+(expandtypeattribute (lmkd_31_0) true)
+(expandtypeattribute (lmkd_config_prop_31_0) true)
+(expandtypeattribute (lmkd_exec_31_0) true)
+(expandtypeattribute (lmkd_prop_31_0) true)
+(expandtypeattribute (lmkd_socket_31_0) true)
+(expandtypeattribute (location_service_31_0) true)
+(expandtypeattribute (location_time_zone_manager_service_31_0) true)
+(expandtypeattribute (lock_settings_service_31_0) true)
+(expandtypeattribute (log_prop_31_0) true)
+(expandtypeattribute (log_tag_prop_31_0) true)
+(expandtypeattribute (logcat_exec_31_0) true)
+(expandtypeattribute (logd_31_0) true)
+(expandtypeattribute (logd_exec_31_0) true)
+(expandtypeattribute (logd_prop_31_0) true)
+(expandtypeattribute (logd_socket_31_0) true)
+(expandtypeattribute (logdr_socket_31_0) true)
+(expandtypeattribute (logdw_socket_31_0) true)
+(expandtypeattribute (logpersist_31_0) true)
+(expandtypeattribute (logpersistd_logging_prop_31_0) true)
+(expandtypeattribute (loop_control_device_31_0) true)
+(expandtypeattribute (loop_device_31_0) true)
+(expandtypeattribute (looper_stats_service_31_0) true)
+(expandtypeattribute (lowpan_device_31_0) true)
+(expandtypeattribute (lowpan_prop_31_0) true)
+(expandtypeattribute (lowpan_service_31_0) true)
+(expandtypeattribute (lpdump_service_31_0) true)
+(expandtypeattribute (lpdumpd_prop_31_0) true)
+(expandtypeattribute (mac_perms_file_31_0) true)
+(expandtypeattribute (mdns_socket_31_0) true)
+(expandtypeattribute (mdnsd_31_0) true)
+(expandtypeattribute (mdnsd_socket_31_0) true)
+(expandtypeattribute (media_communication_service_31_0) true)
+(expandtypeattribute (media_config_prop_31_0) true)
+(expandtypeattribute (media_data_file_31_0) true)
+(expandtypeattribute (media_metrics_service_31_0) true)
+(expandtypeattribute (media_projection_service_31_0) true)
+(expandtypeattribute (media_router_service_31_0) true)
+(expandtypeattribute (media_rw_data_file_31_0) true)
+(expandtypeattribute (media_session_service_31_0) true)
+(expandtypeattribute (media_variant_prop_31_0) true)
+(expandtypeattribute (mediadrm_config_prop_31_0) true)
+(expandtypeattribute (mediadrmserver_31_0) true)
+(expandtypeattribute (mediadrmserver_exec_31_0) true)
+(expandtypeattribute (mediadrmserver_service_31_0) true)
+(expandtypeattribute (mediaextractor_31_0) true)
+(expandtypeattribute (mediaextractor_exec_31_0) true)
+(expandtypeattribute (mediaextractor_service_31_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_31_0) true)
+(expandtypeattribute (mediametrics_31_0) true)
+(expandtypeattribute (mediametrics_exec_31_0) true)
+(expandtypeattribute (mediametrics_service_31_0) true)
+(expandtypeattribute (mediaprovider_31_0) true)
+(expandtypeattribute (mediaserver_31_0) true)
+(expandtypeattribute (mediaserver_exec_31_0) true)
+(expandtypeattribute (mediaserver_service_31_0) true)
+(expandtypeattribute (mediaserver_tmpfs_31_0) true)
+(expandtypeattribute (mediaswcodec_31_0) true)
+(expandtypeattribute (mediaswcodec_exec_31_0) true)
+(expandtypeattribute (mediatranscoding_service_31_0) true)
+(expandtypeattribute (meminfo_service_31_0) true)
+(expandtypeattribute (memtrackproxy_service_31_0) true)
+(expandtypeattribute (metadata_block_device_31_0) true)
+(expandtypeattribute (metadata_bootstat_file_31_0) true)
+(expandtypeattribute (metadata_file_31_0) true)
+(expandtypeattribute (method_trace_data_file_31_0) true)
+(expandtypeattribute (midi_service_31_0) true)
+(expandtypeattribute (mirror_data_file_31_0) true)
+(expandtypeattribute (misc_block_device_31_0) true)
+(expandtypeattribute (misc_logd_file_31_0) true)
+(expandtypeattribute (misc_user_data_file_31_0) true)
+(expandtypeattribute (mm_events_config_prop_31_0) true)
+(expandtypeattribute (mmc_prop_31_0) true)
+(expandtypeattribute (mnt_expand_file_31_0) true)
+(expandtypeattribute (mnt_media_rw_file_31_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_31_0) true)
+(expandtypeattribute (mnt_pass_through_file_31_0) true)
+(expandtypeattribute (mnt_product_file_31_0) true)
+(expandtypeattribute (mnt_sdcard_file_31_0) true)
+(expandtypeattribute (mnt_user_file_31_0) true)
+(expandtypeattribute (mnt_vendor_file_31_0) true)
+(expandtypeattribute (mock_ota_prop_31_0) true)
+(expandtypeattribute (modprobe_31_0) true)
+(expandtypeattribute (module_sdkextensions_prop_31_0) true)
+(expandtypeattribute (mount_service_31_0) true)
+(expandtypeattribute (mqueue_31_0) true)
+(expandtypeattribute (mtp_31_0) true)
+(expandtypeattribute (mtp_device_31_0) true)
+(expandtypeattribute (mtp_exec_31_0) true)
+(expandtypeattribute (mtpd_socket_31_0) true)
+(expandtypeattribute (music_recognition_service_31_0) true)
+(expandtypeattribute (nativetest_data_file_31_0) true)
+(expandtypeattribute (net_data_file_31_0) true)
+(expandtypeattribute (net_dns_prop_31_0) true)
+(expandtypeattribute (net_radio_prop_31_0) true)
+(expandtypeattribute (netd_31_0) true)
+(expandtypeattribute (netd_exec_31_0) true)
+(expandtypeattribute (netd_listener_service_31_0) true)
+(expandtypeattribute (netd_service_31_0) true)
+(expandtypeattribute (netif_31_0) true)
+(expandtypeattribute
(netpolicy_service_31_0) true) +(expandtypeattribute (netstats_service_31_0) true) +(expandtypeattribute (netutils_wrapper_31_0) true) +(expandtypeattribute (netutils_wrapper_exec_31_0) true) +(expandtypeattribute (network_management_service_31_0) true) +(expandtypeattribute (network_score_service_31_0) true) +(expandtypeattribute (network_stack_31_0) true) +(expandtypeattribute (network_stack_service_31_0) true) +(expandtypeattribute (network_time_update_service_31_0) true) +(expandtypeattribute (network_watchlist_data_file_31_0) true) +(expandtypeattribute (network_watchlist_service_31_0) true) +(expandtypeattribute (nfc_31_0) true) +(expandtypeattribute (nfc_data_file_31_0) true) +(expandtypeattribute (nfc_device_31_0) true) +(expandtypeattribute (nfc_logs_data_file_31_0) true) +(expandtypeattribute (nfc_prop_31_0) true) +(expandtypeattribute (nfc_service_31_0) true) +(expandtypeattribute (nnapi_ext_deny_product_prop_31_0) true) +(expandtypeattribute (node_31_0) true) +(expandtypeattribute (nonplat_service_contexts_file_31_0) true) +(expandtypeattribute (notification_service_31_0) true) +(expandtypeattribute (null_device_31_0) true) +(expandtypeattribute (oem_lock_service_31_0) true) +(expandtypeattribute (oem_unlock_prop_31_0) true) +(expandtypeattribute (oemfs_31_0) true) +(expandtypeattribute (ota_data_file_31_0) true) +(expandtypeattribute (ota_metadata_file_31_0) true) +(expandtypeattribute (ota_package_file_31_0) true) +(expandtypeattribute (ota_prop_31_0) true) +(expandtypeattribute (otadexopt_service_31_0) true) +(expandtypeattribute (otapreopt_chroot_31_0) true) +(expandtypeattribute (overlay_prop_31_0) true) +(expandtypeattribute (overlay_service_31_0) true) +(expandtypeattribute (overlayfs_file_31_0) true) +(expandtypeattribute (owntty_device_31_0) true) +(expandtypeattribute (pac_proxy_service_31_0) true) +(expandtypeattribute (package_native_service_31_0) true) +(expandtypeattribute (package_service_31_0) true) +(expandtypeattribute 
(packagemanager_config_prop_31_0) true) +(expandtypeattribute (packages_list_file_31_0) true) +(expandtypeattribute (pan_result_prop_31_0) true) +(expandtypeattribute (password_slot_metadata_file_31_0) true) +(expandtypeattribute (pdx_bufferhub_client_channel_socket_31_0) true) +(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_bufferhub_dir_31_0) true) +(expandtypeattribute (pdx_display_client_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_client_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_display_dir_31_0) true) +(expandtypeattribute (pdx_display_manager_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_manager_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_display_screenshot_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_screenshot_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_display_vsync_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_vsync_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_performance_client_channel_socket_31_0) true) +(expandtypeattribute (pdx_performance_client_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_performance_dir_31_0) true) +(expandtypeattribute (people_service_31_0) true) +(expandtypeattribute (perfetto_31_0) true) +(expandtypeattribute (performanced_31_0) true) +(expandtypeattribute (performanced_exec_31_0) true) +(expandtypeattribute (permission_checker_service_31_0) true) +(expandtypeattribute (permission_service_31_0) true) +(expandtypeattribute (permissionmgr_service_31_0) true) +(expandtypeattribute (persist_debug_prop_31_0) true) +(expandtypeattribute (persist_vendor_debug_wifi_prop_31_0) true) +(expandtypeattribute (persistent_data_block_service_31_0) true) +(expandtypeattribute (persistent_properties_ready_prop_31_0) true) +(expandtypeattribute (pinner_service_31_0) true) +(expandtypeattribute (pipefs_31_0) true) +(expandtypeattribute (platform_app_31_0) true) 
+(expandtypeattribute (platform_compat_service_31_0) true) +(expandtypeattribute (pmsg_device_31_0) true) +(expandtypeattribute (port_31_0) true) +(expandtypeattribute (port_device_31_0) true) +(expandtypeattribute (postinstall_31_0) true) +(expandtypeattribute (postinstall_apex_mnt_dir_31_0) true) +(expandtypeattribute (postinstall_file_31_0) true) +(expandtypeattribute (postinstall_mnt_dir_31_0) true) +(expandtypeattribute (power_debug_prop_31_0) true) +(expandtypeattribute (power_service_31_0) true) +(expandtypeattribute (powerctl_prop_31_0) true) +(expandtypeattribute (powerstats_service_31_0) true) +(expandtypeattribute (ppp_31_0) true) +(expandtypeattribute (ppp_device_31_0) true) +(expandtypeattribute (ppp_exec_31_0) true) +(expandtypeattribute (preloads_data_file_31_0) true) +(expandtypeattribute (preloads_media_file_31_0) true) +(expandtypeattribute (prereboot_data_file_31_0) true) +(expandtypeattribute (print_service_31_0) true) +(expandtypeattribute (priv_app_31_0) true) +(expandtypeattribute (privapp_data_file_31_0) true) +(expandtypeattribute (proc_31_0) true) +(expandtypeattribute (proc_abi_31_0) true) +(expandtypeattribute (proc_asound_31_0) true) +(expandtypeattribute (proc_bluetooth_writable_31_0) true) +(expandtypeattribute (proc_bootconfig_31_0) true) +(expandtypeattribute (proc_buddyinfo_31_0) true) +(expandtypeattribute (proc_cmdline_31_0) true) +(expandtypeattribute (proc_cpuinfo_31_0) true) +(expandtypeattribute (proc_dirty_31_0) true) +(expandtypeattribute (proc_diskstats_31_0) true) +(expandtypeattribute (proc_drop_caches_31_0) true) +(expandtypeattribute (proc_extra_free_kbytes_31_0) true) +(expandtypeattribute (proc_filesystems_31_0) true) +(expandtypeattribute (proc_fs_verity_31_0) true) +(expandtypeattribute (proc_hostname_31_0) true) +(expandtypeattribute (proc_hung_task_31_0) true) +(expandtypeattribute (proc_interrupts_31_0) true) +(expandtypeattribute (proc_iomem_31_0) true) +(expandtypeattribute (proc_kallsyms_31_0) true) 
+(expandtypeattribute (proc_keys_31_0) true) +(expandtypeattribute (proc_kmsg_31_0) true) +(expandtypeattribute (proc_kpageflags_31_0) true) +(expandtypeattribute (proc_loadavg_31_0) true) +(expandtypeattribute (proc_locks_31_0) true) +(expandtypeattribute (proc_lowmemorykiller_31_0) true) +(expandtypeattribute (proc_max_map_count_31_0) true) +(expandtypeattribute (proc_meminfo_31_0) true) +(expandtypeattribute (proc_min_free_order_shift_31_0) true) +(expandtypeattribute (proc_misc_31_0) true) +(expandtypeattribute (proc_modules_31_0) true) +(expandtypeattribute (proc_mounts_31_0) true) +(expandtypeattribute (proc_net_31_0) true) +(expandtypeattribute (proc_net_tcp_udp_31_0) true) +(expandtypeattribute (proc_overcommit_memory_31_0) true) +(expandtypeattribute (proc_page_cluster_31_0) true) +(expandtypeattribute (proc_pagetypeinfo_31_0) true) +(expandtypeattribute (proc_panic_31_0) true) +(expandtypeattribute (proc_perf_31_0) true) +(expandtypeattribute (proc_pid_max_31_0) true) +(expandtypeattribute (proc_pipe_conf_31_0) true) +(expandtypeattribute (proc_pressure_cpu_31_0) true) +(expandtypeattribute (proc_pressure_io_31_0) true) +(expandtypeattribute (proc_pressure_mem_31_0) true) +(expandtypeattribute (proc_qtaguid_ctrl_31_0) true) +(expandtypeattribute (proc_qtaguid_stat_31_0) true) +(expandtypeattribute (proc_random_31_0) true) +(expandtypeattribute (proc_sched_31_0) true) +(expandtypeattribute (proc_security_31_0) true) +(expandtypeattribute (proc_slabinfo_31_0) true) +(expandtypeattribute (proc_stat_31_0) true) +(expandtypeattribute (proc_swaps_31_0) true) +(expandtypeattribute (proc_sysrq_31_0) true) +(expandtypeattribute (proc_timer_31_0) true) +(expandtypeattribute (proc_tty_drivers_31_0) true) +(expandtypeattribute (proc_uid_concurrent_active_time_31_0) true) +(expandtypeattribute (proc_uid_concurrent_policy_time_31_0) true) +(expandtypeattribute (proc_uid_cpupower_31_0) true) +(expandtypeattribute (proc_uid_cputime_removeuid_31_0) true) 
+(expandtypeattribute (proc_uid_cputime_showstat_31_0) true) +(expandtypeattribute (proc_uid_io_stats_31_0) true) +(expandtypeattribute (proc_uid_procstat_set_31_0) true) +(expandtypeattribute (proc_uid_time_in_state_31_0) true) +(expandtypeattribute (proc_uptime_31_0) true) +(expandtypeattribute (proc_vendor_sched_31_0) true) +(expandtypeattribute (proc_version_31_0) true) +(expandtypeattribute (proc_vmallocinfo_31_0) true) +(expandtypeattribute (proc_vmstat_31_0) true) +(expandtypeattribute (proc_zoneinfo_31_0) true) +(expandtypeattribute (processinfo_service_31_0) true) +(expandtypeattribute (procstats_service_31_0) true) +(expandtypeattribute (profman_31_0) true) +(expandtypeattribute (profman_dump_data_file_31_0) true) +(expandtypeattribute (profman_exec_31_0) true) +(expandtypeattribute (properties_device_31_0) true) +(expandtypeattribute (properties_serial_31_0) true) +(expandtypeattribute (property_contexts_file_31_0) true) +(expandtypeattribute (property_data_file_31_0) true) +(expandtypeattribute (property_info_31_0) true) +(expandtypeattribute (property_service_version_prop_31_0) true) +(expandtypeattribute (property_socket_31_0) true) +(expandtypeattribute (provisioned_prop_31_0) true) +(expandtypeattribute (pstorefs_31_0) true) +(expandtypeattribute (ptmx_device_31_0) true) +(expandtypeattribute (qemu_hw_prop_31_0) true) +(expandtypeattribute (qemu_sf_lcd_density_prop_31_0) true) +(expandtypeattribute (qtaguid_device_31_0) true) +(expandtypeattribute (racoon_31_0) true) +(expandtypeattribute (racoon_exec_31_0) true) +(expandtypeattribute (racoon_socket_31_0) true) +(expandtypeattribute (radio_31_0) true) +(expandtypeattribute (radio_control_prop_31_0) true) +(expandtypeattribute (radio_core_data_file_31_0) true) +(expandtypeattribute (radio_data_file_31_0) true) +(expandtypeattribute (radio_device_31_0) true) +(expandtypeattribute (radio_prop_31_0) true) +(expandtypeattribute (radio_service_31_0) true) +(expandtypeattribute (ram_device_31_0) true) 
+(expandtypeattribute (random_device_31_0) true) +(expandtypeattribute (reboot_readiness_service_31_0) true) +(expandtypeattribute (rebootescrow_hal_prop_31_0) true) +(expandtypeattribute (recovery_31_0) true) +(expandtypeattribute (recovery_block_device_31_0) true) +(expandtypeattribute (recovery_config_prop_31_0) true) +(expandtypeattribute (recovery_data_file_31_0) true) +(expandtypeattribute (recovery_persist_31_0) true) +(expandtypeattribute (recovery_persist_exec_31_0) true) +(expandtypeattribute (recovery_refresh_31_0) true) +(expandtypeattribute (recovery_refresh_exec_31_0) true) +(expandtypeattribute (recovery_service_31_0) true) +(expandtypeattribute (recovery_socket_31_0) true) +(expandtypeattribute (registry_service_31_0) true) +(expandtypeattribute (remoteprovisioning_service_31_0) true) +(expandtypeattribute (resourcecache_data_file_31_0) true) +(expandtypeattribute (restorecon_prop_31_0) true) +(expandtypeattribute (restrictions_service_31_0) true) +(expandtypeattribute (retaildemo_prop_31_0) true) +(expandtypeattribute (rild_debug_socket_31_0) true) +(expandtypeattribute (rild_socket_31_0) true) +(expandtypeattribute (ringtone_file_31_0) true) +(expandtypeattribute (role_service_31_0) true) +(expandtypeattribute (rollback_service_31_0) true) +(expandtypeattribute (root_block_device_31_0) true) +(expandtypeattribute (rootfs_31_0) true) +(expandtypeattribute (rpmsg_device_31_0) true) +(expandtypeattribute (rs_31_0) true) +(expandtypeattribute (rs_exec_31_0) true) +(expandtypeattribute (rss_hwm_reset_31_0) true) +(expandtypeattribute (rtc_device_31_0) true) +(expandtypeattribute (rttmanager_service_31_0) true) +(expandtypeattribute (runas_31_0) true) +(expandtypeattribute (runas_app_31_0) true) +(expandtypeattribute (runas_exec_31_0) true) +(expandtypeattribute (runtime_event_log_tags_file_31_0) true) +(expandtypeattribute (runtime_service_31_0) true) +(expandtypeattribute (safemode_prop_31_0) true) +(expandtypeattribute (same_process_hal_file_31_0) 
true) +(expandtypeattribute (samplingprofiler_service_31_0) true) +(expandtypeattribute (scheduling_policy_service_31_0) true) +(expandtypeattribute (sdcard_block_device_31_0) true) +(expandtypeattribute (sdcardd_31_0) true) +(expandtypeattribute (sdcardd_exec_31_0) true) +(expandtypeattribute (sdcardfs_31_0) true) +(expandtypeattribute (seapp_contexts_file_31_0) true) +(expandtypeattribute (search_service_31_0) true) +(expandtypeattribute (search_ui_service_31_0) true) +(expandtypeattribute (sec_key_att_app_id_provider_service_31_0) true) +(expandtypeattribute (secure_element_31_0) true) +(expandtypeattribute (secure_element_device_31_0) true) +(expandtypeattribute (secure_element_service_31_0) true) +(expandtypeattribute (securityfs_31_0) true) +(expandtypeattribute (selinuxfs_31_0) true) +(expandtypeattribute (sendbug_config_prop_31_0) true) +(expandtypeattribute (sensor_privacy_service_31_0) true) +(expandtypeattribute (sensors_device_31_0) true) +(expandtypeattribute (sensorservice_service_31_0) true) +(expandtypeattribute (sepolicy_file_31_0) true) +(expandtypeattribute (serial_device_31_0) true) +(expandtypeattribute (serial_service_31_0) true) +(expandtypeattribute (serialno_prop_31_0) true) +(expandtypeattribute (server_configurable_flags_data_file_31_0) true) +(expandtypeattribute (service_contexts_file_31_0) true) +(expandtypeattribute (service_manager_service_31_0) true) +(expandtypeattribute (service_manager_vndservice_31_0) true) +(expandtypeattribute (servicediscovery_service_31_0) true) +(expandtypeattribute (servicemanager_31_0) true) +(expandtypeattribute (servicemanager_exec_31_0) true) +(expandtypeattribute (settings_service_31_0) true) +(expandtypeattribute (sgdisk_31_0) true) +(expandtypeattribute (sgdisk_exec_31_0) true) +(expandtypeattribute (shared_relro_31_0) true) +(expandtypeattribute (shared_relro_file_31_0) true) +(expandtypeattribute (shell_31_0) true) +(expandtypeattribute (shell_data_file_31_0) true) +(expandtypeattribute 
(shell_exec_31_0) true) +(expandtypeattribute (shell_prop_31_0) true) +(expandtypeattribute (shell_test_data_file_31_0) true) +(expandtypeattribute (shm_31_0) true) +(expandtypeattribute (shortcut_manager_icons_31_0) true) +(expandtypeattribute (shortcut_service_31_0) true) +(expandtypeattribute (simpleperf_31_0) true) +(expandtypeattribute (simpleperf_app_runner_31_0) true) +(expandtypeattribute (simpleperf_app_runner_exec_31_0) true) +(expandtypeattribute (slice_service_31_0) true) +(expandtypeattribute (slideshow_31_0) true) +(expandtypeattribute (smartspace_service_31_0) true) +(expandtypeattribute (snapshotctl_log_data_file_31_0) true) +(expandtypeattribute (snapuserd_socket_31_0) true) +(expandtypeattribute (soc_prop_31_0) true) +(expandtypeattribute (socket_device_31_0) true) +(expandtypeattribute (socket_hook_prop_31_0) true) +(expandtypeattribute (sockfs_31_0) true) +(expandtypeattribute (sota_prop_31_0) true) +(expandtypeattribute (soundtrigger_middleware_service_31_0) true) +(expandtypeattribute (speech_recognition_service_31_0) true) +(expandtypeattribute (sqlite_log_prop_31_0) true) +(expandtypeattribute (staged_install_file_31_0) true) +(expandtypeattribute (staging_data_file_31_0) true) +(expandtypeattribute (stats_data_file_31_0) true) +(expandtypeattribute (statsd_31_0) true) +(expandtypeattribute (statsd_exec_31_0) true) +(expandtypeattribute (statsdw_socket_31_0) true) +(expandtypeattribute (statusbar_service_31_0) true) +(expandtypeattribute (storage_config_prop_31_0) true) +(expandtypeattribute (storage_file_31_0) true) +(expandtypeattribute (storage_stub_file_31_0) true) +(expandtypeattribute (storaged_service_31_0) true) +(expandtypeattribute (storagemanager_config_prop_31_0) true) +(expandtypeattribute (storagestats_service_31_0) true) +(expandtypeattribute (su_31_0) true) +(expandtypeattribute (su_exec_31_0) true) +(expandtypeattribute (super_block_device_31_0) true) +(expandtypeattribute (surfaceflinger_31_0) true) +(expandtypeattribute 
(surfaceflinger_color_prop_31_0) true) +(expandtypeattribute (surfaceflinger_display_prop_31_0) true) +(expandtypeattribute (surfaceflinger_prop_31_0) true) +(expandtypeattribute (surfaceflinger_service_31_0) true) +(expandtypeattribute (surfaceflinger_tmpfs_31_0) true) +(expandtypeattribute (suspend_prop_31_0) true) +(expandtypeattribute (swap_block_device_31_0) true) +(expandtypeattribute (sysfs_31_0) true) +(expandtypeattribute (sysfs_android_usb_31_0) true) +(expandtypeattribute (sysfs_batteryinfo_31_0) true) +(expandtypeattribute (sysfs_block_31_0) true) +(expandtypeattribute (sysfs_bluetooth_writable_31_0) true) +(expandtypeattribute (sysfs_devfreq_cur_31_0) true) +(expandtypeattribute (sysfs_devfreq_dir_31_0) true) +(expandtypeattribute (sysfs_devices_block_31_0) true) +(expandtypeattribute (sysfs_devices_cs_etm_31_0) true) +(expandtypeattribute (sysfs_devices_system_cpu_31_0) true) +(expandtypeattribute (sysfs_dm_31_0) true) +(expandtypeattribute (sysfs_dm_verity_31_0) true) +(expandtypeattribute (sysfs_dma_heap_31_0) true) +(expandtypeattribute (sysfs_dmabuf_stats_31_0) true) +(expandtypeattribute (sysfs_dt_firmware_android_31_0) true) +(expandtypeattribute (sysfs_extcon_31_0) true) +(expandtypeattribute (sysfs_fs_ext4_features_31_0) true) +(expandtypeattribute (sysfs_fs_f2fs_31_0) true) +(expandtypeattribute (sysfs_fs_incfs_features_31_0) true) +(expandtypeattribute (sysfs_fs_incfs_metrics_31_0) true) +(expandtypeattribute (sysfs_hwrandom_31_0) true) +(expandtypeattribute (sysfs_ion_31_0) true) +(expandtypeattribute (sysfs_ipv4_31_0) true) +(expandtypeattribute (sysfs_kernel_notes_31_0) true) +(expandtypeattribute (sysfs_leds_31_0) true) +(expandtypeattribute (sysfs_loop_31_0) true) +(expandtypeattribute (sysfs_lowmemorykiller_31_0) true) +(expandtypeattribute (sysfs_net_31_0) true) +(expandtypeattribute (sysfs_nfc_power_writable_31_0) true) +(expandtypeattribute (sysfs_power_31_0) true) +(expandtypeattribute (sysfs_rtc_31_0) true) +(expandtypeattribute 
(sysfs_suspend_stats_31_0) true) +(expandtypeattribute (sysfs_switch_31_0) true) +(expandtypeattribute (sysfs_thermal_31_0) true) +(expandtypeattribute (sysfs_transparent_hugepage_31_0) true) +(expandtypeattribute (sysfs_uhid_31_0) true) +(expandtypeattribute (sysfs_uio_31_0) true) +(expandtypeattribute (sysfs_usb_31_0) true) +(expandtypeattribute (sysfs_usermodehelper_31_0) true) +(expandtypeattribute (sysfs_vendor_sched_31_0) true) +(expandtypeattribute (sysfs_vibrator_31_0) true) +(expandtypeattribute (sysfs_wake_lock_31_0) true) +(expandtypeattribute (sysfs_wakeup_31_0) true) +(expandtypeattribute (sysfs_wakeup_reasons_31_0) true) +(expandtypeattribute (sysfs_wlan_fwpath_31_0) true) +(expandtypeattribute (sysfs_zram_31_0) true) +(expandtypeattribute (sysfs_zram_uevent_31_0) true) +(expandtypeattribute (system_app_31_0) true) +(expandtypeattribute (system_app_data_file_31_0) true) +(expandtypeattribute (system_app_service_31_0) true) +(expandtypeattribute (system_asan_options_file_31_0) true) +(expandtypeattribute (system_block_device_31_0) true) +(expandtypeattribute (system_boot_reason_prop_31_0) true) +(expandtypeattribute (system_bootstrap_lib_file_31_0) true) +(expandtypeattribute (system_config_service_31_0) true) +(expandtypeattribute (system_data_file_31_0) true) +(expandtypeattribute (system_data_root_file_31_0) true) +(expandtypeattribute (system_event_log_tags_file_31_0) true) +(expandtypeattribute (system_file_31_0) true) +(expandtypeattribute (system_group_file_31_0) true) +(expandtypeattribute (system_jvmti_agent_prop_31_0) true) +(expandtypeattribute (system_lib_file_31_0) true) +(expandtypeattribute (system_linker_config_file_31_0) true) +(expandtypeattribute (system_linker_exec_31_0) true) +(expandtypeattribute (system_lmk_prop_31_0) true) +(expandtypeattribute (system_ndebug_socket_31_0) true) +(expandtypeattribute (system_net_netd_hwservice_31_0) true) +(expandtypeattribute (system_passwd_file_31_0) true) +(expandtypeattribute 
(system_prop_31_0) true) +(expandtypeattribute (system_seccomp_policy_file_31_0) true) +(expandtypeattribute (system_security_cacerts_file_31_0) true) +(expandtypeattribute (system_server_31_0) true) +(expandtypeattribute (system_server_dumper_service_31_0) true) +(expandtypeattribute (system_server_tmpfs_31_0) true) +(expandtypeattribute (system_suspend_control_internal_service_31_0) true) +(expandtypeattribute (system_suspend_control_service_31_0) true) +(expandtypeattribute (system_suspend_hwservice_31_0) true) +(expandtypeattribute (system_trace_prop_31_0) true) +(expandtypeattribute (system_unsolzygote_socket_31_0) true) +(expandtypeattribute (system_update_service_31_0) true) +(expandtypeattribute (system_wifi_keystore_hwservice_31_0) true) +(expandtypeattribute (system_wpa_socket_31_0) true) +(expandtypeattribute (system_zoneinfo_file_31_0) true) +(expandtypeattribute (systemkeys_data_file_31_0) true) +(expandtypeattribute (systemsound_config_prop_31_0) true) +(expandtypeattribute (task_profiles_api_file_31_0) true) +(expandtypeattribute (task_profiles_file_31_0) true) +(expandtypeattribute (task_service_31_0) true) +(expandtypeattribute (tcpdump_exec_31_0) true) +(expandtypeattribute (tee_31_0) true) +(expandtypeattribute (tee_data_file_31_0) true) +(expandtypeattribute (tee_device_31_0) true) +(expandtypeattribute (telecom_service_31_0) true) +(expandtypeattribute (telephony_config_prop_31_0) true) +(expandtypeattribute (telephony_status_prop_31_0) true) +(expandtypeattribute (test_boot_reason_prop_31_0) true) +(expandtypeattribute (test_harness_prop_31_0) true) +(expandtypeattribute (testharness_service_31_0) true) +(expandtypeattribute (tethering_service_31_0) true) +(expandtypeattribute (textclassification_service_31_0) true) +(expandtypeattribute (textclassifier_data_file_31_0) true) +(expandtypeattribute (textservices_service_31_0) true) +(expandtypeattribute (texttospeech_service_31_0) true) +(expandtypeattribute (theme_prop_31_0) true) 
+(expandtypeattribute (thermal_service_31_0) true) +(expandtypeattribute (time_prop_31_0) true) +(expandtypeattribute (timedetector_service_31_0) true) +(expandtypeattribute (timezone_service_31_0) true) +(expandtypeattribute (timezonedetector_service_31_0) true) +(expandtypeattribute (tmpfs_31_0) true) +(expandtypeattribute (tombstone_config_prop_31_0) true) +(expandtypeattribute (tombstone_data_file_31_0) true) +(expandtypeattribute (tombstone_wifi_data_file_31_0) true) +(expandtypeattribute (tombstoned_31_0) true) +(expandtypeattribute (tombstoned_crash_socket_31_0) true) +(expandtypeattribute (tombstoned_exec_31_0) true) +(expandtypeattribute (tombstoned_intercept_socket_31_0) true) +(expandtypeattribute (tombstoned_java_trace_socket_31_0) true) +(expandtypeattribute (toolbox_31_0) true) +(expandtypeattribute (toolbox_exec_31_0) true) +(expandtypeattribute (trace_data_file_31_0) true) +(expandtypeattribute (traced_31_0) true) +(expandtypeattribute (traced_consumer_socket_31_0) true) +(expandtypeattribute (traced_enabled_prop_31_0) true) +(expandtypeattribute (traced_lazy_prop_31_0) true) +(expandtypeattribute (traced_perf_31_0) true) +(expandtypeattribute (traced_perf_socket_31_0) true) +(expandtypeattribute (traced_probes_31_0) true) +(expandtypeattribute (traced_producer_socket_31_0) true) +(expandtypeattribute (traced_tmpfs_31_0) true) +(expandtypeattribute (traceur_app_31_0) true) +(expandtypeattribute (translation_service_31_0) true) +(expandtypeattribute (trust_service_31_0) true) +(expandtypeattribute (tty_device_31_0) true) +(expandtypeattribute (tun_device_31_0) true) +(expandtypeattribute (tv_input_service_31_0) true) +(expandtypeattribute (tv_tuner_resource_mgr_service_31_0) true) +(expandtypeattribute (tzdatacheck_31_0) true) +(expandtypeattribute (tzdatacheck_exec_31_0) true) +(expandtypeattribute (ueventd_31_0) true) +(expandtypeattribute (ueventd_tmpfs_31_0) true) +(expandtypeattribute (uhid_device_31_0) true) +(expandtypeattribute 
(uimode_service_31_0) true) +(expandtypeattribute (uio_device_31_0) true) +(expandtypeattribute (uncrypt_31_0) true) +(expandtypeattribute (uncrypt_exec_31_0) true) +(expandtypeattribute (uncrypt_socket_31_0) true) +(expandtypeattribute (unencrypted_data_file_31_0) true) +(expandtypeattribute (unlabeled_31_0) true) +(expandtypeattribute (untrusted_app_25_31_0) true) +(expandtypeattribute (untrusted_app_27_31_0) true) +(expandtypeattribute (untrusted_app_29_31_0) true) +(expandtypeattribute (untrusted_app_31_0) true) +(expandtypeattribute (update_engine_31_0) true) +(expandtypeattribute (update_engine_data_file_31_0) true) +(expandtypeattribute (update_engine_exec_31_0) true) +(expandtypeattribute (update_engine_log_data_file_31_0) true) +(expandtypeattribute (update_engine_service_31_0) true) +(expandtypeattribute (update_engine_stable_service_31_0) true) +(expandtypeattribute (update_verifier_31_0) true) +(expandtypeattribute (update_verifier_exec_31_0) true) +(expandtypeattribute (updatelock_service_31_0) true) +(expandtypeattribute (uri_grants_service_31_0) true) +(expandtypeattribute (usagestats_service_31_0) true) +(expandtypeattribute (usb_config_prop_31_0) true) +(expandtypeattribute (usb_control_prop_31_0) true) +(expandtypeattribute (usb_device_31_0) true) +(expandtypeattribute (usb_prop_31_0) true) +(expandtypeattribute (usb_serial_device_31_0) true) +(expandtypeattribute (usb_service_31_0) true) +(expandtypeattribute (usbaccessory_device_31_0) true) +(expandtypeattribute (usbd_31_0) true) +(expandtypeattribute (usbd_exec_31_0) true) +(expandtypeattribute (usbfs_31_0) true) +(expandtypeattribute (use_memfd_prop_31_0) true) +(expandtypeattribute (user_profile_data_file_31_0) true) +(expandtypeattribute (user_profile_root_file_31_0) true) +(expandtypeattribute (user_service_31_0) true) +(expandtypeattribute (userdata_block_device_31_0) true) +(expandtypeattribute (userdata_sysdev_31_0) true) +(expandtypeattribute (usermodehelper_31_0) true) 
+(expandtypeattribute (userspace_reboot_config_prop_31_0) true) +(expandtypeattribute (userspace_reboot_exported_prop_31_0) true) +(expandtypeattribute (userspace_reboot_metadata_file_31_0) true) +(expandtypeattribute (uwb_service_31_0) true) +(expandtypeattribute (vcn_management_service_31_0) true) +(expandtypeattribute (vd_device_31_0) true) +(expandtypeattribute (vdc_31_0) true) +(expandtypeattribute (vdc_exec_31_0) true) +(expandtypeattribute (vehicle_hal_prop_31_0) true) +(expandtypeattribute (vendor_apex_file_31_0) true) +(expandtypeattribute (vendor_app_file_31_0) true) +(expandtypeattribute (vendor_cgroup_desc_file_31_0) true) +(expandtypeattribute (vendor_configs_file_31_0) true) +(expandtypeattribute (vendor_data_file_31_0) true) +(expandtypeattribute (vendor_default_prop_31_0) true) +(expandtypeattribute (vendor_file_31_0) true) +(expandtypeattribute (vendor_framework_file_31_0) true) +(expandtypeattribute (vendor_hal_file_31_0) true) +(expandtypeattribute (vendor_idc_file_31_0) true) +(expandtypeattribute (vendor_init_31_0) true) +(expandtypeattribute (vendor_kernel_modules_31_0) true) +(expandtypeattribute (vendor_keychars_file_31_0) true) +(expandtypeattribute (vendor_keylayout_file_31_0) true) +(expandtypeattribute (vendor_misc_writer_31_0) true) +(expandtypeattribute (vendor_misc_writer_exec_31_0) true) +(expandtypeattribute (vendor_modprobe_31_0) true) +(expandtypeattribute (vendor_overlay_file_31_0) true) +(expandtypeattribute (vendor_public_framework_file_31_0) true) +(expandtypeattribute (vendor_public_lib_file_31_0) true) +(expandtypeattribute (vendor_security_patch_level_prop_31_0) true) +(expandtypeattribute (vendor_service_contexts_file_31_0) true) +(expandtypeattribute (vendor_shell_31_0) true) +(expandtypeattribute (vendor_shell_exec_31_0) true) +(expandtypeattribute (vendor_socket_hook_prop_31_0) true) +(expandtypeattribute (vendor_task_profiles_file_31_0) true) +(expandtypeattribute (vendor_toolbox_exec_31_0) true) +(expandtypeattribute 
(vfat_31_0) true) +(expandtypeattribute (vibrator_manager_service_31_0) true) +(expandtypeattribute (vibrator_service_31_0) true) +(expandtypeattribute (video_device_31_0) true) +(expandtypeattribute (virtual_ab_prop_31_0) true) +(expandtypeattribute (virtual_touchpad_31_0) true) +(expandtypeattribute (virtual_touchpad_exec_31_0) true) +(expandtypeattribute (virtual_touchpad_service_31_0) true) +(expandtypeattribute (virtualization_service_31_0) true) +(expandtypeattribute (vndbinder_device_31_0) true) +(expandtypeattribute (vndk_prop_31_0) true) +(expandtypeattribute (vndk_sp_file_31_0) true) +(expandtypeattribute (vndservice_contexts_file_31_0) true) +(expandtypeattribute (vndservicemanager_31_0) true) +(expandtypeattribute (voiceinteraction_service_31_0) true) +(expandtypeattribute (vold_31_0) true) +(expandtypeattribute (vold_config_prop_31_0) true) +(expandtypeattribute (vold_data_file_31_0) true) +(expandtypeattribute (vold_device_31_0) true) +(expandtypeattribute (vold_exec_31_0) true) +(expandtypeattribute (vold_metadata_file_31_0) true) +(expandtypeattribute (vold_post_fs_data_prop_31_0) true) +(expandtypeattribute (vold_prepare_subdirs_31_0) true) +(expandtypeattribute (vold_prepare_subdirs_exec_31_0) true) +(expandtypeattribute (vold_prop_31_0) true) +(expandtypeattribute (vold_service_31_0) true) +(expandtypeattribute (vold_status_prop_31_0) true) +(expandtypeattribute (vpn_data_file_31_0) true) +(expandtypeattribute (vpn_management_service_31_0) true) +(expandtypeattribute (vr_hwc_31_0) true) +(expandtypeattribute (vr_hwc_exec_31_0) true) +(expandtypeattribute (vr_hwc_service_31_0) true) +(expandtypeattribute (vr_manager_service_31_0) true) +(expandtypeattribute (vrflinger_vsync_service_31_0) true) +(expandtypeattribute (vts_config_prop_31_0) true) +(expandtypeattribute (vts_status_prop_31_0) true) +(expandtypeattribute (wallpaper_file_31_0) true) +(expandtypeattribute (wallpaper_service_31_0) true) +(expandtypeattribute (watchdog_device_31_0) true) 
+(expandtypeattribute (watchdog_metadata_file_31_0) true) +(expandtypeattribute (watchdogd_31_0) true) +(expandtypeattribute (watchdogd_exec_31_0) true) +(expandtypeattribute (webview_zygote_31_0) true) +(expandtypeattribute (webview_zygote_exec_31_0) true) +(expandtypeattribute (webview_zygote_tmpfs_31_0) true) +(expandtypeattribute (webviewupdate_service_31_0) true) +(expandtypeattribute (wifi_config_prop_31_0) true) +(expandtypeattribute (wifi_data_file_31_0) true) +(expandtypeattribute (wifi_hal_prop_31_0) true) +(expandtypeattribute (wifi_key_31_0) true) +(expandtypeattribute (wifi_log_prop_31_0) true) +(expandtypeattribute (wifi_prop_31_0) true) +(expandtypeattribute (wifi_service_31_0) true) +(expandtypeattribute (wifiaware_service_31_0) true) +(expandtypeattribute (wificond_31_0) true) +(expandtypeattribute (wificond_exec_31_0) true) +(expandtypeattribute (wifinl80211_service_31_0) true) +(expandtypeattribute (wifip2p_service_31_0) true) +(expandtypeattribute (wifiscanner_service_31_0) true) +(expandtypeattribute (window_service_31_0) true) +(expandtypeattribute (wpa_socket_31_0) true) +(expandtypeattribute (wpantund_31_0) true) +(expandtypeattribute (wpantund_exec_31_0) true) +(expandtypeattribute (wpantund_service_31_0) true) +(expandtypeattribute (zero_device_31_0) true) +(expandtypeattribute (zoneinfo_data_file_31_0) true) +(expandtypeattribute (zram_config_prop_31_0) true) +(expandtypeattribute (zram_control_prop_31_0) true) +(expandtypeattribute (zygote_31_0) true) +(expandtypeattribute (zygote_config_prop_31_0) true) +(expandtypeattribute (zygote_exec_31_0) true) +(expandtypeattribute (zygote_socket_31_0) true) +(expandtypeattribute (zygote_tmpfs_31_0) true) +(typeattributeset DockObserver_service_31_0 (DockObserver_service)) +(typeattributeset IProxyService_service_31_0 (IProxyService_service)) +(typeattributeset aac_drc_prop_31_0 (aac_drc_prop)) +(typeattributeset aaudio_config_prop_31_0 (aaudio_config_prop)) +(typeattributeset 
ab_update_gki_prop_31_0 (ab_update_gki_prop)) +(typeattributeset accessibility_service_31_0 (accessibility_service)) +(typeattributeset account_service_31_0 (account_service)) +(typeattributeset activity_service_31_0 (activity_service)) +(typeattributeset activity_task_service_31_0 (activity_task_service)) +(typeattributeset adb_data_file_31_0 (adb_data_file)) +(typeattributeset adb_keys_file_31_0 (adb_keys_file)) +(typeattributeset adb_service_31_0 (adb_service)) +(typeattributeset adbd_31_0 (adbd)) +(typeattributeset adbd_config_prop_31_0 (adbd_config_prop)) +(typeattributeset adbd_exec_31_0 (adbd_exec)) +(typeattributeset adbd_socket_31_0 (adbd_socket)) +(typeattributeset aidl_lazy_test_server_31_0 (aidl_lazy_test_server)) +(typeattributeset aidl_lazy_test_server_exec_31_0 (aidl_lazy_test_server_exec)) +(typeattributeset aidl_lazy_test_service_31_0 (aidl_lazy_test_service)) +(typeattributeset alarm_service_31_0 (alarm_service)) +(typeattributeset anr_data_file_31_0 (anr_data_file)) +(typeattributeset apc_service_31_0 (apc_service)) +(typeattributeset apex_appsearch_data_file_31_0 (apex_appsearch_data_file)) +(typeattributeset apex_data_file_31_0 (apex_data_file)) +(typeattributeset apex_info_file_31_0 (apex_info_file)) +(typeattributeset apex_metadata_file_31_0 (apex_metadata_file)) +(typeattributeset apex_mnt_dir_31_0 (apex_mnt_dir)) +(typeattributeset apex_module_data_file_31_0 (apex_module_data_file)) +(typeattributeset apex_ota_reserved_file_31_0 (apex_ota_reserved_file)) +(typeattributeset apex_permission_data_file_31_0 (apex_permission_data_file)) +(typeattributeset apex_rollback_data_file_31_0 (apex_rollback_data_file)) +(typeattributeset apex_scheduling_data_file_31_0 (apex_scheduling_data_file)) +(typeattributeset apex_service_31_0 (apex_service)) +(typeattributeset apex_wifi_data_file_31_0 (apex_wifi_data_file)) +(typeattributeset apexd_31_0 (apexd)) +(typeattributeset apexd_config_prop_31_0 (apexd_config_prop)) +(typeattributeset apexd_exec_31_0 
(apexd_exec)) +(typeattributeset apexd_prop_31_0 (apexd_prop)) +(typeattributeset apk_data_file_31_0 (apk_data_file)) +(typeattributeset apk_private_data_file_31_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_31_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_31_0 (apk_tmp_file)) +(typeattributeset apk_verity_prop_31_0 (apk_verity_prop)) +(typeattributeset app_binding_service_31_0 (app_binding_service)) +(typeattributeset app_data_file_31_0 (app_data_file)) +(typeattributeset app_fuse_file_31_0 (app_fuse_file)) +(typeattributeset app_fusefs_31_0 (app_fusefs)) +(typeattributeset app_hibernation_service_31_0 (app_hibernation_service)) +(typeattributeset app_integrity_service_31_0 (app_integrity_service)) +(typeattributeset app_prediction_service_31_0 (app_prediction_service)) +(typeattributeset app_search_service_31_0 (app_search_service)) +(typeattributeset app_zygote_31_0 (app_zygote)) +(typeattributeset app_zygote_tmpfs_31_0 (app_zygote_tmpfs)) +(typeattributeset appcompat_data_file_31_0 (appcompat_data_file)) +(typeattributeset appdomain_tmpfs_31_0 (appdomain_tmpfs)) +(typeattributeset appops_service_31_0 (appops_service)) +(typeattributeset appwidget_service_31_0 (appwidget_service)) +(typeattributeset arm64_memtag_prop_31_0 (arm64_memtag_prop)) +(typeattributeset art_apex_dir_31_0 (art_apex_dir)) +(typeattributeset asec_apk_file_31_0 (asec_apk_file)) +(typeattributeset asec_image_file_31_0 (asec_image_file)) +(typeattributeset asec_public_file_31_0 (asec_public_file)) +(typeattributeset ashmem_device_31_0 (ashmem_device)) +(typeattributeset ashmem_libcutils_device_31_0 (ashmem_libcutils_device)) +(typeattributeset assetatlas_service_31_0 (assetatlas_service)) +(typeattributeset atrace_31_0 (atrace)) +(typeattributeset audio_config_prop_31_0 (audio_config_prop)) +(typeattributeset audio_data_file_31_0 (audio_data_file)) +(typeattributeset audio_device_31_0 (audio_device)) +(typeattributeset audio_prop_31_0 (audio_prop)) 
+(typeattributeset audio_service_31_0 (audio_service)) +(typeattributeset audiohal_data_file_31_0 (audiohal_data_file)) +(typeattributeset audioserver_31_0 (audioserver)) +(typeattributeset audioserver_data_file_31_0 (audioserver_data_file)) +(typeattributeset audioserver_service_31_0 (audioserver_service)) +(typeattributeset audioserver_tmpfs_31_0 (audioserver_tmpfs)) +(typeattributeset auth_service_31_0 (auth_service)) +(typeattributeset authorization_service_31_0 (authorization_service)) +(typeattributeset autofill_service_31_0 (autofill_service)) +(typeattributeset backup_data_file_31_0 (backup_data_file)) +(typeattributeset backup_service_31_0 (backup_service)) +(typeattributeset battery_service_31_0 (battery_service)) +(typeattributeset batteryproperties_service_31_0 (batteryproperties_service)) +(typeattributeset batterystats_service_31_0 (batterystats_service)) +(typeattributeset binder_cache_bluetooth_server_prop_31_0 (binder_cache_bluetooth_server_prop)) +(typeattributeset binder_cache_system_server_prop_31_0 (binder_cache_system_server_prop)) +(typeattributeset binder_cache_telephony_server_prop_31_0 (binder_cache_telephony_server_prop)) +(typeattributeset binder_calls_stats_service_31_0 (binder_calls_stats_service)) +(typeattributeset binder_device_31_0 (binder_device)) +(typeattributeset binderfs_31_0 (binderfs)) +(typeattributeset binderfs_logs_31_0 (binderfs_logs)) +(typeattributeset binderfs_logs_proc_31_0 (binderfs_logs_proc)) +(typeattributeset binfmt_miscfs_31_0 (binfmt_miscfs)) +(typeattributeset biometric_service_31_0 (biometric_service)) +(typeattributeset blkid_31_0 (blkid)) +(typeattributeset blkid_untrusted_31_0 (blkid_untrusted)) +(typeattributeset blob_store_service_31_0 (blob_store_service)) +(typeattributeset block_device_31_0 (block_device)) +(typeattributeset bluetooth_31_0 (bluetooth)) +(typeattributeset bluetooth_a2dp_offload_prop_31_0 (bluetooth_a2dp_offload_prop)) +(typeattributeset bluetooth_audio_hal_prop_31_0 
(bluetooth_audio_hal_prop)) +(typeattributeset bluetooth_data_file_31_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_31_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_31_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_31_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_31_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_31_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_31_0 (bluetooth_socket)) +(typeattributeset boot_block_device_31_0 (boot_block_device)) +(typeattributeset boot_status_prop_31_0 (boot_status_prop)) +(typeattributeset bootanim_31_0 (bootanim)) +(typeattributeset bootanim_config_prop_31_0 (bootanim_config_prop)) +(typeattributeset bootanim_exec_31_0 (bootanim_exec)) +(typeattributeset bootanim_system_prop_31_0 (bootanim_system_prop)) +(typeattributeset bootchart_data_file_31_0 (bootchart_data_file)) +(typeattributeset bootloader_boot_reason_prop_31_0 (bootloader_boot_reason_prop)) +(typeattributeset bootloader_prop_31_0 (bootloader_prop)) +(typeattributeset bootstat_31_0 (bootstat)) +(typeattributeset bootstat_data_file_31_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_31_0 (bootstat_exec)) +(typeattributeset boottime_prop_31_0 (boottime_prop)) +(typeattributeset boottime_public_prop_31_0 (boottime_public_prop)) +(typeattributeset boottrace_data_file_31_0 (boottrace_data_file)) +(typeattributeset bpf_progs_loaded_prop_31_0 (bpf_progs_loaded_prop)) +(typeattributeset bq_config_prop_31_0 (bq_config_prop)) +(typeattributeset broadcastradio_service_31_0 (broadcastradio_service)) +(typeattributeset bufferhubd_31_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_31_0 (bufferhubd_exec)) +(typeattributeset bugreport_service_31_0 (bugreport_service)) +(typeattributeset build_bootimage_prop_31_0 (build_bootimage_prop)) +(typeattributeset build_config_prop_31_0 (build_config_prop)) +(typeattributeset build_odm_prop_31_0 (build_odm_prop)) 
+(typeattributeset build_prop_31_0 (build_prop)) +(typeattributeset build_vendor_prop_31_0 (build_vendor_prop)) +(typeattributeset cache_backup_file_31_0 (cache_backup_file)) +(typeattributeset cache_block_device_31_0 (cache_block_device)) +(typeattributeset cache_file_31_0 (cache_file)) +(typeattributeset cache_private_backup_file_31_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_31_0 (cache_recovery_file)) +(typeattributeset cacheinfo_service_31_0 (cacheinfo_service)) +(typeattributeset camera2_extensions_prop_31_0 (camera2_extensions_prop)) +(typeattributeset camera_calibration_prop_31_0 (camera_calibration_prop)) +(typeattributeset camera_config_prop_31_0 (camera_config_prop)) +(typeattributeset camera_data_file_31_0 (camera_data_file)) +(typeattributeset camera_device_31_0 (camera_device)) +(typeattributeset cameraproxy_service_31_0 (cameraproxy_service)) +(typeattributeset cameraserver_31_0 (cameraserver)) +(typeattributeset cameraserver_exec_31_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_31_0 (cameraserver_service)) +(typeattributeset cameraserver_tmpfs_31_0 (cameraserver_tmpfs)) +(typeattributeset camerax_extensions_prop_31_0 (camerax_extensions_prop)) +(typeattributeset cgroup_31_0 (cgroup)) +(typeattributeset cgroup_desc_api_file_31_0 (cgroup_desc_api_file)) +(typeattributeset cgroup_desc_file_31_0 (cgroup_desc_file)) +(typeattributeset cgroup_rc_file_31_0 (cgroup_rc_file)) +(typeattributeset cgroup_v2_31_0 (cgroup_v2)) +(typeattributeset charger_31_0 (charger)) +(typeattributeset charger_config_prop_31_0 (charger_config_prop)) +(typeattributeset charger_exec_31_0 (charger_exec)) +(typeattributeset charger_prop_31_0 (charger_prop)) +(typeattributeset charger_status_prop_31_0 (charger_status_prop)) +(typeattributeset clipboard_service_31_0 (clipboard_service)) +(typeattributeset codec2_config_prop_31_0 (codec2_config_prop)) +(typeattributeset cold_boot_done_prop_31_0 (cold_boot_done_prop)) +(typeattributeset 
color_display_service_31_0 (color_display_service)) +(typeattributeset companion_device_service_31_0 (companion_device_service)) +(typeattributeset config_prop_31_0 (config_prop)) +(typeattributeset configfs_31_0 (configfs)) +(typeattributeset connectivity_service_31_0 (connectivity_service)) +(typeattributeset connmetrics_service_31_0 (connmetrics_service)) +(typeattributeset console_device_31_0 (console_device)) +(typeattributeset consumer_ir_service_31_0 (consumer_ir_service)) +(typeattributeset content_capture_service_31_0 (content_capture_service)) +(typeattributeset content_service_31_0 (content_service)) +(typeattributeset content_suggestions_service_31_0 (content_suggestions_service)) +(typeattributeset contexthub_service_31_0 (contexthub_service)) +(typeattributeset coredump_file_31_0 (coredump_file)) +(typeattributeset country_detector_service_31_0 (country_detector_service)) +(typeattributeset coverage_service_31_0 (coverage_service)) +(typeattributeset cppreopt_prop_31_0 (cppreopt_prop)) +(typeattributeset cpu_variant_prop_31_0 (cpu_variant_prop)) +(typeattributeset cpuinfo_service_31_0 (cpuinfo_service)) +(typeattributeset crash_dump_31_0 (crash_dump)) +(typeattributeset crash_dump_exec_31_0 (crash_dump_exec)) +(typeattributeset credstore_31_0 (credstore)) +(typeattributeset credstore_data_file_31_0 (credstore_data_file)) +(typeattributeset credstore_exec_31_0 (credstore_exec)) +(typeattributeset credstore_service_31_0 (credstore_service)) +(typeattributeset crossprofileapps_service_31_0 (crossprofileapps_service)) +(typeattributeset ctl_adbd_prop_31_0 (ctl_adbd_prop)) +(typeattributeset ctl_apexd_prop_31_0 (ctl_apexd_prop)) +(typeattributeset ctl_bootanim_prop_31_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_31_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_31_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_31_0 (ctl_default_prop)) +(typeattributeset ctl_dumpstate_prop_31_0 (ctl_dumpstate_prop)) +(typeattributeset 
ctl_fuse_prop_31_0 (ctl_fuse_prop)) +(typeattributeset ctl_gsid_prop_31_0 (ctl_gsid_prop)) +(typeattributeset ctl_interface_restart_prop_31_0 (ctl_interface_restart_prop)) +(typeattributeset ctl_interface_start_prop_31_0 (ctl_interface_start_prop)) +(typeattributeset ctl_interface_stop_prop_31_0 (ctl_interface_stop_prop)) +(typeattributeset ctl_mdnsd_prop_31_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_restart_prop_31_0 (ctl_restart_prop)) +(typeattributeset ctl_rildaemon_prop_31_0 (ctl_rildaemon_prop)) +(typeattributeset ctl_sigstop_prop_31_0 (ctl_sigstop_prop)) +(typeattributeset ctl_start_prop_31_0 (ctl_start_prop)) +(typeattributeset ctl_stop_prop_31_0 (ctl_stop_prop)) +(typeattributeset dalvik_config_prop_31_0 (dalvik_config_prop)) +(typeattributeset dalvik_prop_31_0 (dalvik_prop)) +(typeattributeset dalvik_runtime_prop_31_0 (dalvik_runtime_prop)) +(typeattributeset dalvikcache_data_file_31_0 (dalvikcache_data_file)) +(typeattributeset dataloader_manager_service_31_0 (dataloader_manager_service)) +(typeattributeset dbinfo_service_31_0 (dbinfo_service)) +(typeattributeset dck_prop_31_0 (dck_prop)) +(typeattributeset debug_prop_31_0 (debug_prop)) +(typeattributeset debugfs_31_0 (debugfs)) +(typeattributeset debugfs_bootreceiver_tracing_31_0 (debugfs_bootreceiver_tracing)) +(typeattributeset debugfs_kprobes_31_0 (debugfs_kprobes)) +(typeattributeset debugfs_mm_events_tracing_31_0 (debugfs_mm_events_tracing)) +(typeattributeset debugfs_mmc_31_0 (debugfs_mmc)) +(typeattributeset debugfs_restriction_prop_31_0 (debugfs_restriction_prop)) +(typeattributeset debugfs_trace_marker_31_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_31_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_debug_31_0 (debugfs_tracing_debug)) +(typeattributeset debugfs_tracing_instances_31_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_tracing_printk_formats_31_0 (debugfs_tracing_printk_formats)) +(typeattributeset debugfs_wakeup_sources_31_0 (debugfs_wakeup_sources)) 
+(typeattributeset debugfs_wifi_tracing_31_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_31_0 (debuggerd_prop)) +(typeattributeset default_android_hwservice_31_0 (default_android_hwservice)) +(typeattributeset default_android_service_31_0 (default_android_service)) +(typeattributeset default_android_vndservice_31_0 (default_android_vndservice)) +(typeattributeset default_prop_31_0 (default_prop)) +(typeattributeset dev_cpu_variant_31_0 (dev_cpu_variant)) +(typeattributeset device_31_0 (device)) +(typeattributeset device_config_activity_manager_native_boot_prop_31_0 (device_config_activity_manager_native_boot_prop)) +(typeattributeset device_config_boot_count_prop_31_0 (device_config_boot_count_prop)) +(typeattributeset device_config_input_native_boot_prop_31_0 (device_config_input_native_boot_prop)) +(typeattributeset device_config_media_native_prop_31_0 (device_config_media_native_prop)) +(typeattributeset device_config_netd_native_prop_31_0 (device_config_netd_native_prop)) +(typeattributeset device_config_reset_performed_prop_31_0 (device_config_reset_performed_prop)) +(typeattributeset device_config_runtime_native_boot_prop_31_0 (device_config_runtime_native_boot_prop)) +(typeattributeset device_config_runtime_native_prop_31_0 (device_config_runtime_native_prop)) +(typeattributeset device_config_service_31_0 (device_config_service)) +(typeattributeset device_identifiers_service_31_0 (device_identifiers_service)) +(typeattributeset device_logging_prop_31_0 (device_logging_prop)) +(typeattributeset device_policy_service_31_0 (device_policy_service)) +(typeattributeset device_state_service_31_0 (device_state_service)) +(typeattributeset deviceidle_service_31_0 (deviceidle_service)) +(typeattributeset devicestoragemonitor_service_31_0 (devicestoragemonitor_service)) +(typeattributeset devpts_31_0 (devpts)) +(typeattributeset dhcp_31_0 (dhcp)) +(typeattributeset dhcp_data_file_31_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_31_0 (dhcp_exec)) 
+(typeattributeset dhcp_prop_31_0 (dhcp_prop)) +(typeattributeset diskstats_service_31_0 (diskstats_service)) +(typeattributeset display_service_31_0 (display_service)) +(typeattributeset dm_device_31_0 (dm_device)) +(typeattributeset dm_user_device_31_0 (dm_user_device)) +(typeattributeset dmabuf_heap_device_31_0 (dmabuf_heap_device)) +(typeattributeset dmabuf_system_heap_device_31_0 (dmabuf_system_heap_device)) +(typeattributeset dmabuf_system_secure_heap_device_31_0 (dmabuf_system_secure_heap_device)) +(typeattributeset dnsmasq_31_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_31_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_31_0 (dnsproxyd_socket)) +(typeattributeset dnsresolver_service_31_0 (dnsresolver_service)) +(typeattributeset domain_verification_service_31_0 (domain_verification_service)) +(typeattributeset dreams_service_31_0 (dreams_service)) +(typeattributeset drm_data_file_31_0 (drm_data_file)) +(typeattributeset drm_service_config_prop_31_0 (drm_service_config_prop)) +(typeattributeset drmserver_31_0 (drmserver)) +(typeattributeset drmserver_exec_31_0 (drmserver_exec)) +(typeattributeset drmserver_service_31_0 (drmserver_service)) +(typeattributeset drmserver_socket_31_0 (drmserver_socket)) +(typeattributeset dropbox_data_file_31_0 (dropbox_data_file)) +(typeattributeset dropbox_service_31_0 (dropbox_service)) +(typeattributeset dumpstate_31_0 (dumpstate)) +(typeattributeset dumpstate_exec_31_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_31_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_31_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_31_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_31_0 (dumpstate_socket)) +(typeattributeset dynamic_system_prop_31_0 (dynamic_system_prop)) +(typeattributeset e2fs_31_0 (e2fs)) +(typeattributeset e2fs_exec_31_0 (e2fs_exec)) +(typeattributeset efs_file_31_0 (efs_file)) +(typeattributeset emergency_affordance_service_31_0 (emergency_affordance_service)) 
+(typeattributeset ephemeral_app_31_0 (ephemeral_app)) +(typeattributeset ethernet_service_31_0 (ethernet_service)) +(typeattributeset exfat_31_0 (exfat)) +(typeattributeset exported3_system_prop_31_0 (exported3_system_prop)) +(typeattributeset exported_bluetooth_prop_31_0 (exported_bluetooth_prop)) +(typeattributeset exported_camera_prop_31_0 (exported_camera_prop)) +(typeattributeset exported_config_prop_31_0 (exported_config_prop)) +(typeattributeset exported_default_prop_31_0 (exported_default_prop)) +(typeattributeset exported_dumpstate_prop_31_0 (exported_dumpstate_prop)) +(typeattributeset exported_overlay_prop_31_0 (exported_overlay_prop)) +(typeattributeset exported_pm_prop_31_0 (exported_pm_prop)) +(typeattributeset exported_secure_prop_31_0 (exported_secure_prop)) +(typeattributeset exported_system_prop_31_0 (exported_system_prop)) +(typeattributeset external_vibrator_service_31_0 (external_vibrator_service)) +(typeattributeset face_service_31_0 (face_service)) +(typeattributeset face_vendor_data_file_31_0 (face_vendor_data_file)) +(typeattributeset fastbootd_31_0 (fastbootd)) +(typeattributeset ffs_config_prop_31_0 (ffs_config_prop)) +(typeattributeset ffs_control_prop_31_0 (ffs_control_prop)) +(typeattributeset file_contexts_file_31_0 (file_contexts_file)) +(typeattributeset file_integrity_service_31_0 (file_integrity_service)) +(typeattributeset fingerprint_prop_31_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_31_0 (fingerprint_service)) +(typeattributeset fingerprint_vendor_data_file_31_0 (fingerprint_vendor_data_file)) +(typeattributeset fingerprintd_31_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_31_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_31_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_31_0 (fingerprintd_service)) +(typeattributeset firstboot_prop_31_0 (firstboot_prop)) +(typeattributeset flags_health_check_31_0 (flags_health_check)) +(typeattributeset 
flags_health_check_exec_31_0 (flags_health_check_exec)) +(typeattributeset font_service_31_0 (font_service)) +(typeattributeset framework_watchdog_config_prop_31_0 (framework_watchdog_config_prop)) +(typeattributeset frp_block_device_31_0 (frp_block_device)) +(typeattributeset fs_bpf_31_0 (fs_bpf)) +(typeattributeset fs_bpf_tethering_31_0 (fs_bpf_tethering)) +(typeattributeset fsck_31_0 (fsck)) +(typeattributeset fsck_exec_31_0 (fsck_exec)) +(typeattributeset fsck_untrusted_31_0 (fsck_untrusted)) +(typeattributeset fscklogs_31_0 (fscklogs)) +(typeattributeset functionfs_31_0 (functionfs)) +(typeattributeset fuse_31_0 (fuse)) +(typeattributeset fuse_device_31_0 (fuse_device)) +(typeattributeset fusectlfs_31_0 (fusectlfs)) +(typeattributeset fwk_automotive_display_hwservice_31_0 (fwk_automotive_display_hwservice)) +(typeattributeset fwk_bufferhub_hwservice_31_0 (fwk_bufferhub_hwservice)) +(typeattributeset fwk_camera_hwservice_31_0 (fwk_camera_hwservice)) +(typeattributeset fwk_display_hwservice_31_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_31_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_31_0 (fwk_sensor_hwservice)) +(typeattributeset fwk_stats_hwservice_31_0 (fwk_stats_hwservice)) +(typeattributeset fwk_stats_service_31_0 (fwk_stats_service)) +(typeattributeset fwmarkd_socket_31_0 (fwmarkd_socket)) +(typeattributeset game_service_31_0 (game_service)) +(typeattributeset gatekeeper_data_file_31_0 (gatekeeper_data_file)) +(typeattributeset gatekeeper_service_31_0 (gatekeeper_service)) +(typeattributeset gatekeeperd_31_0 (gatekeeperd)) +(typeattributeset gatekeeperd_exec_31_0 (gatekeeperd_exec)) +(typeattributeset gfxinfo_service_31_0 (gfxinfo_service)) +(typeattributeset gmscore_app_31_0 (gmscore_app)) +(typeattributeset gnss_device_31_0 (gnss_device)) +(typeattributeset gnss_time_update_service_31_0 (gnss_time_update_service)) +(typeattributeset gps_control_31_0 (gps_control)) +(typeattributeset gpu_device_31_0 
(gpu_device)) +(typeattributeset gpu_service_31_0 (gpu_service)) +(typeattributeset gpuservice_31_0 (gpuservice)) +(typeattributeset graphics_config_prop_31_0 (graphics_config_prop)) +(typeattributeset graphics_device_31_0 (graphics_device)) +(typeattributeset graphicsstats_service_31_0 (graphicsstats_service)) +(typeattributeset gsi_data_file_31_0 (gsi_data_file)) +(typeattributeset gsi_metadata_file_31_0 (gsi_metadata_file)) +(typeattributeset gsi_public_metadata_file_31_0 (gsi_public_metadata_file)) +(typeattributeset hal_atrace_hwservice_31_0 (hal_atrace_hwservice)) +(typeattributeset hal_audio_hwservice_31_0 (hal_audio_hwservice)) +(typeattributeset hal_audio_service_31_0 (hal_audio_service)) +(typeattributeset hal_audiocontrol_hwservice_31_0 (hal_audiocontrol_hwservice)) +(typeattributeset hal_audiocontrol_service_31_0 (hal_audiocontrol_service)) +(typeattributeset hal_authsecret_hwservice_31_0 (hal_authsecret_hwservice)) +(typeattributeset hal_authsecret_service_31_0 (hal_authsecret_service)) +(typeattributeset hal_bluetooth_hwservice_31_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_31_0 (hal_bootctl_hwservice)) +(typeattributeset hal_broadcastradio_hwservice_31_0 (hal_broadcastradio_hwservice)) +(typeattributeset hal_camera_hwservice_31_0 (hal_camera_hwservice)) +(typeattributeset hal_can_bus_hwservice_31_0 (hal_can_bus_hwservice)) +(typeattributeset hal_can_controller_hwservice_31_0 (hal_can_controller_hwservice)) +(typeattributeset hal_cas_hwservice_31_0 (hal_cas_hwservice)) +(typeattributeset hal_codec2_hwservice_31_0 (hal_codec2_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_31_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_confirmationui_hwservice_31_0 (hal_confirmationui_hwservice)) +(typeattributeset hal_contexthub_hwservice_31_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_31_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_config_prop_31_0 
(hal_dumpstate_config_prop)) +(typeattributeset hal_dumpstate_hwservice_31_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_evs_hwservice_31_0 (hal_evs_hwservice)) +(typeattributeset hal_face_hwservice_31_0 (hal_face_hwservice)) +(typeattributeset hal_face_service_31_0 (hal_face_service)) +(typeattributeset hal_fingerprint_hwservice_31_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_31_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_31_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_31_0 (hal_gnss_hwservice)) +(typeattributeset hal_gnss_service_31_0 (hal_gnss_service)) +(typeattributeset hal_graphics_allocator_hwservice_31_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_31_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_composer_server_tmpfs_31_0 (hal_graphics_composer_server_tmpfs)) +(typeattributeset hal_graphics_mapper_hwservice_31_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_31_0 (hal_health_hwservice)) +(typeattributeset hal_health_storage_hwservice_31_0 (hal_health_storage_hwservice)) +(typeattributeset hal_health_storage_service_31_0 (hal_health_storage_service)) +(typeattributeset hal_identity_service_31_0 (hal_identity_service)) +(typeattributeset hal_input_classifier_hwservice_31_0 (hal_input_classifier_hwservice)) +(typeattributeset hal_instrumentation_prop_31_0 (hal_instrumentation_prop)) +(typeattributeset hal_ir_hwservice_31_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_31_0 (hal_keymaster_hwservice)) +(typeattributeset hal_keymint_service_31_0 (hal_keymint_service)) +(typeattributeset hal_light_hwservice_31_0 (hal_light_hwservice)) +(typeattributeset hal_light_service_31_0 (hal_light_service)) +(typeattributeset hal_lowpan_hwservice_31_0 (hal_lowpan_hwservice)) +(typeattributeset hal_memtrack_hwservice_31_0 (hal_memtrack_hwservice)) +(typeattributeset 
hal_memtrack_service_31_0 (hal_memtrack_service)) +(typeattributeset hal_neuralnetworks_hwservice_31_0 (hal_neuralnetworks_hwservice)) +(typeattributeset hal_neuralnetworks_service_31_0 (hal_neuralnetworks_service)) +(typeattributeset hal_nfc_hwservice_31_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_31_0 (hal_oemlock_hwservice)) +(typeattributeset hal_oemlock_service_31_0 (hal_oemlock_service)) +(typeattributeset hal_omx_hwservice_31_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_31_0 (hal_power_hwservice)) +(typeattributeset hal_power_service_31_0 (hal_power_service)) +(typeattributeset hal_power_stats_hwservice_31_0 (hal_power_stats_hwservice)) +(typeattributeset hal_power_stats_service_31_0 (hal_power_stats_service)) +(typeattributeset hal_rebootescrow_service_31_0 (hal_rebootescrow_service)) +(typeattributeset hal_remotelyprovisionedcomponent_service_31_0 (hal_remotelyprovisionedcomponent_service)) +(typeattributeset hal_renderscript_hwservice_31_0 (hal_renderscript_hwservice)) +(typeattributeset hal_secure_element_hwservice_31_0 (hal_secure_element_hwservice)) +(typeattributeset hal_secureclock_service_31_0 (hal_secureclock_service)) +(typeattributeset hal_sensors_hwservice_31_0 (hal_sensors_hwservice)) +(typeattributeset hal_sharedsecret_service_31_0 (hal_sharedsecret_service)) +(typeattributeset hal_telephony_hwservice_31_0 (hal_telephony_hwservice)) +(typeattributeset hal_tetheroffload_hwservice_31_0 (hal_tetheroffload_hwservice)) +(typeattributeset hal_thermal_hwservice_31_0 (hal_thermal_hwservice)) +(typeattributeset hal_tv_cec_hwservice_31_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_31_0 (hal_tv_input_hwservice)) +(typeattributeset hal_tv_tuner_hwservice_31_0 (hal_tv_tuner_hwservice)) +(typeattributeset hal_usb_gadget_hwservice_31_0 (hal_usb_gadget_hwservice)) +(typeattributeset hal_usb_hwservice_31_0 (hal_usb_hwservice)) +(typeattributeset hal_vehicle_hwservice_31_0 (hal_vehicle_hwservice)) 
+(typeattributeset hal_vibrator_hwservice_31_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vibrator_service_31_0 (hal_vibrator_service)) +(typeattributeset hal_vr_hwservice_31_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_31_0 (hal_weaver_hwservice)) +(typeattributeset hal_weaver_service_31_0 (hal_weaver_service)) +(typeattributeset hal_wifi_hostapd_hwservice_31_0 (hal_wifi_hostapd_hwservice)) +(typeattributeset hal_wifi_hwservice_31_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_31_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_31_0 (hardware_properties_service)) +(typeattributeset hardware_service_31_0 (hardware_service)) +(typeattributeset hci_attach_dev_31_0 (hci_attach_dev)) +(typeattributeset hdmi_config_prop_31_0 (hdmi_config_prop)) +(typeattributeset hdmi_control_service_31_0 (hdmi_control_service)) +(typeattributeset healthd_31_0 (healthd)) +(typeattributeset healthd_exec_31_0 (healthd_exec)) +(typeattributeset heapdump_data_file_31_0 (heapdump_data_file)) +(typeattributeset heapprofd_31_0 (heapprofd)) +(typeattributeset heapprofd_enabled_prop_31_0 (heapprofd_enabled_prop)) +(typeattributeset heapprofd_prop_31_0 (heapprofd_prop)) +(typeattributeset heapprofd_socket_31_0 (heapprofd_socket)) +(typeattributeset hidl_allocator_hwservice_31_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_31_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_31_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_31_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_31_0 (hidl_token_hwservice)) +(typeattributeset hint_service_31_0 (hint_service)) +(typeattributeset hw_random_device_31_0 (hw_random_device)) +(typeattributeset hw_timeout_multiplier_prop_31_0 (hw_timeout_multiplier_prop)) +(typeattributeset hwbinder_device_31_0 (hwbinder_device)) +(typeattributeset hwservice_contexts_file_31_0 (hwservice_contexts_file)) 
+(typeattributeset hwservicemanager_31_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_31_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_31_0 (hwservicemanager_prop)) +(typeattributeset icon_file_31_0 (icon_file)) +(typeattributeset idmap_31_0 (idmap)) +(typeattributeset idmap_exec_31_0 (idmap_exec)) +(typeattributeset idmap_service_31_0 (idmap_service)) +(typeattributeset iio_device_31_0 (iio_device)) +(typeattributeset imms_service_31_0 (imms_service)) +(typeattributeset incident_31_0 (incident)) +(typeattributeset incident_data_file_31_0 (incident_data_file)) +(typeattributeset incident_helper_31_0 (incident_helper)) +(typeattributeset incident_service_31_0 (incident_service)) +(typeattributeset incidentd_31_0 (incidentd)) +(typeattributeset incremental_control_file_31_0 (incremental_control_file)) +(typeattributeset incremental_prop_31_0 (incremental_prop)) +(typeattributeset incremental_service_31_0 (incremental_service)) +(typeattributeset init_31_0 (init)) +(typeattributeset init_exec_31_0 (init_exec)) +(typeattributeset init_service_status_prop_31_0 (init_service_status_prop)) +(typeattributeset init_tmpfs_31_0 (init_tmpfs)) +(typeattributeset inotify_31_0 (inotify)) +(typeattributeset input_device_31_0 (input_device)) +(typeattributeset input_method_service_31_0 (input_method_service)) +(typeattributeset input_service_31_0 (input_service)) +(typeattributeset inputflinger_31_0 (inputflinger)) +(typeattributeset inputflinger_exec_31_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_31_0 (inputflinger_service)) +(typeattributeset install_data_file_31_0 (install_data_file)) +(typeattributeset installd_31_0 (installd)) +(typeattributeset installd_exec_31_0 (installd_exec)) +(typeattributeset installd_service_31_0 (installd_service)) +(typeattributeset ion_device_31_0 (ion_device)) +(typeattributeset iorap_inode2filename_31_0 (iorap_inode2filename)) +(typeattributeset iorap_inode2filename_exec_31_0 
(iorap_inode2filename_exec)) +(typeattributeset iorap_inode2filename_tmpfs_31_0 (iorap_inode2filename_tmpfs)) +(typeattributeset iorap_prefetcherd_31_0 (iorap_prefetcherd)) +(typeattributeset iorap_prefetcherd_exec_31_0 (iorap_prefetcherd_exec)) +(typeattributeset iorap_prefetcherd_tmpfs_31_0 (iorap_prefetcherd_tmpfs)) +(typeattributeset iorapd_31_0 (iorapd)) +(typeattributeset iorapd_data_file_31_0 (iorapd_data_file)) +(typeattributeset iorapd_exec_31_0 (iorapd_exec)) +(typeattributeset iorapd_service_31_0 (iorapd_service)) +(typeattributeset iorapd_tmpfs_31_0 (iorapd_tmpfs)) +(typeattributeset ipsec_service_31_0 (ipsec_service)) +(typeattributeset iris_service_31_0 (iris_service)) +(typeattributeset iris_vendor_data_file_31_0 (iris_vendor_data_file)) +(typeattributeset isolated_app_31_0 (isolated_app)) +(typeattributeset jobscheduler_service_31_0 (jobscheduler_service)) +(typeattributeset kernel_31_0 (kernel)) +(typeattributeset keychain_data_file_31_0 (keychain_data_file)) +(typeattributeset keychord_device_31_0 (keychord_device)) +(typeattributeset keyguard_config_prop_31_0 (keyguard_config_prop)) +(typeattributeset keystore2_key_contexts_file_31_0 (keystore2_key_contexts_file)) +(typeattributeset keystore_31_0 (keystore)) +(typeattributeset keystore_compat_hal_service_31_0 (keystore_compat_hal_service)) +(typeattributeset keystore_data_file_31_0 (keystore_data_file)) +(typeattributeset keystore_exec_31_0 (keystore_exec)) +(typeattributeset keystore_maintenance_service_31_0 (keystore_maintenance_service)) +(typeattributeset keystore_metrics_service_31_0 (keystore_metrics_service)) +(typeattributeset keystore_service_31_0 (keystore_service)) +(typeattributeset kmsg_debug_device_31_0 (kmsg_debug_device)) +(typeattributeset kmsg_device_31_0 (kmsg_device)) +(typeattributeset labeledfs_31_0 (labeledfs)) +(typeattributeset launcherapps_service_31_0 (launcherapps_service)) +(typeattributeset legacy_permission_service_31_0 (legacy_permission_service)) 
+(typeattributeset legacykeystore_service_31_0 (legacykeystore_service)) +(typeattributeset libc_debug_prop_31_0 (libc_debug_prop)) +(typeattributeset light_service_31_0 (light_service)) +(typeattributeset linkerconfig_file_31_0 (linkerconfig_file)) +(typeattributeset llkd_31_0 (llkd)) +(typeattributeset llkd_exec_31_0 (llkd_exec)) +(typeattributeset llkd_prop_31_0 (llkd_prop)) +(typeattributeset lmkd_31_0 (lmkd)) +(typeattributeset lmkd_config_prop_31_0 (lmkd_config_prop)) +(typeattributeset lmkd_exec_31_0 (lmkd_exec)) +(typeattributeset lmkd_prop_31_0 (lmkd_prop)) +(typeattributeset lmkd_socket_31_0 (lmkd_socket)) +(typeattributeset location_service_31_0 (location_service)) +(typeattributeset location_time_zone_manager_service_31_0 (location_time_zone_manager_service)) +(typeattributeset lock_settings_service_31_0 (lock_settings_service)) +(typeattributeset log_prop_31_0 (log_prop)) +(typeattributeset log_tag_prop_31_0 (log_tag_prop)) +(typeattributeset logcat_exec_31_0 (logcat_exec)) +(typeattributeset logd_31_0 (logd)) +(typeattributeset logd_exec_31_0 (logd_exec)) +(typeattributeset logd_prop_31_0 (logd_prop)) +(typeattributeset logd_socket_31_0 (logd_socket)) +(typeattributeset logdr_socket_31_0 (logdr_socket)) +(typeattributeset logdw_socket_31_0 (logdw_socket)) +(typeattributeset logpersist_31_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_31_0 (logpersistd_logging_prop)) +(typeattributeset loop_control_device_31_0 (loop_control_device)) +(typeattributeset loop_device_31_0 (loop_device)) +(typeattributeset looper_stats_service_31_0 (looper_stats_service)) +(typeattributeset lowpan_device_31_0 (lowpan_device)) +(typeattributeset lowpan_prop_31_0 (lowpan_prop)) +(typeattributeset lowpan_service_31_0 (lowpan_service)) +(typeattributeset lpdump_service_31_0 (lpdump_service)) +(typeattributeset lpdumpd_prop_31_0 (lpdumpd_prop)) +(typeattributeset mac_perms_file_31_0 (mac_perms_file)) +(typeattributeset mdns_socket_31_0 (mdns_socket)) 
+(typeattributeset mdnsd_31_0 (mdnsd)) +(typeattributeset mdnsd_socket_31_0 (mdnsd_socket)) +(typeattributeset media_communication_service_31_0 (media_communication_service)) +(typeattributeset media_config_prop_31_0 (media_config_prop)) +(typeattributeset media_data_file_31_0 (media_data_file)) +(typeattributeset media_metrics_service_31_0 (media_metrics_service)) +(typeattributeset media_projection_service_31_0 (media_projection_service)) +(typeattributeset media_router_service_31_0 (media_router_service)) +(typeattributeset media_rw_data_file_31_0 (media_rw_data_file)) +(typeattributeset media_session_service_31_0 (media_session_service)) +(typeattributeset media_variant_prop_31_0 (media_variant_prop)) +(typeattributeset mediadrm_config_prop_31_0 (mediadrm_config_prop)) +(typeattributeset mediadrmserver_31_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_31_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_31_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_31_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_31_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_31_0 (mediaextractor_service)) +(typeattributeset mediaextractor_tmpfs_31_0 (mediaextractor_tmpfs)) +(typeattributeset mediametrics_31_0 (mediametrics)) +(typeattributeset mediametrics_exec_31_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_31_0 (mediametrics_service)) +(typeattributeset mediaprovider_31_0 (mediaprovider)) +(typeattributeset mediaserver_31_0 (mediaserver)) +(typeattributeset mediaserver_exec_31_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_31_0 (mediaserver_service)) +(typeattributeset mediaserver_tmpfs_31_0 (mediaserver_tmpfs)) +(typeattributeset mediaswcodec_31_0 (mediaswcodec)) +(typeattributeset mediaswcodec_exec_31_0 (mediaswcodec_exec)) +(typeattributeset mediatranscoding_service_31_0 (mediatranscoding_service)) +(typeattributeset meminfo_service_31_0 (meminfo_service)) +(typeattributeset 
memtrackproxy_service_31_0 (memtrackproxy_service)) +(typeattributeset metadata_block_device_31_0 (metadata_block_device)) +(typeattributeset metadata_bootstat_file_31_0 (metadata_bootstat_file)) +(typeattributeset metadata_file_31_0 (metadata_file)) +(typeattributeset method_trace_data_file_31_0 (method_trace_data_file)) +(typeattributeset midi_service_31_0 (midi_service)) +(typeattributeset mirror_data_file_31_0 (mirror_data_file)) +(typeattributeset misc_block_device_31_0 (misc_block_device)) +(typeattributeset misc_logd_file_31_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_31_0 (misc_user_data_file)) +(typeattributeset mm_events_config_prop_31_0 (mm_events_config_prop)) +(typeattributeset mmc_prop_31_0 (mmc_prop)) +(typeattributeset mnt_expand_file_31_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_31_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_31_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_pass_through_file_31_0 (mnt_pass_through_file)) +(typeattributeset mnt_product_file_31_0 (mnt_product_file)) +(typeattributeset mnt_sdcard_file_31_0 (mnt_sdcard_file)) +(typeattributeset mnt_user_file_31_0 (mnt_user_file)) +(typeattributeset mnt_vendor_file_31_0 (mnt_vendor_file)) +(typeattributeset mock_ota_prop_31_0 (mock_ota_prop)) +(typeattributeset modprobe_31_0 (modprobe)) +(typeattributeset module_sdkextensions_prop_31_0 (module_sdkextensions_prop)) +(typeattributeset mount_service_31_0 (mount_service)) +(typeattributeset mqueue_31_0 (mqueue)) +(typeattributeset mtp_31_0 (mtp)) +(typeattributeset mtp_device_31_0 (mtp_device)) +(typeattributeset mtp_exec_31_0 (mtp_exec)) +(typeattributeset mtpd_socket_31_0 (mtpd_socket)) +(typeattributeset music_recognition_service_31_0 (music_recognition_service)) +(typeattributeset nativetest_data_file_31_0 (nativetest_data_file)) +(typeattributeset net_data_file_31_0 (net_data_file)) +(typeattributeset net_dns_prop_31_0 (net_dns_prop)) +(typeattributeset net_radio_prop_31_0 
(net_radio_prop)) +(typeattributeset netd_31_0 (netd)) +(typeattributeset netd_exec_31_0 (netd_exec)) +(typeattributeset netd_listener_service_31_0 (netd_listener_service)) +(typeattributeset netd_service_31_0 (netd_service)) +(typeattributeset netif_31_0 (netif)) +(typeattributeset netpolicy_service_31_0 (netpolicy_service)) +(typeattributeset netstats_service_31_0 (netstats_service)) +(typeattributeset netutils_wrapper_31_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_31_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_31_0 (network_management_service)) +(typeattributeset network_score_service_31_0 (network_score_service)) +(typeattributeset network_stack_31_0 (network_stack)) +(typeattributeset network_stack_service_31_0 (network_stack_service)) +(typeattributeset network_time_update_service_31_0 (network_time_update_service)) +(typeattributeset network_watchlist_data_file_31_0 (network_watchlist_data_file)) +(typeattributeset network_watchlist_service_31_0 (network_watchlist_service)) +(typeattributeset nfc_31_0 (nfc)) +(typeattributeset nfc_data_file_31_0 (nfc_data_file)) +(typeattributeset nfc_device_31_0 (nfc_device)) +(typeattributeset nfc_logs_data_file_31_0 (nfc_logs_data_file)) +(typeattributeset nfc_prop_31_0 (nfc_prop)) +(typeattributeset nfc_service_31_0 (nfc_service)) +(typeattributeset nnapi_ext_deny_product_prop_31_0 (nnapi_ext_deny_product_prop)) +(typeattributeset node_31_0 (node)) +(typeattributeset nonplat_service_contexts_file_31_0 (nonplat_service_contexts_file)) +(typeattributeset notification_service_31_0 (notification_service)) +(typeattributeset null_device_31_0 (null_device)) +(typeattributeset oem_lock_service_31_0 (oem_lock_service)) +(typeattributeset oem_unlock_prop_31_0 (oem_unlock_prop)) +(typeattributeset oemfs_31_0 (oemfs)) +(typeattributeset ota_data_file_31_0 (ota_data_file)) +(typeattributeset ota_metadata_file_31_0 (ota_metadata_file)) +(typeattributeset ota_package_file_31_0 
(ota_package_file)) +(typeattributeset ota_prop_31_0 (ota_prop)) +(typeattributeset otadexopt_service_31_0 (otadexopt_service)) +(typeattributeset otapreopt_chroot_31_0 (otapreopt_chroot)) +(typeattributeset overlay_prop_31_0 (overlay_prop)) +(typeattributeset overlay_service_31_0 (overlay_service)) +(typeattributeset overlayfs_file_31_0 (overlayfs_file)) +(typeattributeset owntty_device_31_0 (owntty_device)) +(typeattributeset pac_proxy_service_31_0 (pac_proxy_service)) +(typeattributeset package_native_service_31_0 (package_native_service)) +(typeattributeset package_service_31_0 (package_service)) +(typeattributeset packagemanager_config_prop_31_0 (packagemanager_config_prop)) +(typeattributeset packages_list_file_31_0 (packages_list_file)) +(typeattributeset pan_result_prop_31_0 (pan_result_prop)) +(typeattributeset password_slot_metadata_file_31_0 (password_slot_metadata_file)) +(typeattributeset pdx_bufferhub_client_channel_socket_31_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_31_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_31_0 (pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_31_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_31_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_31_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_31_0 (pdx_display_manager_channel_socket)) +(typeattributeset pdx_display_manager_endpoint_socket_31_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_31_0 (pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_31_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset pdx_display_vsync_channel_socket_31_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_31_0 
(pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_31_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_31_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_31_0 (pdx_performance_dir)) +(typeattributeset people_service_31_0 (people_service)) +(typeattributeset perfetto_31_0 (perfetto)) +(typeattributeset performanced_31_0 (performanced)) +(typeattributeset performanced_exec_31_0 (performanced_exec)) +(typeattributeset permission_checker_service_31_0 (permission_checker_service)) +(typeattributeset permission_service_31_0 (permission_service)) +(typeattributeset permissionmgr_service_31_0 (permissionmgr_service)) +(typeattributeset persist_debug_prop_31_0 (persist_debug_prop)) +(typeattributeset persist_vendor_debug_wifi_prop_31_0 (persist_vendor_debug_wifi_prop)) +(typeattributeset persistent_data_block_service_31_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_31_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_31_0 (pinner_service)) +(typeattributeset pipefs_31_0 (pipefs)) +(typeattributeset platform_app_31_0 (platform_app)) +(typeattributeset platform_compat_service_31_0 (platform_compat_service)) +(typeattributeset pmsg_device_31_0 (pmsg_device)) +(typeattributeset port_31_0 (port)) +(typeattributeset port_device_31_0 (port_device)) +(typeattributeset postinstall_31_0 (postinstall)) +(typeattributeset postinstall_apex_mnt_dir_31_0 (postinstall_apex_mnt_dir)) +(typeattributeset postinstall_file_31_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_31_0 (postinstall_mnt_dir)) +(typeattributeset power_debug_prop_31_0 (power_debug_prop)) +(typeattributeset power_service_31_0 (power_service)) +(typeattributeset powerctl_prop_31_0 (powerctl_prop)) +(typeattributeset powerstats_service_31_0 (powerstats_service)) +(typeattributeset ppp_31_0 (ppp)) +(typeattributeset 
ppp_device_31_0 (ppp_device)) +(typeattributeset ppp_exec_31_0 (ppp_exec)) +(typeattributeset preloads_data_file_31_0 (preloads_data_file)) +(typeattributeset preloads_media_file_31_0 (preloads_media_file)) +(typeattributeset prereboot_data_file_31_0 (prereboot_data_file)) +(typeattributeset print_service_31_0 (print_service)) +(typeattributeset priv_app_31_0 (priv_app)) +(typeattributeset privapp_data_file_31_0 (privapp_data_file)) +(typeattributeset proc_31_0 (proc)) +(typeattributeset proc_abi_31_0 (proc_abi)) +(typeattributeset proc_asound_31_0 (proc_asound)) +(typeattributeset proc_bluetooth_writable_31_0 (proc_bluetooth_writable)) +(typeattributeset proc_bootconfig_31_0 (proc_bootconfig)) +(typeattributeset proc_buddyinfo_31_0 (proc_buddyinfo)) +(typeattributeset proc_cmdline_31_0 (proc_cmdline)) +(typeattributeset proc_cpuinfo_31_0 (proc_cpuinfo)) +(typeattributeset proc_dirty_31_0 (proc_dirty)) +(typeattributeset proc_diskstats_31_0 (proc_diskstats)) +(typeattributeset proc_drop_caches_31_0 (proc_drop_caches)) +(typeattributeset proc_extra_free_kbytes_31_0 (proc_extra_free_kbytes)) +(typeattributeset proc_filesystems_31_0 (proc_filesystems)) +(typeattributeset proc_fs_verity_31_0 (proc_fs_verity)) +(typeattributeset proc_hostname_31_0 (proc_hostname)) +(typeattributeset proc_hung_task_31_0 (proc_hung_task)) +(typeattributeset proc_interrupts_31_0 (proc_interrupts)) +(typeattributeset proc_iomem_31_0 (proc_iomem)) +(typeattributeset proc_kallsyms_31_0 (proc_kallsyms)) +(typeattributeset proc_keys_31_0 (proc_keys)) +(typeattributeset proc_kmsg_31_0 (proc_kmsg)) +(typeattributeset proc_kpageflags_31_0 (proc_kpageflags)) +(typeattributeset proc_loadavg_31_0 (proc_loadavg)) +(typeattributeset proc_locks_31_0 (proc_locks)) +(typeattributeset proc_lowmemorykiller_31_0 (proc_lowmemorykiller)) +(typeattributeset proc_max_map_count_31_0 (proc_max_map_count)) +(typeattributeset proc_meminfo_31_0 (proc_meminfo)) +(typeattributeset proc_min_free_order_shift_31_0 
(proc_min_free_order_shift)) +(typeattributeset proc_misc_31_0 (proc_misc)) +(typeattributeset proc_modules_31_0 (proc_modules)) +(typeattributeset proc_mounts_31_0 (proc_mounts)) +(typeattributeset proc_net_31_0 (proc_net)) +(typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp)) +(typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory)) +(typeattributeset proc_page_cluster_31_0 (proc_page_cluster)) +(typeattributeset proc_pagetypeinfo_31_0 (proc_pagetypeinfo)) +(typeattributeset proc_panic_31_0 (proc_panic)) +(typeattributeset proc_perf_31_0 (proc_perf)) +(typeattributeset proc_pid_max_31_0 (proc_pid_max)) +(typeattributeset proc_pipe_conf_31_0 (proc_pipe_conf)) +(typeattributeset proc_pressure_cpu_31_0 (proc_pressure_cpu)) +(typeattributeset proc_pressure_io_31_0 (proc_pressure_io)) +(typeattributeset proc_pressure_mem_31_0 (proc_pressure_mem)) +(typeattributeset proc_qtaguid_ctrl_31_0 (proc_qtaguid_ctrl)) +(typeattributeset proc_qtaguid_stat_31_0 (proc_qtaguid_stat)) +(typeattributeset proc_random_31_0 (proc_random)) +(typeattributeset proc_sched_31_0 (proc_sched)) +(typeattributeset proc_security_31_0 (proc_security)) +(typeattributeset proc_slabinfo_31_0 (proc_slabinfo)) +(typeattributeset proc_stat_31_0 (proc_stat)) +(typeattributeset proc_swaps_31_0 (proc_swaps)) +(typeattributeset proc_sysrq_31_0 (proc_sysrq)) +(typeattributeset proc_timer_31_0 (proc_timer)) +(typeattributeset proc_tty_drivers_31_0 (proc_tty_drivers)) +(typeattributeset proc_uid_concurrent_active_time_31_0 (proc_uid_concurrent_active_time)) +(typeattributeset proc_uid_concurrent_policy_time_31_0 (proc_uid_concurrent_policy_time)) +(typeattributeset proc_uid_cpupower_31_0 (proc_uid_cpupower)) +(typeattributeset proc_uid_cputime_removeuid_31_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_31_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_31_0 (proc_uid_io_stats)) +(typeattributeset proc_uid_procstat_set_31_0 
(proc_uid_procstat_set)) +(typeattributeset proc_uid_time_in_state_31_0 (proc_uid_time_in_state)) +(typeattributeset proc_uptime_31_0 (proc_uptime)) +(typeattributeset proc_vendor_sched_31_0 (proc_vendor_sched)) +(typeattributeset proc_version_31_0 (proc_version)) +(typeattributeset proc_vmallocinfo_31_0 (proc_vmallocinfo)) +(typeattributeset proc_vmstat_31_0 (proc_vmstat)) +(typeattributeset proc_zoneinfo_31_0 (proc_zoneinfo)) +(typeattributeset processinfo_service_31_0 (processinfo_service)) +(typeattributeset procstats_service_31_0 (procstats_service)) +(typeattributeset profman_31_0 (profman)) +(typeattributeset profman_dump_data_file_31_0 (profman_dump_data_file)) +(typeattributeset profman_exec_31_0 (profman_exec)) +(typeattributeset properties_device_31_0 (properties_device)) +(typeattributeset properties_serial_31_0 (properties_serial)) +(typeattributeset property_contexts_file_31_0 (property_contexts_file)) +(typeattributeset property_data_file_31_0 (property_data_file)) +(typeattributeset property_info_31_0 (property_info)) +(typeattributeset property_service_version_prop_31_0 (property_service_version_prop)) +(typeattributeset property_socket_31_0 (property_socket)) +(typeattributeset provisioned_prop_31_0 (provisioned_prop)) +(typeattributeset pstorefs_31_0 (pstorefs)) +(typeattributeset ptmx_device_31_0 (ptmx_device)) +(typeattributeset qemu_hw_prop_31_0 (qemu_hw_prop)) +(typeattributeset qemu_sf_lcd_density_prop_31_0 (qemu_sf_lcd_density_prop)) +(typeattributeset qtaguid_device_31_0 (qtaguid_device)) +(typeattributeset racoon_31_0 (racoon)) +(typeattributeset racoon_exec_31_0 (racoon_exec)) +(typeattributeset racoon_socket_31_0 (racoon_socket)) +(typeattributeset radio_31_0 (radio)) +(typeattributeset radio_control_prop_31_0 (radio_control_prop)) +(typeattributeset radio_core_data_file_31_0 (radio_core_data_file)) +(typeattributeset radio_data_file_31_0 (radio_data_file)) +(typeattributeset radio_device_31_0 (radio_device)) +(typeattributeset 
radio_prop_31_0 (radio_prop)) +(typeattributeset radio_service_31_0 (radio_service)) +(typeattributeset ram_device_31_0 (ram_device)) +(typeattributeset random_device_31_0 (random_device)) +(typeattributeset reboot_readiness_service_31_0 (reboot_readiness_service)) +(typeattributeset rebootescrow_hal_prop_31_0 (rebootescrow_hal_prop)) +(typeattributeset recovery_31_0 (recovery)) +(typeattributeset recovery_block_device_31_0 (recovery_block_device)) +(typeattributeset recovery_config_prop_31_0 (recovery_config_prop)) +(typeattributeset recovery_data_file_31_0 (recovery_data_file)) +(typeattributeset recovery_persist_31_0 (recovery_persist)) +(typeattributeset recovery_persist_exec_31_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_31_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_31_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_31_0 (recovery_service)) +(typeattributeset recovery_socket_31_0 (recovery_socket)) +(typeattributeset registry_service_31_0 (registry_service)) +(typeattributeset remoteprovisioning_service_31_0 (remoteprovisioning_service)) +(typeattributeset resourcecache_data_file_31_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_31_0 (restorecon_prop)) +(typeattributeset restrictions_service_31_0 (restrictions_service)) +(typeattributeset retaildemo_prop_31_0 (retaildemo_prop)) +(typeattributeset rild_debug_socket_31_0 (rild_debug_socket)) +(typeattributeset rild_socket_31_0 (rild_socket)) +(typeattributeset ringtone_file_31_0 (ringtone_file)) +(typeattributeset role_service_31_0 (role_service)) +(typeattributeset rollback_service_31_0 (rollback_service)) +(typeattributeset root_block_device_31_0 (root_block_device)) +(typeattributeset rootfs_31_0 (rootfs)) +(typeattributeset rpmsg_device_31_0 (rpmsg_device)) +(typeattributeset rs_31_0 (rs)) +(typeattributeset rs_exec_31_0 (rs_exec)) +(typeattributeset rss_hwm_reset_31_0 (rss_hwm_reset)) +(typeattributeset rtc_device_31_0 (rtc_device)) 
+(typeattributeset rttmanager_service_31_0 (rttmanager_service)) +(typeattributeset runas_31_0 (runas)) +(typeattributeset runas_app_31_0 (runas_app)) +(typeattributeset runas_exec_31_0 (runas_exec)) +(typeattributeset runtime_event_log_tags_file_31_0 (runtime_event_log_tags_file)) +(typeattributeset runtime_service_31_0 (runtime_service)) +(typeattributeset safemode_prop_31_0 (safemode_prop)) +(typeattributeset same_process_hal_file_31_0 (same_process_hal_file)) +(typeattributeset samplingprofiler_service_31_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_31_0 (scheduling_policy_service)) +(typeattributeset sdcard_block_device_31_0 (sdcard_block_device)) +(typeattributeset sdcardd_31_0 (sdcardd)) +(typeattributeset sdcardd_exec_31_0 (sdcardd_exec)) +(typeattributeset sdcardfs_31_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_31_0 (seapp_contexts_file)) +(typeattributeset search_service_31_0 (search_service)) +(typeattributeset search_ui_service_31_0 (search_ui_service)) +(typeattributeset sec_key_att_app_id_provider_service_31_0 (sec_key_att_app_id_provider_service)) +(typeattributeset secure_element_31_0 (secure_element)) +(typeattributeset secure_element_device_31_0 (secure_element_device)) +(typeattributeset secure_element_service_31_0 (secure_element_service)) +(typeattributeset securityfs_31_0 (securityfs)) +(typeattributeset selinuxfs_31_0 (selinuxfs)) +(typeattributeset sendbug_config_prop_31_0 (sendbug_config_prop)) +(typeattributeset sensor_privacy_service_31_0 (sensor_privacy_service)) +(typeattributeset sensors_device_31_0 (sensors_device)) +(typeattributeset sensorservice_service_31_0 (sensorservice_service)) +(typeattributeset sepolicy_file_31_0 (sepolicy_file)) +(typeattributeset serial_device_31_0 (serial_device)) +(typeattributeset serial_service_31_0 (serial_service)) +(typeattributeset serialno_prop_31_0 (serialno_prop)) +(typeattributeset server_configurable_flags_data_file_31_0 
(server_configurable_flags_data_file)) +(typeattributeset service_contexts_file_31_0 (service_contexts_file)) +(typeattributeset service_manager_service_31_0 (service_manager_service)) +(typeattributeset service_manager_vndservice_31_0 (service_manager_vndservice)) +(typeattributeset servicediscovery_service_31_0 (servicediscovery_service)) +(typeattributeset servicemanager_31_0 (servicemanager)) +(typeattributeset servicemanager_exec_31_0 (servicemanager_exec)) +(typeattributeset settings_service_31_0 (settings_service)) +(typeattributeset sgdisk_31_0 (sgdisk)) +(typeattributeset sgdisk_exec_31_0 (sgdisk_exec)) +(typeattributeset shared_relro_31_0 (shared_relro)) +(typeattributeset shared_relro_file_31_0 (shared_relro_file)) +(typeattributeset shell_31_0 (shell)) +(typeattributeset shell_data_file_31_0 (shell_data_file)) +(typeattributeset shell_exec_31_0 (shell_exec)) +(typeattributeset shell_prop_31_0 (shell_prop)) +(typeattributeset shell_test_data_file_31_0 (shell_test_data_file)) +(typeattributeset shm_31_0 (shm)) +(typeattributeset shortcut_manager_icons_31_0 (shortcut_manager_icons)) +(typeattributeset shortcut_service_31_0 (shortcut_service)) +(typeattributeset simpleperf_31_0 (simpleperf)) +(typeattributeset simpleperf_app_runner_31_0 (simpleperf_app_runner)) +(typeattributeset simpleperf_app_runner_exec_31_0 (simpleperf_app_runner_exec)) +(typeattributeset slice_service_31_0 (slice_service)) +(typeattributeset slideshow_31_0 (slideshow)) +(typeattributeset smartspace_service_31_0 (smartspace_service)) +(typeattributeset snapshotctl_log_data_file_31_0 (snapshotctl_log_data_file)) +(typeattributeset snapuserd_socket_31_0 (snapuserd_socket)) +(typeattributeset soc_prop_31_0 (soc_prop)) +(typeattributeset socket_device_31_0 (socket_device)) +(typeattributeset socket_hook_prop_31_0 (socket_hook_prop)) +(typeattributeset sockfs_31_0 (sockfs)) +(typeattributeset sota_prop_31_0 (sota_prop)) +(typeattributeset soundtrigger_middleware_service_31_0 
(soundtrigger_middleware_service)) +(typeattributeset speech_recognition_service_31_0 (speech_recognition_service)) +(typeattributeset sqlite_log_prop_31_0 (sqlite_log_prop)) +(typeattributeset staged_install_file_31_0 (staged_install_file)) +(typeattributeset staging_data_file_31_0 (staging_data_file)) +(typeattributeset stats_data_file_31_0 (stats_data_file)) +(typeattributeset statsd_31_0 (statsd)) +(typeattributeset statsd_exec_31_0 (statsd_exec)) +(typeattributeset statsdw_socket_31_0 (statsdw_socket)) +(typeattributeset statusbar_service_31_0 (statusbar_service)) +(typeattributeset storage_config_prop_31_0 (storage_config_prop)) +(typeattributeset storage_file_31_0 (storage_file)) +(typeattributeset storage_stub_file_31_0 (storage_stub_file)) +(typeattributeset storaged_service_31_0 (storaged_service)) +(typeattributeset storagemanager_config_prop_31_0 (storagemanager_config_prop)) +(typeattributeset storagestats_service_31_0 (storagestats_service)) +(typeattributeset su_31_0 (su)) +(typeattributeset su_exec_31_0 (su_exec)) +(typeattributeset super_block_device_31_0 (super_block_device)) +(typeattributeset surfaceflinger_31_0 (surfaceflinger)) +(typeattributeset surfaceflinger_color_prop_31_0 (surfaceflinger_color_prop)) +(typeattributeset surfaceflinger_display_prop_31_0 (surfaceflinger_display_prop)) +(typeattributeset surfaceflinger_prop_31_0 (surfaceflinger_prop)) +(typeattributeset surfaceflinger_service_31_0 (surfaceflinger_service)) +(typeattributeset surfaceflinger_tmpfs_31_0 (surfaceflinger_tmpfs)) +(typeattributeset suspend_prop_31_0 (suspend_prop)) +(typeattributeset swap_block_device_31_0 (swap_block_device)) +(typeattributeset sysfs_31_0 (sysfs)) +(typeattributeset sysfs_android_usb_31_0 (sysfs_android_usb)) +(typeattributeset sysfs_batteryinfo_31_0 (sysfs_batteryinfo)) +(typeattributeset sysfs_block_31_0 (sysfs_block)) +(typeattributeset sysfs_bluetooth_writable_31_0 (sysfs_bluetooth_writable)) +(typeattributeset sysfs_devfreq_cur_31_0 
(sysfs_devfreq_cur)) +(typeattributeset sysfs_devfreq_dir_31_0 (sysfs_devfreq_dir)) +(typeattributeset sysfs_devices_block_31_0 (sysfs_devices_block)) +(typeattributeset sysfs_devices_cs_etm_31_0 (sysfs_devices_cs_etm)) +(typeattributeset sysfs_devices_system_cpu_31_0 (sysfs_devices_system_cpu)) +(typeattributeset sysfs_dm_31_0 (sysfs_dm)) +(typeattributeset sysfs_dm_verity_31_0 (sysfs_dm_verity)) +(typeattributeset sysfs_dma_heap_31_0 (sysfs_dma_heap)) +(typeattributeset sysfs_dmabuf_stats_31_0 (sysfs_dmabuf_stats)) +(typeattributeset sysfs_dt_firmware_android_31_0 (sysfs_dt_firmware_android)) +(typeattributeset sysfs_extcon_31_0 (sysfs_extcon)) +(typeattributeset sysfs_fs_ext4_features_31_0 (sysfs_fs_ext4_features)) +(typeattributeset sysfs_fs_f2fs_31_0 (sysfs_fs_f2fs)) +(typeattributeset sysfs_fs_incfs_features_31_0 (sysfs_fs_incfs_features)) +(typeattributeset sysfs_fs_incfs_metrics_31_0 (sysfs_fs_incfs_metrics)) +(typeattributeset sysfs_hwrandom_31_0 (sysfs_hwrandom)) +(typeattributeset sysfs_ion_31_0 (sysfs_ion)) +(typeattributeset sysfs_ipv4_31_0 (sysfs_ipv4)) +(typeattributeset sysfs_kernel_notes_31_0 (sysfs_kernel_notes)) +(typeattributeset sysfs_leds_31_0 (sysfs_leds)) +(typeattributeset sysfs_loop_31_0 (sysfs_loop)) +(typeattributeset sysfs_lowmemorykiller_31_0 (sysfs_lowmemorykiller)) +(typeattributeset sysfs_net_31_0 (sysfs_net)) +(typeattributeset sysfs_nfc_power_writable_31_0 (sysfs_nfc_power_writable)) +(typeattributeset sysfs_power_31_0 (sysfs_power)) +(typeattributeset sysfs_rtc_31_0 (sysfs_rtc)) +(typeattributeset sysfs_suspend_stats_31_0 (sysfs_suspend_stats)) +(typeattributeset sysfs_switch_31_0 (sysfs_switch)) +(typeattributeset sysfs_thermal_31_0 (sysfs_thermal)) +(typeattributeset sysfs_transparent_hugepage_31_0 (sysfs_transparent_hugepage)) +(typeattributeset sysfs_uhid_31_0 (sysfs_uhid)) +(typeattributeset sysfs_uio_31_0 (sysfs_uio)) +(typeattributeset sysfs_usb_31_0 (sysfs_usb)) +(typeattributeset sysfs_usermodehelper_31_0 
(sysfs_usermodehelper)) +(typeattributeset sysfs_vendor_sched_31_0 (sysfs_vendor_sched)) +(typeattributeset sysfs_vibrator_31_0 (sysfs_vibrator)) +(typeattributeset sysfs_wake_lock_31_0 (sysfs_wake_lock)) +(typeattributeset sysfs_wakeup_31_0 (sysfs_wakeup)) +(typeattributeset sysfs_wakeup_reasons_31_0 (sysfs_wakeup_reasons)) +(typeattributeset sysfs_wlan_fwpath_31_0 (sysfs_wlan_fwpath)) +(typeattributeset sysfs_zram_31_0 (sysfs_zram)) +(typeattributeset sysfs_zram_uevent_31_0 (sysfs_zram_uevent)) +(typeattributeset system_app_31_0 (system_app)) +(typeattributeset system_app_data_file_31_0 (system_app_data_file)) +(typeattributeset system_app_service_31_0 (system_app_service)) +(typeattributeset system_asan_options_file_31_0 (system_asan_options_file)) +(typeattributeset system_block_device_31_0 (system_block_device)) +(typeattributeset system_boot_reason_prop_31_0 (system_boot_reason_prop)) +(typeattributeset system_bootstrap_lib_file_31_0 (system_bootstrap_lib_file)) +(typeattributeset system_config_service_31_0 (system_config_service)) +(typeattributeset system_data_file_31_0 (system_data_file)) +(typeattributeset system_data_root_file_31_0 (system_data_root_file)) +(typeattributeset system_event_log_tags_file_31_0 (system_event_log_tags_file)) +(typeattributeset system_file_31_0 (system_file)) +(typeattributeset system_group_file_31_0 (system_group_file)) +(typeattributeset system_jvmti_agent_prop_31_0 (system_jvmti_agent_prop)) +(typeattributeset system_lib_file_31_0 (system_lib_file)) +(typeattributeset system_linker_config_file_31_0 (system_linker_config_file)) +(typeattributeset system_linker_exec_31_0 (system_linker_exec)) +(typeattributeset system_lmk_prop_31_0 (system_lmk_prop)) +(typeattributeset system_ndebug_socket_31_0 (system_ndebug_socket)) +(typeattributeset system_net_netd_hwservice_31_0 (system_net_netd_hwservice)) +(typeattributeset system_passwd_file_31_0 (system_passwd_file)) +(typeattributeset system_prop_31_0 (system_prop)) 
+(typeattributeset system_seccomp_policy_file_31_0 (system_seccomp_policy_file)) +(typeattributeset system_security_cacerts_file_31_0 (system_security_cacerts_file)) +(typeattributeset system_server_31_0 (system_server)) +(typeattributeset system_server_dumper_service_31_0 (system_server_dumper_service)) +(typeattributeset system_server_tmpfs_31_0 (system_server_tmpfs)) +(typeattributeset system_suspend_control_internal_service_31_0 (system_suspend_control_internal_service)) +(typeattributeset system_suspend_control_service_31_0 (system_suspend_control_service)) +(typeattributeset system_suspend_hwservice_31_0 (system_suspend_hwservice)) +(typeattributeset system_trace_prop_31_0 (system_trace_prop)) +(typeattributeset system_unsolzygote_socket_31_0 (system_unsolzygote_socket)) +(typeattributeset system_update_service_31_0 (system_update_service)) +(typeattributeset system_wifi_keystore_hwservice_31_0 (system_wifi_keystore_hwservice)) +(typeattributeset system_wpa_socket_31_0 (system_wpa_socket)) +(typeattributeset system_zoneinfo_file_31_0 (system_zoneinfo_file)) +(typeattributeset systemkeys_data_file_31_0 (systemkeys_data_file)) +(typeattributeset systemsound_config_prop_31_0 (systemsound_config_prop)) +(typeattributeset task_profiles_api_file_31_0 (task_profiles_api_file)) +(typeattributeset task_profiles_file_31_0 (task_profiles_file)) +(typeattributeset task_service_31_0 (task_service)) +(typeattributeset tcpdump_exec_31_0 (tcpdump_exec)) +(typeattributeset tee_31_0 (tee)) +(typeattributeset tee_data_file_31_0 (tee_data_file)) +(typeattributeset tee_device_31_0 (tee_device)) +(typeattributeset telecom_service_31_0 (telecom_service)) +(typeattributeset telephony_config_prop_31_0 (telephony_config_prop)) +(typeattributeset telephony_status_prop_31_0 (telephony_status_prop)) +(typeattributeset test_boot_reason_prop_31_0 (test_boot_reason_prop)) +(typeattributeset test_harness_prop_31_0 (test_harness_prop)) +(typeattributeset testharness_service_31_0 
(testharness_service)) +(typeattributeset tethering_service_31_0 (tethering_service)) +(typeattributeset textclassification_service_31_0 (textclassification_service)) +(typeattributeset textclassifier_data_file_31_0 (textclassifier_data_file)) +(typeattributeset textservices_service_31_0 (textservices_service)) +(typeattributeset texttospeech_service_31_0 (texttospeech_service)) +(typeattributeset theme_prop_31_0 (theme_prop)) +(typeattributeset thermal_service_31_0 (thermal_service)) +(typeattributeset time_prop_31_0 (time_prop)) +(typeattributeset timedetector_service_31_0 (timedetector_service)) +(typeattributeset timezone_service_31_0 (timezone_service)) +(typeattributeset timezonedetector_service_31_0 (timezonedetector_service)) +(typeattributeset tmpfs_31_0 (tmpfs)) +(typeattributeset tombstone_config_prop_31_0 (tombstone_config_prop)) +(typeattributeset tombstone_data_file_31_0 (tombstone_data_file)) +(typeattributeset tombstone_wifi_data_file_31_0 (tombstone_wifi_data_file)) +(typeattributeset tombstoned_31_0 (tombstoned)) +(typeattributeset tombstoned_crash_socket_31_0 (tombstoned_crash_socket)) +(typeattributeset tombstoned_exec_31_0 (tombstoned_exec)) +(typeattributeset tombstoned_intercept_socket_31_0 (tombstoned_intercept_socket)) +(typeattributeset tombstoned_java_trace_socket_31_0 (tombstoned_java_trace_socket)) +(typeattributeset toolbox_31_0 (toolbox)) +(typeattributeset toolbox_exec_31_0 (toolbox_exec)) +(typeattributeset trace_data_file_31_0 (trace_data_file)) +(typeattributeset traced_31_0 (traced)) +(typeattributeset traced_consumer_socket_31_0 (traced_consumer_socket)) +(typeattributeset traced_enabled_prop_31_0 (traced_enabled_prop)) +(typeattributeset traced_lazy_prop_31_0 (traced_lazy_prop)) +(typeattributeset traced_perf_31_0 (traced_perf)) +(typeattributeset traced_perf_socket_31_0 (traced_perf_socket)) +(typeattributeset traced_probes_31_0 (traced_probes)) +(typeattributeset traced_producer_socket_31_0 (traced_producer_socket)) 
+(typeattributeset traced_tmpfs_31_0 (traced_tmpfs)) +(typeattributeset traceur_app_31_0 (traceur_app)) +(typeattributeset translation_service_31_0 (translation_service)) +(typeattributeset trust_service_31_0 (trust_service)) +(typeattributeset tty_device_31_0 (tty_device)) +(typeattributeset tun_device_31_0 (tun_device)) +(typeattributeset tv_input_service_31_0 (tv_input_service)) +(typeattributeset tv_tuner_resource_mgr_service_31_0 (tv_tuner_resource_mgr_service)) +(typeattributeset tzdatacheck_31_0 (tzdatacheck)) +(typeattributeset tzdatacheck_exec_31_0 (tzdatacheck_exec)) +(typeattributeset ueventd_31_0 (ueventd)) +(typeattributeset ueventd_tmpfs_31_0 (ueventd_tmpfs)) +(typeattributeset uhid_device_31_0 (uhid_device)) +(typeattributeset uimode_service_31_0 (uimode_service)) +(typeattributeset uio_device_31_0 (uio_device)) +(typeattributeset uncrypt_31_0 (uncrypt)) +(typeattributeset uncrypt_exec_31_0 (uncrypt_exec)) +(typeattributeset uncrypt_socket_31_0 (uncrypt_socket)) +(typeattributeset unencrypted_data_file_31_0 (unencrypted_data_file)) +(typeattributeset unlabeled_31_0 (unlabeled)) +(typeattributeset untrusted_app_25_31_0 (untrusted_app_25)) +(typeattributeset untrusted_app_27_31_0 (untrusted_app_27)) +(typeattributeset untrusted_app_29_31_0 (untrusted_app_29)) +(typeattributeset untrusted_app_31_0 (untrusted_app)) +(typeattributeset update_engine_31_0 (update_engine)) +(typeattributeset update_engine_data_file_31_0 (update_engine_data_file)) +(typeattributeset update_engine_exec_31_0 (update_engine_exec)) +(typeattributeset update_engine_log_data_file_31_0 (update_engine_log_data_file)) +(typeattributeset update_engine_service_31_0 (update_engine_service)) +(typeattributeset update_engine_stable_service_31_0 (update_engine_stable_service)) +(typeattributeset update_verifier_31_0 (update_verifier)) +(typeattributeset update_verifier_exec_31_0 (update_verifier_exec)) +(typeattributeset updatelock_service_31_0 (updatelock_service)) +(typeattributeset 
uri_grants_service_31_0 (uri_grants_service)) +(typeattributeset usagestats_service_31_0 (usagestats_service)) +(typeattributeset usb_config_prop_31_0 (usb_config_prop)) +(typeattributeset usb_control_prop_31_0 (usb_control_prop)) +(typeattributeset usb_device_31_0 (usb_device)) +(typeattributeset usb_prop_31_0 (usb_prop)) +(typeattributeset usb_serial_device_31_0 (usb_serial_device)) +(typeattributeset usb_service_31_0 (usb_service)) +(typeattributeset usbaccessory_device_31_0 (usbaccessory_device)) +(typeattributeset usbd_31_0 (usbd)) +(typeattributeset usbd_exec_31_0 (usbd_exec)) +(typeattributeset usbfs_31_0 (usbfs)) +(typeattributeset use_memfd_prop_31_0 (use_memfd_prop)) +(typeattributeset user_profile_data_file_31_0 (user_profile_data_file)) +(typeattributeset user_profile_root_file_31_0 (user_profile_root_file)) +(typeattributeset user_service_31_0 (user_service)) +(typeattributeset userdata_block_device_31_0 (userdata_block_device)) +(typeattributeset userdata_sysdev_31_0 (userdata_sysdev)) +(typeattributeset usermodehelper_31_0 (usermodehelper)) +(typeattributeset userspace_reboot_config_prop_31_0 (userspace_reboot_config_prop)) +(typeattributeset userspace_reboot_exported_prop_31_0 (userspace_reboot_exported_prop)) +(typeattributeset userspace_reboot_metadata_file_31_0 (userspace_reboot_metadata_file)) +(typeattributeset uwb_service_31_0 (uwb_service)) +(typeattributeset vcn_management_service_31_0 (vcn_management_service)) +(typeattributeset vd_device_31_0 (vd_device)) +(typeattributeset vdc_31_0 (vdc)) +(typeattributeset vdc_exec_31_0 (vdc_exec)) +(typeattributeset vehicle_hal_prop_31_0 (vehicle_hal_prop)) +(typeattributeset vendor_apex_file_31_0 (vendor_apex_file)) +(typeattributeset vendor_app_file_31_0 (vendor_app_file)) +(typeattributeset vendor_cgroup_desc_file_31_0 (vendor_cgroup_desc_file)) +(typeattributeset vendor_configs_file_31_0 (vendor_configs_file)) +(typeattributeset vendor_data_file_31_0 (vendor_data_file)) +(typeattributeset 
vendor_default_prop_31_0 (vendor_default_prop)) +(typeattributeset vendor_file_31_0 (vendor_file)) +(typeattributeset vendor_framework_file_31_0 (vendor_framework_file)) +(typeattributeset vendor_hal_file_31_0 (vendor_hal_file)) +(typeattributeset vendor_idc_file_31_0 (vendor_idc_file)) +(typeattributeset vendor_init_31_0 (vendor_init)) +(typeattributeset vendor_kernel_modules_31_0 (vendor_kernel_modules)) +(typeattributeset vendor_keychars_file_31_0 (vendor_keychars_file)) +(typeattributeset vendor_keylayout_file_31_0 (vendor_keylayout_file)) +(typeattributeset vendor_misc_writer_31_0 (vendor_misc_writer)) +(typeattributeset vendor_misc_writer_exec_31_0 (vendor_misc_writer_exec)) +(typeattributeset vendor_modprobe_31_0 (vendor_modprobe)) +(typeattributeset vendor_overlay_file_31_0 (vendor_overlay_file)) +(typeattributeset vendor_public_framework_file_31_0 (vendor_public_framework_file)) +(typeattributeset vendor_public_lib_file_31_0 (vendor_public_lib_file)) +(typeattributeset vendor_security_patch_level_prop_31_0 (vendor_security_patch_level_prop)) +(typeattributeset vendor_service_contexts_file_31_0 (vendor_service_contexts_file)) +(typeattributeset vendor_shell_31_0 (vendor_shell)) +(typeattributeset vendor_shell_exec_31_0 (vendor_shell_exec)) +(typeattributeset vendor_socket_hook_prop_31_0 (vendor_socket_hook_prop)) +(typeattributeset vendor_task_profiles_file_31_0 (vendor_task_profiles_file)) +(typeattributeset vendor_toolbox_exec_31_0 (vendor_toolbox_exec)) +(typeattributeset vfat_31_0 (vfat)) +(typeattributeset vibrator_manager_service_31_0 (vibrator_manager_service)) +(typeattributeset vibrator_service_31_0 (vibrator_service)) +(typeattributeset video_device_31_0 (video_device)) +(typeattributeset virtual_ab_prop_31_0 (virtual_ab_prop)) +(typeattributeset virtual_touchpad_31_0 (virtual_touchpad)) +(typeattributeset virtual_touchpad_exec_31_0 (virtual_touchpad_exec)) +(typeattributeset virtual_touchpad_service_31_0 (virtual_touchpad_service)) 
+(typeattributeset virtualization_service_31_0 (virtualization_service)) +(typeattributeset vndbinder_device_31_0 (vndbinder_device)) +(typeattributeset vndk_prop_31_0 (vndk_prop)) +(typeattributeset vndk_sp_file_31_0 (vndk_sp_file)) +(typeattributeset vndservice_contexts_file_31_0 (vndservice_contexts_file)) +(typeattributeset vndservicemanager_31_0 (vndservicemanager)) +(typeattributeset voiceinteraction_service_31_0 (voiceinteraction_service)) +(typeattributeset vold_31_0 (vold)) +(typeattributeset vold_config_prop_31_0 (vold_config_prop)) +(typeattributeset vold_data_file_31_0 (vold_data_file)) +(typeattributeset vold_device_31_0 (vold_device)) +(typeattributeset vold_exec_31_0 (vold_exec)) +(typeattributeset vold_metadata_file_31_0 (vold_metadata_file)) +(typeattributeset vold_post_fs_data_prop_31_0 (vold_post_fs_data_prop)) +(typeattributeset vold_prepare_subdirs_31_0 (vold_prepare_subdirs)) +(typeattributeset vold_prepare_subdirs_exec_31_0 (vold_prepare_subdirs_exec)) +(typeattributeset vold_prop_31_0 (vold_prop)) +(typeattributeset vold_service_31_0 (vold_service)) +(typeattributeset vold_status_prop_31_0 (vold_status_prop)) +(typeattributeset vpn_data_file_31_0 (vpn_data_file)) +(typeattributeset vpn_management_service_31_0 (vpn_management_service)) +(typeattributeset vr_hwc_31_0 (vr_hwc)) +(typeattributeset vr_hwc_exec_31_0 (vr_hwc_exec)) +(typeattributeset vr_hwc_service_31_0 (vr_hwc_service)) +(typeattributeset vr_manager_service_31_0 (vr_manager_service)) +(typeattributeset vrflinger_vsync_service_31_0 (vrflinger_vsync_service)) +(typeattributeset vts_config_prop_31_0 (vts_config_prop)) +(typeattributeset vts_status_prop_31_0 (vts_status_prop)) +(typeattributeset wallpaper_file_31_0 (wallpaper_file)) +(typeattributeset wallpaper_service_31_0 (wallpaper_service)) +(typeattributeset watchdog_device_31_0 (watchdog_device)) +(typeattributeset watchdog_metadata_file_31_0 (watchdog_metadata_file)) +(typeattributeset watchdogd_31_0 (watchdogd)) 
+(typeattributeset watchdogd_exec_31_0 (watchdogd_exec)) +(typeattributeset webview_zygote_31_0 (webview_zygote)) +(typeattributeset webview_zygote_exec_31_0 (webview_zygote_exec)) +(typeattributeset webview_zygote_tmpfs_31_0 (webview_zygote_tmpfs)) +(typeattributeset webviewupdate_service_31_0 (webviewupdate_service)) +(typeattributeset wifi_config_prop_31_0 (wifi_config_prop)) +(typeattributeset wifi_data_file_31_0 (wifi_data_file)) +(typeattributeset wifi_hal_prop_31_0 (wifi_hal_prop)) +(typeattributeset wifi_key_31_0 (wifi_key)) +(typeattributeset wifi_log_prop_31_0 (wifi_log_prop)) +(typeattributeset wifi_prop_31_0 (wifi_prop)) +(typeattributeset wifi_service_31_0 (wifi_service)) +(typeattributeset wifiaware_service_31_0 (wifiaware_service)) +(typeattributeset wificond_31_0 (wificond)) +(typeattributeset wificond_exec_31_0 (wificond_exec)) +(typeattributeset wifinl80211_service_31_0 (wifinl80211_service)) +(typeattributeset wifip2p_service_31_0 (wifip2p_service)) +(typeattributeset wifiscanner_service_31_0 (wifiscanner_service)) +(typeattributeset window_service_31_0 (window_service)) +(typeattributeset wpa_socket_31_0 (wpa_socket)) +(typeattributeset wpantund_31_0 (wpantund)) +(typeattributeset wpantund_exec_31_0 (wpantund_exec)) +(typeattributeset wpantund_service_31_0 (wpantund_service)) +(typeattributeset zero_device_31_0 (zero_device)) +(typeattributeset zoneinfo_data_file_31_0 (zoneinfo_data_file)) +(typeattributeset zram_config_prop_31_0 (zram_config_prop)) +(typeattributeset zram_control_prop_31_0 (zram_control_prop)) +(typeattributeset zygote_31_0 (zygote)) +(typeattributeset zygote_config_prop_31_0 (zygote_config_prop)) +(typeattributeset zygote_exec_31_0 (zygote_exec)) +(typeattributeset zygote_socket_31_0 (zygote_socket)) +(typeattributeset zygote_tmpfs_31_0 (zygote_tmpfs)) diff --git a/prebuilts/api/32.0/private/compat/31.0/31.0.compat.cil b/prebuilts/api/32.0/private/compat/31.0/31.0.compat.cil new file mode 100644 index 000000000..628abfcda 
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/31.0/31.0.compat.cil
@@ -0,0 +1 @@
+;; This file can't be empty.
diff --git a/prebuilts/api/32.0/private/compat/31.0/31.0.ignore.cil b/prebuilts/api/32.0/private/compat/31.0/31.0.ignore.cil
new file mode 100644
index 000000000..4e95cc6e4
--- /dev/null
+++ b/prebuilts/api/32.0/private/compat/31.0/31.0.ignore.cil
@@ -0,0 +1,9 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ hypervisor_prop
+ ))
diff --git a/prebuilts/api/32.0/private/coredomain.te b/prebuilts/api/32.0/private/coredomain.te
new file mode 100644
index 000000000..b7f4f5d18
--- /dev/null
+++ b/prebuilts/api/32.0/private/coredomain.te
@@ -0,0 +1,246 @@
+get_prop(coredomain, boot_status_prop)
+get_prop(coredomain, camera_config_prop)
+get_prop(coredomain, dalvik_config_prop)
+get_prop(coredomain, dalvik_runtime_prop)
+get_prop(coredomain, exported_pm_prop)
+get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
+get_prop(coredomain, hdmi_config_prop)
+get_prop(coredomain, init_service_status_private_prop)
+get_prop(coredomain, lmkd_config_prop)
+get_prop(coredomain, localization_prop)
+get_prop(coredomain, pm_prop)
+get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, sqlite_log_prop)
+get_prop(coredomain, storagemanager_config_prop)
+get_prop(coredomain, surfaceflinger_color_prop)
+get_prop(coredomain, systemsound_config_prop)
+get_prop(coredomain, telephony_config_prop)
+get_prop(coredomain, usb_config_prop)
+get_prop(coredomain, usb_control_prop)
+get_prop(coredomain, userspace_reboot_config_prop)
+get_prop(coredomain, vold_config_prop)
+get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_config_prop)
+get_prop(coredomain, zygote_wrap_prop)
+
+# TODO(b/170590987): remove this after cleaning up default_prop
+get_prop(coredomain, default_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+
+ # for chowning
+ -init
+
+ # generic access to sysfs_type
+ -ueventd
+ -vold
+} sysfs_leds:file *;
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few allowlisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -dexoptanalyzer
+ -idmap
+ -init
+ -installd
+ -heapprofd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -dexoptanalyzer
+ -idmap
+ -init
+ -installd
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -mediaserver
+ } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -app_zygote
+ -webview_zygote
+ -zygote
+ -heapprofd
+ } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -app_zygote
+ -webview_zygote
+ -zygote
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ } vendor_overlay_file:file open;
+')
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+ # /proc
+ neverallow {
+ coredomain
+ -init
+ -vold
+ } proc:file no_rw_file_perms;
+
+ # /sys
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file no_rw_file_perms;
+
+ # /dev
+ neverallow {
+ coredomain
+ -fsck
+ -init
+ -ueventd
+ } device:{ blk_file file } no_rw_file_perms;
+
+ # debugfs
+ neverallow {
+ coredomain
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
+ } debugfs:file no_rw_file_perms;
+
+ # tracefs
+ neverallow {
+ coredomain
+ -atrace
+ -dumpstate
+ -gpuservice
+ -init
+ -traced_perf
+ -traced_probes
+ -shell
+ -system_server
+ -traceur_app
+ userdebug_or_eng(`-profcollectd')
+ } debugfs_tracing:file no_rw_file_perms;
+
+ # inotifyfs
+ neverallow {
+ coredomain
+ -init
+ } inotify:file no_rw_file_perms;
+
+ # pstorefs
+ neverallow {
+ coredomain
+ -bootstat
+ -charger
+ -dumpstate
+ -healthd
+ userdebug_or_eng(`-incidentd')
+ -init
+ -logd
+ -logpersist
+ -recovery_persist
+ -recovery_refresh
+ -shell
+ -system_server
+ } pstorefs:file no_rw_file_perms;
+
+ # configfs
+ neverallow {
+ coredomain
+ -init
+ -system_server
+ } configfs:file no_rw_file_perms;
+
+ # functionfs
+ neverallow {
+ coredomain
+ -adbd
+ -init
+ -mediaprovider
+ -system_server
+ } functionfs:file no_rw_file_perms;
+
+ # usbfs and binfmt_miscfs
+ neverallow {
+ coredomain
+ -init
+ }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+ # dmabuf heaps
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ }{
+ dmabuf_heap_device_type
+ -dmabuf_system_heap_device
+ -dmabuf_system_secure_heap_device
+ }:chr_file no_rw_file_perms;
+')
+
+# Following /dev nodes must not be directly accessed by coredomain, but should
+# instead be wrapped by HALs.
+neverallow coredomain {
+ iio_device
+ radio_device
+}:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+ neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
diff --git a/prebuilts/api/32.0/private/cppreopts.te b/prebuilts/api/32.0/private/cppreopts.te
new file mode 100644
index 000000000..1192ba676
--- /dev/null
+++ b/prebuilts/api/32.0/private/cppreopts.te
@@ -0,0 +1,31 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject, coredomain;
+type cppreopts_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but cppreopts.sh still runs.
+dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/prebuilts/api/32.0/private/crash_dump.te b/prebuilts/api/32.0/private/crash_dump.te
new file mode 100644
index 000000000..9233a4dae
--- /dev/null
+++ b/prebuilts/api/32.0/private/crash_dump.te
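Review bot: In cppreopts.te the rule `allow cppreopts system_file:dir { open read };` is explained as `# Allow us to run find on /postinstall`, yet the label it grants is `system_file`, while dex2oat.te in this same change documents `/postinstall` under `postinstall_file` (`allow dex2oat postinstall_file:dir r_dir_perms;` below a `/postinstall` comment). Either the mount really is labeled `system_file` and the comment should say so, or this rule no longer matches the path it was written for; the actual label of the mount is not visible here, so this is a doc request rather than a rule change. Suggest `# Allow us to run find on /postinstall (system_other image, labeled system_file)`, or whichever label is correct, so the two files stop contradicting each other. Since this is a frozen 32.0 prebuilt, the wording fix belongs in the live policy first and should then be mirrored here.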
@@ -0,0 +1,62 @@
+typeattribute crash_dump coredomain;
+
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
+
+allow crash_dump {
+ domain
+ -apexd
+ -bpfloader
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
+
+# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
+userdebug_or_eng(`
+ allow crash_dump {
+ apexd
+ keystore
+ llkd
+ logd
+ vold
+ }:process { ptrace signal sigchld sigstop sigkill };
+')
+
+###
+### neverallow assertions
+###
+
+# ptrace neverallow assertions are spread throughout the other policy
+# files, so we avoid adding redundant assertions here
+
+neverallow crash_dump {
+ apexd
+ userdebug_or_eng(`-apexd')
+ bpfloader
+ init
+ kernel
+ keystore
+ userdebug_or_eng(`-keystore')
+ llkd
+ userdebug_or_eng(`-llkd')
+ logd
+ userdebug_or_eng(`-logd')
+ ueventd
+ vendor_init
+ vold
+ userdebug_or_eng(`-vold')
+}:process { signal sigstop sigkill };
+
+neverallow crash_dump self:process ptrace;
+neverallow crash_dump gpu_device:chr_file *;
+
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/prebuilts/api/32.0/private/credstore.te b/prebuilts/api/32.0/private/credstore.te
new file mode 100644
index 000000000..8d87e2f33
--- /dev/null
+++ b/prebuilts/api/32.0/private/credstore.te
@@ -0,0 +1,6 @@
+typeattribute credstore coredomain;
+
+init_daemon_domain(credstore)
+
+# talk to Identity Credential
+hal_client_domain(credstore, hal_identity)
diff --git a/prebuilts/api/32.0/private/crosvm.te b/prebuilts/api/32.0/private/crosvm.te
new file mode 100644
index 000000000..5d7080a49
--- /dev/null
+++ b/prebuilts/api/32.0/private/crosvm.te
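Review bot: The `userdebug_or_eng` block in crash_dump.te still grants crash_dump `ptrace` over `keystore`, and the comment above it — `# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)` — names a removal date that has long passed. On user builds the first `allow` excludes `-keystore` and the neverallow further down asserts the same, so on debug builds crash_dump is handed exactly the capability the production policy forbids, and the file gives no reason why. If the exception is still required, the comment should state the blocker rather than a stale date, e.g. `# TODO(b/186868271): crash_dump may still ptrace keystore on userdebug/eng; remove once <blocker> is resolved`; if it is not, drop `keystore` from the debug `allow` and the matching `userdebug_or_eng(`-keystore')` exemption together. As this is a frozen 32.0 prebuilt, the change presumably has to land in the live policy first and be mirrored here.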
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/prebuilts/api/32.0/private/derive_classpath.te b/prebuilts/api/32.0/private/derive_classpath.te
new file mode 100644
index 000000000..2299ba092
--- /dev/null
+++ b/prebuilts/api/32.0/private/derive_classpath.te
@@ -0,0 +1,25 @@
+
+# Domain for derive_classpath
+type derive_classpath, domain, coredomain;
+type derive_classpath_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_classpath)
+
+# Read /apex
+allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+
+# Create /data/system/environ/classpath file
+allow derive_classpath environ_system_data_file:dir rw_dir_perms;
+allow derive_classpath environ_system_data_file:file create_file_perms;
+
+# b/183079517 fails on gphone targets otherwise
+allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
diff --git a/prebuilts/api/32.0/private/derive_sdk.te b/prebuilts/api/32.0/private/derive_sdk.te
new file mode 100644
index 000000000..1f60e3446
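Review bot: The two `kvm_device` neverallows at the end of crosvm.te differ in one exemption — `shell` is excused from the `getattr` assertion but not from the `~getattr` one — and the only comment, `# Most other domains shouldn't access /dev/kvm.`, does not say why. Without a reason the next editor has no way to tell whether widening the `shell` exemption to `open` would be a regression, so a one-line note is worth adding: `# shell may only stat /dev/kvm; every other permission stays limited to crosvm and ueventd.` Also worth stating on `allow crosvm virtmanager:fd use;` which descriptors virtmanager is expected to hand over, since the file grants no separate access to whatever objects sit behind them.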
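Review bot: In derive_classpath.te, `allow derive_classpath unlabeled:dir search;` is justified only by `# b/183079517 fails on gphone targets otherwise`, which records a symptom rather than which path is carrying the `unlabeled` context. A `search` grant on `unlabeled` applies to every directory the policy failed to label, so a reader cannot tell what this reaches or whether it is still needed once the underlying path gets a proper label. Suggest naming the path and marking the rule as temporary, e.g. `# b/183079517: <path> is unlabeled on gphone targets; drop this once it is labeled.`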
--- /dev/null
+++ b/prebuilts/api/32.0/private/derive_sdk.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_sdk
+type derive_sdk, domain, coredomain;
+type derive_sdk_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_sdk)
+
+# Read /apex
+allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+
+# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
+set_prop(derive_sdk, module_sdkextensions_prop)
+neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
diff --git a/prebuilts/api/32.0/private/dex2oat.te b/prebuilts/api/32.0/private/dex2oat.te
new file mode 100644
index 000000000..e7cdd5f12
--- /dev/null
+++ b/prebuilts/api/32.0/private/dex2oat.te
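Review bot: The comment `# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)` in derive_sdk.te understates the read side: domain.te in this same change grants `get_prop(domain, module_sdkextensions_prop)`, i.e. every domain can read it, not just apps. The write side is also slightly broader than the comment says, since the neverallow exempts `init` as well as `derive_sdk`. Suggest `# Prop rules: set only by derive_sdk (and init); readable by every domain, see domain.te` so the comment matches the two rules it sits above.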
@@ -0,0 +1,110 @@
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+userfaultfd_use(dex2oat)
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read map };
+
+allow dex2oat tmpfs:file { read getattr map };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock map };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+
+# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
+allow dex2oat apex_module_data_file:dir search;
+
+# Allow dex2oat to use file descriptors passed from odrefresh.
+allow dex2oat odrefresh:fd use;
+
+# Allow dex2oat to use devpts and file descriptors passed from odsign
+allow dex2oat odsign_devpts:chr_file { read write };
+allow dex2oat odsign:fd use;
+
+# Allow dex2oat to write to file descriptors from odrefresh for files
+# in the staging area.
+allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
+allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
+
+# Allow dex2oat to read artifacts from odrefresh.
+allow dex2oat apex_art_data_file:dir r_dir_perms;
+allow dex2oat apex_art_data_file:file r_file_perms;
+
+# Allow dex2oat to read runtime native flag properties.
+get_prop(dex2oat, device_config_runtime_native_prop)
+get_prop(dex2oat, device_config_runtime_native_boot_prop)
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:dir r_dir_perms;
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file { getattr read };
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/prebuilts/api/32.0/private/dexoptanalyzer.te b/prebuilts/api/32.0/private/dexoptanalyzer.te
new file mode 100644
index 000000000..8eb1d2905
--- /dev/null
+++ b/prebuilts/api/32.0/private/dexoptanalyzer.te
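Review bot: The comment `# Allow dex2oat to use file descriptors from preinstall.` in the "APEX Update" section of dex2oat.te is followed by a blank line and then the Neverallow banner — no rule accompanies it, so either a grant was dropped while the comment survived or the comment is stale. An orphan comment on a policy file is worse than none, because it tells a reader a permission exists that the compiled policy does not contain; it should be deleted, or the rule it describes should be put back beneath it. Separately, `allow dex2oat unlabeled:file { read map };` is justified by `# Also allow reading unlabeled files, to allow for upgrading forward locked APKs` — if forward-locked APKs are no longer handled on this branch (not verifiable from here), that grant is a candidate for removal, and the comment should at least record what still depends on it.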
@@ -0,0 +1,56 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;
+
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+# processes.
+tmpfs_domain(dexoptanalyzer)
+
+userfaultfd_use(dexoptanalyzer)
+
+# Allow dexoptanalyzer to read files in the dalvik cache.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+# Allow dexoptanalyzer to read files in the ART APEX data directory.
+allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
+allow dexoptanalyzer apex_art_data_file:file r_file_perms;
+
+# Allow dexoptanalyzer to use file descriptors from odrefresh.
+allow dexoptanalyzer odrefresh:fd use;
+
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow dexoptanalyzer odsign:fd use;
+allow dexoptanalyzer odsign_devpts:chr_file { read write };
+
+allow dexoptanalyzer installd:fd use;
+allow dexoptanalyzer installd:fifo_file { getattr write };
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dexoptanalyzer system_file:file lock;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
+
+# Allow query ART device config properties
+get_prop(dexoptanalyzer, device_config_runtime_native_prop)
+get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
+
+# Allow dexoptanalyzer to read /apex/apex-info-list.xml
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/32.0/private/dhcp.te b/prebuilts/api/32.0/private/dhcp.te
new file mode 100644
index 000000000..8ec9111d6
--- /dev/null
+++ b/prebuilts/api/32.0/private/dhcp.te
@@ -0,0 +1,7 @@
+typeattribute dhcp coredomain;
+
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
diff --git a/prebuilts/api/32.0/private/dnsmasq.te b/prebuilts/api/32.0/private/dnsmasq.te
new file mode 100644
index 000000000..96084b490
--- /dev/null
+++ b/prebuilts/api/32.0/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/32.0/private/domain.te b/prebuilts/api/32.0/private/domain.te
new file mode 100644
index 000000000..78aaf55d6
--- /dev/null
+++ b/prebuilts/api/32.0/private/domain.te
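Review bot: The comment above `allow dexoptanalyzer dalvikcache_data_file:lnk_file read;` in dexoptanalyzer.te is garbled — `# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot` / `# app_data_file the oat file is symlinked to the original file in /system.` reads as if a search-and-replace swapped "images, where" for `app_data_file`, which is a real type name and will mislead anyone grepping for it. dex2oat.te in this same change carries the intact wording for the equivalent rule, so the fix is to match it: `# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot` / `# images, where the oat file is symlinked to the original file in /system.` Being a frozen 32.0 prebuilt, the correction should go into the live policy and be mirrored here.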
@@ -0,0 +1,546 @@ +# Transition to crash_dump when /system/bin/crash_dump* is executed. +# This occurs when the process crashes. +# We do not apply this to the su domain to avoid interfering with +# tests (b/114136122) +domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump); +allow domain crash_dump:process sigchld; + +# Allow every process to check the heapprofd.enable properties to determine +# whether to load the heap profiling library. This does not necessarily enable +# heap profiling, as initialization will fail if it does not have the +# necessary SELinux permissions. +get_prop(domain, heapprofd_prop); +# Allow heap profiling on debug builds. +userdebug_or_eng(`can_profile_heap({ + domain + -bpfloader + -init + -kernel + -keystore + -llkd + -logd + -logpersist + -recovery + -recovery_persist + -recovery_refresh + -ueventd + -vendor_init + -vold +})') + +# As above, allow perf profiling most processes on debug builds. +# zygote is excluded as system-wide profiling could end up with it +# (unexpectedly) holding an open fd across a fork. +userdebug_or_eng(`can_profile_perf({ + domain + -bpfloader + -init + -kernel + -keystore + -llkd + -logd + -logpersist + -recovery + -recovery_persist + -recovery_refresh + -ueventd + -vendor_init + -vold + -zygote +})') + +# Everyone can access the IncFS list of features. +r_dir_file(domain, sysfs_fs_incfs_features); + +# Path resolution access in cgroups. 
+allow domain cgroup:dir search; +allow { domain -appdomain -rs } cgroup:dir w_dir_perms; +allow { domain -appdomain -rs } cgroup:file w_file_perms; + +allow domain cgroup_v2:dir search; +allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms; +allow { domain -appdomain -rs } cgroup_v2:file w_file_perms; + +allow domain cgroup_rc_file:dir search; +allow domain cgroup_rc_file:file r_file_perms; +allow domain task_profiles_file:file r_file_perms; +allow domain task_profiles_api_file:file r_file_perms; +allow domain vendor_task_profiles_file:file r_file_perms; + +# Allow all domains to read sys.use_memfd to determine +# if memfd support can be used if device supports it +get_prop(domain, use_memfd_prop); + +# Read access to sdkextensions props +get_prop(domain, module_sdkextensions_prop) + +# Read access to bq configuration values +get_prop(domain, bq_config_prop); + +# For now, everyone can access core property files +# Device specific properties are not granted by default +not_compatible_property(` + # DO NOT ADD ANY PROPERTIES HERE + get_prop(domain, core_property_type) + get_prop(domain, exported3_system_prop) + get_prop(domain, vendor_default_prop) +') +compatible_property_only(` + # DO NOT ADD ANY PROPERTIES HERE + get_prop({coredomain appdomain shell}, core_property_type) + get_prop({coredomain appdomain shell}, exported3_system_prop) + get_prop({coredomain appdomain shell}, exported_camera_prop) + get_prop({coredomain shell}, userspace_reboot_exported_prop) + get_prop({coredomain shell}, userspace_reboot_log_prop) + get_prop({coredomain shell}, userspace_reboot_test_prop) + get_prop({domain -coredomain -appdomain}, vendor_default_prop) +') + +# Allow access to fsverity keyring. +allow domain kernel:key search; +# Allow access to keys in the fsverity keyring that were installed at boot. +allow domain fsverity_init:key search; +# For testing purposes, allow access to keys installed with su. 
+userdebug_or_eng(` + allow domain su:key search; +') + +# Allow access to linkerconfig file +allow domain linkerconfig_file:dir search; +allow domain linkerconfig_file:file r_file_perms; + +# Allow all processes to check for the existence of the boringssl_self_test_marker files. +allow domain boringssl_self_test_marker:dir search; + +# Limit ability to ptrace or read sensitive /proc/pid files of processes +# with other UIDs to these allowlisted domains. +neverallow { + domain + -vold + userdebug_or_eng(`-llkd') + -dumpstate + userdebug_or_eng(`-incidentd') + userdebug_or_eng(`-profcollectd') + -storaged + -system_server +} self:global_capability_class_set sys_ptrace; + +# Limit ability to generate hardware unique device ID attestations to priv_apps +neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id; +neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id; +neverallow { domain -system_server } *:keystore2_key use_dev_id; +neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock }; + +neverallow { + domain + -init + -vendor_init + userdebug_or_eng(`-domain') +} debugfs_tracing_debug:file no_rw_file_perms; + +# System_server owns dropbox data, and init creates/restorecons the directory +# Disallow direct access by other processes. +neverallow { domain -init -system_server } dropbox_data_file:dir *; +neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read }; + +### +# Services should respect app sandboxes +neverallow { + domain + -appdomain + -installd # creation of sandbox +} { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; + +# Only the following processes should be directly accessing private app +# directories. 
+neverallow { + domain + -adbd + -appdomain + -app_zygote + -dexoptanalyzer + -installd + -iorap_inode2filename + -iorap_prefetcherd + -profman + -rs # spawned by appdomain, so carryover the exception above + -runas + -system_server + -viewcompiler + -zygote +} { privapp_data_file app_data_file }:dir *; + +# Only apps should be modifying app data. installd is exempted for +# restorecon and package install/uninstall. +neverallow { + domain + -appdomain + -installd + -rs # spawned by appdomain, so carryover the exception above +} { privapp_data_file app_data_file }:dir ~r_dir_perms; + +neverallow { + domain + -appdomain + -app_zygote + -installd + -iorap_prefetcherd + -rs # spawned by appdomain, so carryover the exception above +} { privapp_data_file app_data_file }:file_class_set open; + +neverallow { + domain + -appdomain + -installd # creation of sandbox +} { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; + +neverallow { + domain + -installd +} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto }; + +# The staging directory contains APEX and APK files. It is important to ensure +# that these files cannot be accessed by other domains to ensure that the files +# do not change between system_server staging the files and apexd processing +# the files. +neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *; +neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *; +neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms; +# apexd needs the link and unlink permissions, so list every `no_w_file_perms` +# except for `link` and `unlink`. 
+neverallow { domain -init -system_server } staging_data_file:file + { append create relabelfrom rename setattr write no_x_file_perms }; + +neverallow { + domain + -appdomain # for oemfs + -bootanim # for oemfs + -recovery # for /tmp/update_binary in tmpfs +} { fs_type -rootfs }:file execute; + +# +# Assert that, to the extent possible, we're not loading executable content from +# outside the rootfs or /system partition except for a few allowlisted domains. +# Executable files loaded from /data is a persistence vector +# we want to avoid. See +# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. +# +neverallow { + domain + -appdomain + with_asan(`-asan_extract') + -iorap_prefetcherd + -shell + userdebug_or_eng(`-su') + -system_server_startup # for memfd backed executable regions + -app_zygote + -webview_zygote + -zygote + userdebug_or_eng(`-mediaextractor') + userdebug_or_eng(`-mediaswcodec') +} { + file_type + -system_file_type + -system_lib_file + -system_linker_exec + -vendor_file_type + -exec_type + -postinstall_file +}:file execute; + +# Only init is allowed to write cgroup.rc file +neverallow { + domain + -init + -vendor_init +} cgroup_rc_file:file no_w_file_perms; + +# Only authorized processes should be writing to files in /data/dalvik-cache +neverallow { + domain + -init # TODO: limit init to relabelfrom for files + -zygote + -installd + -postinstall_dexopt + -cppreopts + -dex2oat + -otapreopt_slot +} dalvikcache_data_file:file no_w_file_perms; + +neverallow { + domain + -init + -installd + -postinstall_dexopt + -cppreopts + -dex2oat + -zygote + -otapreopt_slot +} dalvikcache_data_file:dir no_w_dir_perms; + +# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it +# contains boot class path and system server AOT artifacts following an ART APEX Mainline update. 
+neverallow { + domain + # art processes + -odrefresh + -odsign + # others + -apexd + -init + -vold_prepare_subdirs +} apex_art_data_file:file no_w_file_perms; + +neverallow { + domain + # art processes + -odrefresh + -odsign + # others + -apexd + -init + -vold_prepare_subdirs +} apex_art_data_file:dir no_w_dir_perms; + +# Protect most domains from executing arbitrary content from /data. +neverallow { + domain + -appdomain +} { + data_file_type + -apex_art_data_file + -dalvikcache_data_file + -system_data_file # shared libs in apks + -apk_data_file +}:file no_x_file_perms; + +# Minimize dac_override and dac_read_search. +# Instead of granting them it is usually better to add the domain to +# a Unix group or change the permissions of a file. +define(`dac_override_allowed', `{ + apexd + dnsmasq + dumpstate + init + installd + userdebug_or_eng(`llkd') + lmkd + migrate_legacy_obb_data + netd + postinstall_dexopt + recovery + rss_hwm_reset + sdcardd + tee + ueventd + uncrypt + vendor_init + vold + vold_prepare_subdirs + zygote +}') +neverallow ~dac_override_allowed self:global_capability_class_set dac_override; +# Since the kernel checks dac_read_search before dac_override, domains that +# have dac_override should also have dac_read_search to eliminate spurious +# denials. Some domains have dac_read_search without having dac_override, so +# this list should be a superset of the one above. +neverallow ~{ + dac_override_allowed + iorap_inode2filename + iorap_prefetcherd + traced_perf + traced_probes + heapprofd +} self:global_capability_class_set dac_read_search; + +# Limit what domains can mount filesystems or change their mount flags. +# sdcard_type / vfat is exempt as a larger set of domains need +# this capability, including device-specific domains. 
+neverallow { + domain + -apexd + recovery_only(`-fastbootd') + -init + -kernel + -otapreopt_chroot + -recovery + -update_engine + -vold + -zygote +} { fs_type + -sdcard_type +}:filesystem { mount remount relabelfrom relabelto }; + +enforce_debugfs_restriction(` + neverallow { + domain userdebug_or_eng(`-init') + } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto }; +') + +# Limit raw I/O to these allowlisted domains. Do not apply to debug builds. +neverallow { + domain + userdebug_or_eng(`-domain') + -kernel + -gsid + -init + -recovery + -ueventd + -healthd + -uncrypt + -tee + -hal_bootctl_server + -fastbootd +} self:global_capability_class_set sys_rawio; + +# Limit directory operations that doesn't need to do app data isolation. +neverallow { + domain + -init + -installd + -zygote +} mirror_data_file:dir *; + +# This property is being removed. Remove remaining access. +neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set; +neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read; + +# Only core domains are allowed to access package_manager properties +neverallow { domain -init -system_server } pm_prop:property_service set; +neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; + +# Do not allow reading the last boot timestamp from system properties +neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; + +# Kprobes should only be used by adb root +neverallow { domain -init -vendor_init } debugfs_kprobes:file *; + +# On TREBLE devices, most coredomains should not access vendor_files. +# TODO(b/71553434): Remove exceptions here. 
+full_treble_only(` + neverallow { + coredomain + -appdomain + -bootanim + -crash_dump + -heapprofd + userdebug_or_eng(`-profcollectd') + -init + -iorap_inode2filename + -iorap_prefetcherd + -kernel + -traced_perf + -ueventd + } vendor_file:file { no_w_file_perms no_x_file_perms open }; +') + +# Vendor domains are not permitted to initiate communications to core domain sockets +full_treble_only(` + neverallow_establish_socket_comms({ + domain + -coredomain + -appdomain + -socket_between_core_and_vendor_violators + }, { + coredomain + -logd # Logging by writing to logd Unix domain socket is public API + -netd # netdomain needs this + -mdnsd # netdomain needs this + userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds + -init + -tombstoned # linker to tombstoned + userdebug_or_eng(`-heapprofd') + userdebug_or_eng(`-traced_perf') + }); +') + +full_treble_only(` + # Do not allow system components access to /vendor files except for the + # ones allowed here. + neverallow { + coredomain + # TODO(b/37168747): clean up fwk access to /vendor + -crash_dump + -init # starts vendor executables + -iorap_inode2filename + -iorap_prefetcherd + -kernel # loads /vendor/firmware + -heapprofd + userdebug_or_eng(`-profcollectd') + -shell + -system_executes_vendor_violators + -traced_perf # library/binary access for symbolization + -ueventd # reads /vendor/ueventd.rc + -vold # loads incremental fs driver + } { + vendor_file_type + -same_process_hal_file + -vendor_app_file + -vendor_apex_file + -vendor_configs_file + -vendor_service_contexts_file + -vendor_framework_file + -vendor_idc_file + -vendor_keychars_file + -vendor_keylayout_file + -vendor_overlay_file + -vendor_public_framework_file + -vendor_public_lib_file + -vendor_task_profiles_file + -vndk_sp_file + }:file *; +') + +# mlsvendorcompat is only for compatibility support for older vendor +# images, and should not be granted to any domain in current policy. 
+# (Every domain is allowed self:fork, so this will trigger if the +# intsersection of domain & mlsvendorcompat is not empty.) +neverallow domain mlsvendorcompat:process fork; + +# Only init and otapreopt_chroot should be mounting filesystems on locations +# labeled system or vendor (/product and /vendor respectively). +neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton; + +# Only allow init and vendor_init to read/write mm_events properties +# NOTE: dumpstate is allowed to read any system property +neverallow { + domain + -init + -vendor_init + -dumpstate +} mm_events_config_prop:file no_rw_file_perms; + +# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize +# kernel traces. Addresses are not disclosed, they are repalced with symbol +# names (if available). Traces don't disclose KASLR. +neverallow { + domain + -init + userdebug_or_eng(`-profcollectd') + -vendor_init + -traced_probes + -traced_perf +} proc_kallsyms:file { open read }; + +# debugfs_kcov type is not included in this neverallow statement since the KCOV +# tool uses it for kernel fuzzing. +# vendor_modprobe is also exempted since the kernel modules it loads may create +# debugfs files in its context. +enforce_debugfs_restriction(` + neverallow { + domain + -vendor_modprobe + userdebug_or_eng(` + -init + -hal_dumpstate + ') + } { debugfs_type + userdebug_or_eng(`-debugfs_kcov') + -tracefs_type + }:file no_rw_file_perms; +') + + +###Mediaserverwrapper 64 Bit Property addition +get_prop(domain, vendor_medsrv_set_64b) + diff --git a/prebuilts/api/32.0/private/drmserver.te b/prebuilts/api/32.0/private/drmserver.te new file mode 100644 index 000000000..8449c3ec3 --- /dev/null +++ b/prebuilts/api/32.0/private/drmserver.te 
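Review bot: The trailing `###Mediaserverwrapper 64 Bit Property addition` block at the end of domain.te grants `get_prop(domain, vendor_medsrv_set_64b)` to every domain, including the app domains this file elsewhere carves out with `-appdomain`, which is broader than the file's own pattern for vendor properties (the `compatible_property_only` block above grants `vendor_default_prop` only to `{domain -coredomain -appdomain}`). This file sits under prebuilts/api/32.0, which serves as a frozen snapshot for policy compatibility checks, so a device-specific grant here appears to diverge from the platform snapshot; if the rule is needed, it seems better placed in the device policy directory next to the property's declaration, scoped to the domains that actually read the property. The declaration of `vendor_medsrv_set_64b` is not visible in this hunk; if it is a vendor property type, confirm the blanket grant does not collide with the core/vendor property separation the rest of this file maintains. The comment also reads oddly; a clearer form would be `# Mediaserverwrapper: allow reading the 64-bit selection property`.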
@@ -0,0 +1,9 @@
+typeattribute drmserver coredomain;
+
+init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
+
+get_prop(drmserver, drm_service_config_prop)
diff --git a/prebuilts/api/32.0/private/dumpstate.te b/prebuilts/api/32.0/private/dumpstate.te
new file mode 100644
index 000000000..4fad5852f
--- /dev/null
+++ b/prebuilts/api/32.0/private/dumpstate.te
@@ -0,0 +1,118 @@ +typeattribute dumpstate coredomain; +type dumpstate_tmpfs, file_type; + +init_daemon_domain(dumpstate) + +# Execute and transition to the vdc domain +domain_auto_trans(dumpstate, vdc_exec, vdc) + +# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables +allow dumpstate system_file:file lock; + +allow dumpstate storaged_exec:file rx_file_perms; + +# /data/misc/a11ytrace for accessibility traces +userdebug_or_eng(` + allow dumpstate accessibility_trace_data_file:dir r_dir_perms; + allow dumpstate accessibility_trace_data_file:file r_file_perms; +') + +# /data/misc/wmtrace for wm traces +userdebug_or_eng(` + allow dumpstate wm_trace_data_file:dir r_dir_perms; + allow dumpstate wm_trace_data_file:file r_file_perms; +') + +# Allow dumpstate to make binder calls to incidentd +binder_call(dumpstate, incidentd) + +# Allow dumpstate to make binder calls to storaged service +binder_call(dumpstate, storaged) + +# Allow dumpstate to make binder calls to statsd +binder_call(dumpstate, statsd) + +# Allow dumpstate to talk to gpuservice over binder +binder_call(dumpstate, gpuservice); + +# Allow dumpstate to talk to idmap over binder +binder_call(dumpstate, idmap); + +# Allow dumpstate to talk to profcollectd over binder +userdebug_or_eng(` + binder_call(dumpstate, profcollectd) +') + +# Collect metrics on boot time created by init +get_prop(dumpstate, boottime_prop) + +# Signal native processes to dump their stack. +allow dumpstate { + mediatranscoding + statsd + netd +}:process signal; + +userdebug_or_eng(` + allow dumpstate keystore:process signal; +') + +# For collecting bugreports. 
+no_debugfs_restriction(` + allow dumpstate debugfs_wakeup_sources:file r_file_perms; +') + +allow dumpstate dev_type:blk_file getattr; +allow dumpstate webview_zygote:process signal; +allow dumpstate sysfs_dmabuf_stats:file r_file_perms; +dontaudit dumpstate update_engine:binder call; + +# Read files in /proc +allow dumpstate { + proc_net_tcp_udp + proc_pid_max +}:file r_file_perms; + +# For comminucating with the system process to do confirmation ui. +binder_call(dumpstate, incidentcompanion_service) + +# Set properties. +# dumpstate_prop is used to share state with the Shell app. +set_prop(dumpstate, dumpstate_prop) +set_prop(dumpstate, exported_dumpstate_prop) + +# dumpstate_options_prop is used to pass extra command-line args. +set_prop(dumpstate, dumpstate_options_prop) + +# Allow dumpstate to kill vendor dumpstate service by init +set_prop(dumpstate, ctl_dumpstate_prop) + +# For dumping dynamic partition information. +set_prop(dumpstate, lpdumpd_prop) +binder_call(dumpstate, lpdumpd) + +# For dumping hypervisor information. +get_prop(dumpstate, hypervisor_prop) + +# For dumping device-mapper and snapshot information. +allow dumpstate gsid_exec:file rx_file_perms; +set_prop(dumpstate, ctl_gsid_prop) +binder_call(dumpstate, gsid) + +r_dir_file(dumpstate, ota_metadata_file) + +# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace +# is being recorded, the command above will serialize it into +# /data/misc/perfetto-traces/bugreport/*.pftrace . +domain_auto_trans(dumpstate, perfetto_exec, perfetto) +allow dumpstate perfetto:process signal; +allow dumpstate perfetto_traces_data_file:dir { search }; +allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms; +allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink }; + +# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null +# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport +# zip file. 
These rules are to allow perfetto.te to inherit dumpstate's
+# /dev/null.
+allow perfetto dumpstate_tmpfs:file rw_file_perms;
+allow perfetto dumpstate:fd use;
diff --git a/prebuilts/api/32.0/private/ephemeral_app.te b/prebuilts/api/32.0/private/ephemeral_app.te
new file mode 100644
index 000000000..e00489179
--- /dev/null
+++ b/prebuilts/api/32.0/private/ephemeral_app.te
@@ -0,0 +1,95 @@ +### +### Ephemeral apps. +### +### This file defines the security policy for apps with the ephemeral +### feature. +### +### The ephemeral_app domain is a reduced permissions sandbox allowing +### ephemeral applications to be safely installed and run. Non ephemeral +### applications may also opt-in to ephemeral to take advantage of the +### additional security features. +### +### PackageManager flags an app as ephemeral at install time. + +typeattribute ephemeral_app coredomain; + +net_domain(ephemeral_app) +app_domain(ephemeral_app) + +# Allow ephemeral apps to read/write files in visible storage if provided fds +allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; + +# Some apps ship with shared libraries and binaries that they write out +# to their sandbox directory and then execute. +allow ephemeral_app privapp_data_file:file { r_file_perms execute }; +allow ephemeral_app app_data_file:file { r_file_perms execute }; + +# Follow priv-app symlinks. This is used for dynamite functionality. +allow ephemeral_app privapp_data_file:lnk_file r_file_perms; + +# Allow the renderscript compiler to be run. +domain_auto_trans(ephemeral_app, rs_exec, rs) + +# Allow loading and deleting shared libraries created by trusted system +# components within an application home directory. 
+allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink }; + +# services +allow ephemeral_app audioserver_service:service_manager find; +allow ephemeral_app cameraserver_service:service_manager find; +allow ephemeral_app mediaserver_service:service_manager find; +allow ephemeral_app mediaextractor_service:service_manager find; +allow ephemeral_app mediametrics_service:service_manager find; +allow ephemeral_app mediadrmserver_service:service_manager find; +allow ephemeral_app drmserver_service:service_manager find; +allow ephemeral_app radio_service:service_manager find; +allow ephemeral_app ephemeral_app_api_service:service_manager find; + +# Write app-specific trace data to the Perfetto traced damon. This requires +# connecting to its producer socket and obtaining a (per-process) tmpfs fd. +perfetto_producer(ephemeral_app) + +# Allow profiling if the app opts in by being marked profileable/debuggable. +can_profile_heap(ephemeral_app) +can_profile_perf(ephemeral_app) + +# allow ephemeral apps to use UDP sockets provided by the system server but not +# modify them other than to connect +allow ephemeral_app system_server:udp_socket { + connect getattr read recvfrom sendto write getopt setopt }; + +allow ephemeral_app ashmem_device:chr_file rw_file_perms; + +### +### neverallow rules +### + +neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans; + +# Receive or send uevent messages. +neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; + +# Receive or send generic netlink messages +neverallow ephemeral_app domain:netlink_socket *; + +# Too much leaky information in debugfs. It's a security +# best practice to ensure these files aren't readable. 
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/32.0/private/fastbootd.te b/prebuilts/api/32.0/private/fastbootd.te
new file mode 100644
index 000000000..40b3945b5
--- /dev/null
+++ b/prebuilts/api/32.0/private/fastbootd.te
@@ -0,0 +1,47 @@ +typeattribute fastbootd coredomain; + +# The allow rules are only included in the recovery policy. +# Otherwise fastbootd is only allowed the domain rules. +recovery_only(` + # Reboot the device + set_prop(fastbootd, powerctl_prop) + + # Read serial number of the device from system properties + get_prop(fastbootd, serialno_prop) + + # Set sys.usb.ffs.ready. + get_prop(fastbootd, ffs_config_prop) + set_prop(fastbootd, ffs_control_prop) + + userdebug_or_eng(` + get_prop(fastbootd, persistent_properties_ready_prop) + ') + + set_prop(fastbootd, gsid_prop) + + # Determine allocation scheme (whether B partitions needs to be + # at the second half of super. + get_prop(fastbootd, virtual_ab_prop) + + # Needed for TCP protocol + allow fastbootd node:tcp_socket node_bind; + allow fastbootd port:tcp_socket name_bind; + allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept }; + + # Start snapuserd for merging VABC updates + set_prop(fastbootd, ctl_snapuserd_prop) + + # Needed to communicate with snapuserd to complete merges. + allow fastbootd snapuserd_socket:sock_file write; + allow fastbootd snapuserd:unix_stream_socket connectto; + allow fastbootd dm_user_device:dir r_dir_perms; + + # Get fastbootd protocol property + get_prop(fastbootd, fastbootd_protocol_prop) + + # Mount /metadata to interact with Virtual A/B snapshots. + allow fastbootd labeledfs:filesystem { mount unmount }; + + # Needed for reading boot properties. + allow fastbootd proc_bootconfig:file r_file_perms; +') diff --git a/prebuilts/api/32.0/private/file.te b/prebuilts/api/32.0/private/file.te new file mode 100644 index 000000000..a024600fb --- /dev/null +++ b/prebuilts/api/32.0/private/file.te 
@@ -0,0 +1,64 @@ +# /proc/config.gz +type config_gz, fs_type, proc_type; + +# /data/misc/storaged +type storaged_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/wmtrace for wm traces +type wm_trace_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/a11ytrace for accessibility traces +type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/perfetto-traces for perfetto traces +type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports. +type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/perfetto-configs for perfetto configs +type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type; + +# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds. +type debugfs_kcov, fs_type, debugfs_type; + +# App executable files in /data/data directories +type app_exec_data_file, file_type, data_file_type, core_data_file_type; +typealias app_exec_data_file alias rs_data_file; + +# /data/misc_[ce|de]/rollback : Used by installd to store snapshots +# of application data. 
+type rollback_data_file, file_type, data_file_type, core_data_file_type; + +# /data/gsi/ota +type ota_image_data_file, file_type, data_file_type, core_data_file_type; + +# /data/gsi_persistent_data +type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/emergencynumberdb +type emergency_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/profcollectd +type profcollectd_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/apexdata/com.android.art +type apex_art_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/apexdata/com.android.art/staging +type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type; + +# /data/font/files +type font_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/odrefresh +type odrefresh_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/odsign +type odsign_data_file, file_type, data_file_type, core_data_file_type; + +# /data/system/environ +type environ_system_data_file, file_type, data_file_type, core_data_file_type; + +# /dev/kvm +type kvm_device, dev_type; diff --git a/prebuilts/api/32.0/private/file_contexts b/prebuilts/api/32.0/private/file_contexts new file mode 100644 index 000000000..d61bf0f44 --- /dev/null +++ b/prebuilts/api/32.0/private/file_contexts 
@@ -0,0 +1,816 @@ +########################################### +# Root +/ u:object_r:rootfs:s0 + +# Data files +/adb_keys u:object_r:adb_keys_file:s0 +/build\.prop u:object_r:rootfs:s0 +/default\.prop u:object_r:rootfs:s0 +/fstab\..* u:object_r:rootfs:s0 +/init\..* u:object_r:rootfs:s0 +/res(/.*)? u:object_r:rootfs:s0 +/selinux_version u:object_r:rootfs:s0 +/ueventd\..* u:object_r:rootfs:s0 +/verity_key u:object_r:rootfs:s0 + +# Executables +/init u:object_r:init_exec:s0 +/sbin(/.*)? u:object_r:rootfs:s0 + +# For kernel modules +/lib(/.*)? u:object_r:rootfs:s0 + +# Empty directories +/lost\+found u:object_r:rootfs:s0 +/acct u:object_r:cgroup:s0 +/config u:object_r:rootfs:s0 +/data_mirror u:object_r:mirror_data_file:s0 +/debug_ramdisk u:object_r:tmpfs:s0 +/mnt u:object_r:tmpfs:s0 +/proc u:object_r:rootfs:s0 +/second_stage_resources u:object_r:tmpfs:s0 +/sys u:object_r:sysfs:s0 +/apex u:object_r:apex_mnt_dir:s0 + +# Postinstall directories +/postinstall u:object_r:postinstall_mnt_dir:s0 +/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0 + +/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0 + +# Symlinks +/bin u:object_r:rootfs:s0 +/bugreports u:object_r:rootfs:s0 +/charger u:object_r:rootfs:s0 +/d u:object_r:rootfs:s0 +/etc u:object_r:rootfs:s0 +/sdcard u:object_r:rootfs:s0 + +# SELinux policy files +/vendor_file_contexts u:object_r:file_contexts_file:s0 +/nonplat_file_contexts u:object_r:file_contexts_file:s0 +/plat_file_contexts u:object_r:file_contexts_file:s0 +/product_file_contexts u:object_r:file_contexts_file:s0 +/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0 +/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0 +/plat_sepolicy\.cil u:object_r:sepolicy_file:s0 +/plat_property_contexts u:object_r:property_contexts_file:s0 +/product_property_contexts u:object_r:property_contexts_file:s0 +/nonplat_property_contexts u:object_r:property_contexts_file:s0 +/vendor_property_contexts u:object_r:property_contexts_file:s0 
+/seapp_contexts u:object_r:seapp_contexts_file:s0 +/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0 +/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0 +/plat_seapp_contexts u:object_r:seapp_contexts_file:s0 +/sepolicy u:object_r:sepolicy_file:s0 +/plat_service_contexts u:object_r:service_contexts_file:s0 +/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0 +/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0 +# Use nonplat_service_contexts_file to allow servicemanager to read it +# on non full-treble devices. +/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0 +/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/vndservice_contexts u:object_r:vndservice_contexts_file:s0 + +########################## +# Devices +# +/dev(/.*)? u:object_r:device:s0 +/dev/adf[0-9]* u:object_r:graphics_device:s0 +/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0 +/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0 +/dev/ashmem u:object_r:ashmem_device:s0 +/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0 +/dev/audio.* u:object_r:audio_device:s0 +/dev/binder u:object_r:binder_device:s0 +/dev/block(/.*)? u:object_r:block_device:s0 +/dev/block/dm-[0-9]+ u:object_r:dm_device:s0 +/dev/block/loop[0-9]* u:object_r:loop_device:s0 +/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0 +/dev/block/vold/.+ u:object_r:vold_device:s0 +/dev/block/ram[0-9]* u:object_r:ram_device:s0 +/dev/block/zram[0-9]* u:object_r:ram_device:s0 +/dev/boringssl/selftest(/.*)? u:object_r:boringssl_self_test_marker:s0 +/dev/bus/usb(.*)? u:object_r:usb_device:s0 +/dev/console u:object_r:console_device:s0 +/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0 +/dev/dma_heap(/.*)? 
u:object_r:dmabuf_heap_device:s0 +/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0 +/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0 +/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0 +/dev/dm-user(/.*)? u:object_r:dm_user_device:s0 +/dev/device-mapper u:object_r:dm_device:s0 +/dev/eac u:object_r:audio_device:s0 +/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0 +/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0 +/dev/fscklogs(/.*)? u:object_r:fscklogs:s0 +/dev/fuse u:object_r:fuse_device:s0 +/dev/gnss[0-9]+ u:object_r:gnss_device:s0 +/dev/graphics(/.*)? u:object_r:graphics_device:s0 +/dev/hw_random u:object_r:hw_random_device:s0 +/dev/hwbinder u:object_r:hwbinder_device:s0 +/dev/input(/.*)? u:object_r:input_device:s0 +/dev/iio:device[0-9]+ u:object_r:iio_device:s0 +/dev/ion u:object_r:ion_device:s0 +/dev/keychord u:object_r:keychord_device:s0 +/dev/loop-control u:object_r:loop_control_device:s0 +/dev/modem.* u:object_r:radio_device:s0 +/dev/mtp_usb u:object_r:mtp_device:s0 +/dev/pmsg0 u:object_r:pmsg_device:s0 +/dev/pn544 u:object_r:nfc_device:s0 +/dev/port u:object_r:port_device:s0 +/dev/ppp u:object_r:ppp_device:s0 +/dev/ptmx u:object_r:ptmx_device:s0 +/dev/pvrsrvkm u:object_r:gpu_device:s0 +/dev/kmsg u:object_r:kmsg_device:s0 +/dev/kmsg_debug u:object_r:kmsg_debug_device:s0 +/dev/kvm u:object_r:kvm_device:s0 +/dev/null u:object_r:null_device:s0 +/dev/nvhdcp1 u:object_r:video_device:s0 +/dev/random u:object_r:random_device:s0 +/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0 +/dev/rproc_user u:object_r:rpmsg_device:s0 +/dev/rtc[0-9] u:object_r:rtc_device:s0 +/dev/snd(/.*)? u:object_r:audio_device:s0 +/dev/socket(/.*)? 
u:object_r:socket_device:s0 +/dev/socket/adbd u:object_r:adbd_socket:s0 +/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0 +/dev/socket/dumpstate u:object_r:dumpstate_socket:s0 +/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0 +/dev/socket/lmkd u:object_r:lmkd_socket:s0 +/dev/socket/logd u:object_r:logd_socket:s0 +/dev/socket/logdr u:object_r:logdr_socket:s0 +/dev/socket/logdw u:object_r:logdw_socket:s0 +/dev/socket/statsdw u:object_r:statsdw_socket:s0 +/dev/socket/mdns u:object_r:mdns_socket:s0 +/dev/socket/mdnsd u:object_r:mdnsd_socket:s0 +/dev/socket/mtpd u:object_r:mtpd_socket:s0 +/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0 +/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0 +/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0 +/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0 +/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0 +/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0 +/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0 +/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0 +/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0 +/dev/socket/property_service u:object_r:property_socket:s0 +/dev/socket/racoon u:object_r:racoon_socket:s0 +/dev/socket/recovery u:object_r:recovery_socket:s0 +/dev/socket/rild u:object_r:rild_socket:s0 +/dev/socket/rild-debug u:object_r:rild_debug_socket:s0 +/dev/socket/snapuserd u:object_r:snapuserd_socket:s0 +/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0 +/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0 +/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0 +/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0 +/dev/socket/traced_perf 
u:object_r:traced_perf_socket:s0 +/dev/socket/traced_producer u:object_r:traced_producer_socket:s0 +/dev/socket/heapprofd u:object_r:heapprofd_socket:s0 +/dev/socket/uncrypt u:object_r:uncrypt_socket:s0 +/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0 +/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0 +/dev/socket/zygote u:object_r:zygote_socket:s0 +/dev/socket/zygote_secondary u:object_r:zygote_socket:s0 +/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0 +/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0 +/dev/spdif_out.* u:object_r:audio_device:s0 +/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0 +/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0 +/dev/tty u:object_r:owntty_device:s0 +/dev/tty[0-9]* u:object_r:tty_device:s0 +/dev/ttyS[0-9]* u:object_r:serial_device:s0 +/dev/ttyUSB[0-9]* u:object_r:usb_serial_device:s0 +/dev/ttyACM[0-9]* u:object_r:usb_serial_device:s0 +/dev/tun u:object_r:tun_device:s0 +/dev/uhid u:object_r:uhid_device:s0 +/dev/uinput u:object_r:uhid_device:s0 +/dev/uio[0-9]* u:object_r:uio_device:s0 +/dev/urandom u:object_r:random_device:s0 +/dev/usb_accessory u:object_r:usbaccessory_device:s0 +/dev/v4l-touch[0-9]* u:object_r:input_device:s0 +/dev/vhost-vsock u:object_r:kvm_device:s0 +/dev/video[0-9]* u:object_r:video_device:s0 +/dev/vndbinder u:object_r:vndbinder_device:s0 +/dev/watchdog u:object_r:watchdog_device:s0 +/dev/xt_qtaguid u:object_r:qtaguid_device:s0 +/dev/zero u:object_r:zero_device:s0 +/dev/__properties__ u:object_r:properties_device:s0 +/dev/__properties__/property_info u:object_r:property_info:s0 +############################# +# Linker configuration +# +/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0 +############################# +# System files +# +/system(/.*)? u:object_r:system_file:s0 +/system/apex/com.android.art u:object_r:art_apex_dir:s0 +/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0 +/system/lib(64)?/bootstrap(/.*)? 
u:object_r:system_bootstrap_lib_file:s0 +/system/bin/mm_events u:object_r:mm_events_exec:s0 +/system/bin/atrace u:object_r:atrace_exec:s0 +/system/bin/auditctl u:object_r:auditctl_exec:s0 +/system/bin/bcc u:object_r:rs_exec:s0 +/system/bin/blank_screen u:object_r:blank_screen_exec:s0 +/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0 +/system/bin/charger u:object_r:charger_exec:s0 +/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0 +/system/bin/e2fsdroid u:object_r:e2fs_exec:s0 +/system/bin/mke2fs u:object_r:e2fs_exec:s0 +/system/bin/e2fsck -- u:object_r:fsck_exec:s0 +/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0 +/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0 +/system/bin/init u:object_r:init_exec:s0 +# TODO(/123600489): merge mini-keyctl into toybox +/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0 +/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0 +/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0 +/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0 +/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0 +/system/bin/newfs_msdos u:object_r:fsck_exec:s0 +/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0 +/system/bin/tune2fs -- u:object_r:fsck_exec:s0 +/system/bin/resize2fs -- u:object_r:fsck_exec:s0 +/system/bin/toolbox -- u:object_r:toolbox_exec:s0 +/system/bin/toybox -- u:object_r:toolbox_exec:s0 +/system/bin/ld\.mc u:object_r:rs_exec:s0 +/system/bin/logcat -- u:object_r:logcat_exec:s0 +/system/bin/logcatd -- u:object_r:logcat_exec:s0 +/system/bin/sh -- u:object_r:shell_exec:s0 +/system/bin/run-as -- u:object_r:runas_exec:s0 +/system/bin/bootanimation u:object_r:bootanim_exec:s0 +/system/bin/bootstat u:object_r:bootstat_exec:s0 +/system/bin/app_process32 u:object_r:zygote_exec:s0 +/system/bin/app_process64 u:object_r:zygote_exec:s0 +/system/bin/servicemanager u:object_r:servicemanager_exec:s0 +/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0 +/system/bin/surfaceflinger 
u:object_r:surfaceflinger_exec:s0 +/system/bin/gpuservice u:object_r:gpuservice_exec:s0 +/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0 +/system/bin/performanced u:object_r:performanced_exec:s0 +/system/bin/drmserver u:object_r:drmserver_exec:s0 +/system/bin/dumpstate u:object_r:dumpstate_exec:s0 +/system/bin/incident u:object_r:incident_exec:s0 +/system/bin/incidentd u:object_r:incidentd_exec:s0 +/system/bin/incident_helper u:object_r:incident_helper_exec:s0 +/system/bin/iw u:object_r:iw_exec:s0 +/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0 +/system/bin/vold u:object_r:vold_exec:s0 +/system/bin/netd u:object_r:netd_exec:s0 +/system/bin/wificond u:object_r:wificond_exec:s0 +/system/bin/audioserver u:object_r:audioserver_exec:s0 +/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0 +/system/bin/mediaserver u:object_r:mediaserver_exec:s0 +/system/bin/mediaserverwrapper u:object_r:mediaserverwrapper_exec:s0 +/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0 +/system/bin/mediametrics u:object_r:mediametrics_exec:s0 +/system/bin/cameraserver u:object_r:cameraserver_exec:s0 +/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0 +/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0 +/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0 +/system/bin/mediatuner u:object_r:mediatuner_exec:s0 +/system/bin/mdnsd u:object_r:mdnsd_exec:s0 +/system/bin/installd u:object_r:installd_exec:s0 +/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0 +/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0 +/system/bin/credstore u:object_r:credstore_exec:s0 +/system/bin/keystore u:object_r:keystore_exec:s0 +/system/bin/keystore2 u:object_r:keystore_exec:s0 +/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0 +/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0 +/system/bin/tombstoned u:object_r:tombstoned_exec:s0 +/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0 
+/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0 +/system/bin/sdcard u:object_r:sdcardd_exec:s0 +/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0 +/system/bin/dhcpcd u:object_r:dhcp_exec:s0 +/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0 +/system/bin/mtpd u:object_r:mtp_exec:s0 +/system/bin/pppd u:object_r:ppp_exec:s0 +/system/bin/racoon u:object_r:racoon_exec:s0 +/system/xbin/su u:object_r:su_exec:s0 +/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0 +/system/bin/healthd u:object_r:healthd_exec:s0 +/system/bin/clatd u:object_r:clatd_exec:s0 +/system/bin/linker(64)? u:object_r:system_linker_exec:s0 +/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0 +/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0 +/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0 +/system/bin/llkd u:object_r:llkd_exec:s0 +/system/bin/lmkd u:object_r:lmkd_exec:s0 +/system/bin/usbd u:object_r:usbd_exec:s0 +/system/bin/inputflinger u:object_r:inputflinger_exec:s0 +/system/bin/logd u:object_r:logd_exec:s0 +/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0 +/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0 +/system/bin/perfetto u:object_r:perfetto_exec:s0 +/system/bin/traced u:object_r:traced_exec:s0 +/system/bin/traced_perf u:object_r:traced_perf_exec:s0 +/system/bin/traced_probes u:object_r:traced_probes_exec:s0 +/system/bin/heapprofd u:object_r:heapprofd_exec:s0 +/system/bin/uncrypt u:object_r:uncrypt_exec:s0 +/system/bin/update_verifier u:object_r:update_verifier_exec:s0 +/system/bin/logwrapper u:object_r:system_file:s0 +/system/bin/vdc u:object_r:vdc_exec:s0 +/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0 +/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0 +/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0 +/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0 +/system/bin/iorapd u:object_r:iorapd_exec:s0 +/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0 
+/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0 +/system/bin/sgdisk u:object_r:sgdisk_exec:s0 +/system/bin/blkid u:object_r:blkid_exec:s0 +/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0 +/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0 +/system/bin/idmap u:object_r:idmap_exec:s0 +/system/bin/idmap2(d)? u:object_r:idmap_exec:s0 +/system/bin/update_engine u:object_r:update_engine_exec:s0 +/system/bin/profcollectd u:object_r:profcollectd_exec:s0 +/system/bin/profcollectctl u:object_r:profcollectd_exec:s0 +/system/bin/storaged u:object_r:storaged_exec:s0 +/system/bin/wpantund u:object_r:wpantund_exec:s0 +/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0 +/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0 +/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0 +/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0 +/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0 +/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0 +/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0 +/system/etc/group u:object_r:system_group_file:s0 +/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0 +/system/etc/passwd u:object_r:system_passwd_file:s0 +/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0 +/system/etc/security/cacerts(/.*)? 
u:object_r:system_security_cacerts_file:s0 +/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0 +/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0 +/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0 +/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0 +/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0 +/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0 +/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0 +/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0 +/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0 +/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0 +/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0 +/system/usr/share/zoneinfo(/.*)? 
u:object_r:system_zoneinfo_file:s0 +/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0 +/system/bin/adbd u:object_r:adbd_exec:s0 +/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0 +/system/bin/stats u:object_r:stats_exec:s0 +/system/bin/statsd u:object_r:statsd_exec:s0 +/system/bin/bpfloader u:object_r:bpfloader_exec:s0 +/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0 +/system/bin/watchdogd u:object_r:watchdogd_exec:s0 +/system/bin/apexd u:object_r:apexd_exec:s0 +/system/bin/gsid u:object_r:gsid_exec:s0 +/system/bin/simpleperf u:object_r:simpleperf_exec:s0 +/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0 +/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0 +/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0 +/system/bin/snapuserd u:object_r:snapuserd_exec:s0 +/system/bin/odsign u:object_r:odsign_exec:s0 +/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0 + +############################# +# Vendor files +# +/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0 +/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0 +/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0 +/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0 +/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0 +/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0 +/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0 + +/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0 + +/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0 + +/(vendor|system/vendor)/manifest\.xml u:object_r:vendor_configs_file:s0 +/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0 +/(vendor|system/vendor)/etc/vintf(/.*)? 
u:object_r:vendor_configs_file:s0 +/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0 +/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0 +/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0 +/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0 + +/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0 +/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0 +/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0 + +# HAL location +/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0 + +/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0 + +/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0 + +############################# +# OEM and ODM files +# +/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0 +/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0 +/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0 +/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0 +/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0 +/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0 +/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0 +/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0 +/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0 +/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0 + +# Input configuration +/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0 +/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0 +/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0 + +/oem(/.*)? u:object_r:oemfs:s0 +/oem/overlay(/.*)? 
u:object_r:vendor_overlay_file:s0 + +# The precompiled monolithic sepolicy will be under /odm only when +# BOARD_USES_ODMIMAGE is true: a separate odm.img is built. +/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0 +/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0 + +/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0 + +############################# +# Product files +# +/(product|system/product)(/.*)? u:object_r:system_file:s0 +/(product|system/product)/etc/group u:object_r:system_group_file:s0 +/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0 +/(product|system/product)/overlay(/.*)? 
u:object_r:vendor_overlay_file:s0 + +/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0 +/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0 +/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0 +/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0 +/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0 +/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0 + +/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0 + +############################# +# SystemExt files +# +/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0 +/(system_ext|system/system_ext)/etc/group u:object_r:system_group_file:s0 +/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0 +/(system_ext|system/system_ext)/overlay(/.*)? 
u:object_r:vendor_overlay_file:s0 + +/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0 +/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0 +/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0 +/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0 +/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0 +/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0 +/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0 + +/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0 +/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0 + +/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0 + +############################# +# VendorDlkm files +# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files. +# +/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0 + +############################# +# OdmDlkm files +# This includes ODM Dynamically Loadable Kernel Modules and other misc files. +# +/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0 + +############################# +# Vendor files from /(product|system/product)/vendor_overlay +# +# NOTE: For additional vendor file contexts for vendor overlay files, +# use device specific file_contexts. 
+# +/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0 + +############################# +# Data files +# +# NOTE: When modifying existing label rules, changes may also need to +# propagate to the "Expanded data files" section. +# +/data u:object_r:system_data_root_file:s0 +/data/(.*)? u:object_r:system_data_file:s0 +/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0 +/data/system/packages\.list u:object_r:packages_list_file:s0 +/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0 +/data/backup(/.*)? u:object_r:backup_data_file:s0 +/data/secure/backup(/.*)? u:object_r:backup_data_file:s0 +/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0 +/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0 +/data/drm(/.*)? u:object_r:drm_data_file:s0 +/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0 +/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 +/data/ota(/.*)? u:object_r:ota_data_file:s0 +/data/ota_package(/.*)? u:object_r:ota_package_file:s0 +/data/adb(/.*)? u:object_r:adb_data_file:s0 +/data/anr(/.*)? u:object_r:anr_data_file:s0 +/data/apex(/.*)? u:object_r:apex_data_file:s0 +/data/apex/active/(.*)? u:object_r:staging_data_file:s0 +/data/apex/backup/(.*)? u:object_r:staging_data_file:s0 +/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0 +/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0 +/data/app(/.*)? u:object_r:apk_data_file:s0 +# Traditional /data/app/[packageName]-[randomString]/base.apk location +/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +# /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout +/data/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0 +/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/data/app-private(/.*)? u:object_r:apk_private_data_file:s0 +/data/app-private/vmdl.*\.tmp(/.*)? 
u:object_r:apk_private_tmp_file:s0 +/data/gsi(/.*)? u:object_r:gsi_data_file:s0 +/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0 +/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0 +/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0 +/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0 +/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0 +/data/local/tmp(/.*)? u:object_r:shell_data_file:s0 +/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0 +/data/local/traces(/.*)? u:object_r:trace_data_file:s0 +/data/media(/.*)? u:object_r:media_rw_data_file:s0 +/data/mediadrm(/.*)? u:object_r:media_data_file:s0 +/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0 +/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0 +# This directory was removed after Q Beta 2, but we need to preserve labels for upgrading devices. +/data/pkg_staging(/.*)? u:object_r:staging_data_file:s0 +/data/property(/.*)? u:object_r:property_data_file:s0 +/data/preloads(/.*)? u:object_r:preloads_data_file:s0 +/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0 +/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0 +/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0 +/data/app-staging(/.*)? u:object_r:staging_data_file:s0 +# Ensure we have the same labels as /data/app or /data/apex/active +# to avoid restorecon conflicts +/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0 +/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0 +/data/fonts/files(/.*)? u:object_r:font_data_file:s0 + +# Misc data +/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0 +/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0 +/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0 +/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0 +/data/misc/apexdata/com\.android\.permission(/.*)? 
u:object_r:apex_permission_data_file:s0 +/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0 +/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0 +/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0 +/data/misc/apns(/.*)? u:object_r:radio_data_file:s0 +/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0 +/data/misc/audio(/.*)? u:object_r:audio_data_file:s0 +/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0 +/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0 +/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0 +/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0 +/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0 +/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0 +/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0 +/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0 +/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0 +/data/misc/camera(/.*)? u:object_r:camera_data_file:s0 +/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0 +/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0 +/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0 +/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0 +/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0 +/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0 +/data/misc/installd(/.*)? u:object_r:install_data_file:s0 +/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0 +/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0 +/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0 +/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0 +/data/misc/media(/.*)? u:object_r:media_data_file:s0 +/data/misc/net(/.*)? u:object_r:net_data_file:s0 +/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0 +/data/misc/nfc/logs(/.*)? 
u:object_r:nfc_logs_data_file:s0 +/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0 +/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0 +/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0 +/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0 +/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0 +/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0 +/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0 +/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0 +/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0 +/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0 +/data/misc/sms(/.*)? u:object_r:radio_data_file:s0 +/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0 +/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0 +/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0 +/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0 +/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0 +/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0 +/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0 +/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0 +/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0 +/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0 +/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0 +/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0 +/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0 +/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0 +/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0 +/data/misc/vold(/.*)? u:object_r:vold_data_file:s0 +/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0 +/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0 +/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0 +/data/system/dropbox(/.*)? 
u:object_r:dropbox_data_file:s0 +/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0 +/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0 +/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0 +# TODO(calin) label profile reference differently so that only +# profman run as a special user can write to them +/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0 +/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0 +/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0 +/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0 +/data/vendor(/.*)? u:object_r:vendor_data_file:s0 +/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0 +/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0 + +# storaged proto files +/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0 +/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0 + +# Fingerprint data +/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0 + +# Fingerprint vendor data file +/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0 + +# Face vendor data file +/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0 +/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0 + +# Iris vendor data file +/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0 + +# Bootchart data +/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0 + +# App data snapshots (managed by installd). +/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0 +/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0 + +# Apex data directories +/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0 +/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0 +/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? 
u:object_r:apex_appsearch_data_file:s0 +/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0 +/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0 +/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0 +/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0 + +# Apex rollback directories +/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0 +/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0 + +# Incremental directories +/data/incremental(/.*)? u:object_r:apk_data_file:s0 +/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0 +/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0 +/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0 + +############################# +# Expanded data files +# +/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0 +/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0 +/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0 +/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout +/mnt/expand/[^/]+/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0 +/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0 +/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0 +/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0 + +# coredump directory for userdebug/eng devices +/cores(/.*)? 
u:object_r:coredump_file:s0 + +# Wallpaper files +/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0 +/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0 +/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0 +/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0 + +# Ringtone files +/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0 + +# ShortcutManager icons, e.g. +# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png +/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0 + +# User icon files +/data/system/users/[0-9]+/photo\.png u:object_r:icon_file:s0 + +# vold per-user data +/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 +/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 + +# iorapd per-user data +/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0 + +# Backup service persistent per-user bookkeeping +/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0 +# Backup service temporary per-user data for inter-change with apps +/data/system_ce/[0-9]+/backup_stage(/.*)? u:object_r:backup_data_file:s0 + +############################# +# efs files +# +/efs(/.*)? u:object_r:efs_file:s0 + +############################# +# Cache files +# +/cache(/.*)? u:object_r:cache_file:s0 +/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0 +# General backup/restore interchange with apps +/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0 +# LocalTransport (backup) uses this subtree +/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0 + +############################# +# Overlayfs support directories +# +/cache/overlay(/.*)? u:object_r:overlayfs_file:s0 +/mnt/scratch(/.*)? u:object_r:overlayfs_file:s0 + +/data/cache(/.*)? u:object_r:cache_file:s0 +/data/cache/recovery(/.*)? 
u:object_r:cache_recovery_file:s0 +# General backup/restore interchange with apps +/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0 +# LocalTransport (backup) uses this subtree +/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0 + +############################# +# Metadata files +# +/metadata(/.*)? u:object_r:metadata_file:s0 +/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0 +/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0 +/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0 +/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0 +/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0 +/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0 +/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0 +/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0 +/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0 +/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0 +/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0 +/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0 +/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0 +/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0 + +############################# +# asec containers +/mnt/asec(/.*)? u:object_r:asec_apk_file:s0 +/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0 +/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0 +/data/app-asec(/.*)? u:object_r:asec_image_file:s0 + +############################# +# external storage +/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0 +/mnt/user(/.*)? u:object_r:mnt_user_file:s0 +/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0 +/mnt/sdcard u:object_r:mnt_sdcard_file:s0 +/mnt/runtime(/.*)? u:object_r:storage_file:s0 +/storage(/.*)? u:object_r:storage_file:s0 + +############################# +# mount point for read-write vendor partitions +/mnt/vendor(/.*)? 
u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# /postinstall file contexts
+/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
diff --git a/prebuilts/api/32.0/private/file_contexts_asan b/prebuilts/api/32.0/private/file_contexts_asan
new file mode 100644
index 000000000..fd083c221
--- /dev/null
+++ b/prebuilts/api/32.0/private/file_contexts_asan
@@ -0,0 +1,16 @@
+/data/asan/system/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/vendor/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/system_ext/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/system_ext/lib64(/.*)? u:object_r:system_lib_file:s0
+/system/asan.options u:object_r:system_asan_options_file:s0
+/system/bin/asan_extract u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
diff --git a/prebuilts/api/32.0/private/file_contexts_overlayfs b/prebuilts/api/32.0/private/file_contexts_overlayfs
new file mode 100644
index 000000000..e472fade5
--- /dev/null
+++ b/prebuilts/api/32.0/private/file_contexts_overlayfs
@@ -0,0 +1,9 @@
+#############################
+# Overlayfs support directories for userdebug/eng devices
+#
+/cache/overlay/(system|product)/upper u:object_r:system_file:s0
+/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/cache/overlay/oem/upper u:object_r:vendor_file:s0
+/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
+/mnt/scratch/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/mnt/scratch/overlay/oem/upper u:object_r:vendor_file:s0
diff --git a/prebuilts/api/32.0/private/fingerprintd.te b/prebuilts/api/32.0/private/fingerprintd.te
new file mode 100644
index 000000000..eb73ef8cc
--- /dev/null
+++ b/prebuilts/api/32.0/private/fingerprintd.te
@@ -0,0 +1,3 @@
+typeattribute fingerprintd coredomain;
+
+init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/32.0/private/flags_health_check.te b/prebuilts/api/32.0/private/flags_health_check.te
new file mode 100644
index 000000000..6b15a3513
--- /dev/null
+++ b/prebuilts/api/32.0/private/flags_health_check.te
@@ -0,0 +1,33 @@
+typeattribute flags_health_check coredomain;
+
+init_daemon_domain(flags_health_check)
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_lmkd_native_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
+set_prop(flags_health_check, device_config_statsd_native_prop)
+set_prop(flags_health_check, device_config_statsd_native_boot_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_swcodec_native_prop)
+set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
+set_prop(flags_health_check, device_config_connectivity_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/prebuilts/api/32.0/private/fs_use b/prebuilts/api/32.0/private/fs_use
new file mode 100644
index 000000000..93d7f1b24
--- /dev/null
+++ b/prebuilts/api/32.0/private/fs_use
@@ -0,0 +1,27 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
+fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
+fs_use_xattr virtiofs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/prebuilts/api/32.0/private/fsck.te b/prebuilts/api/32.0/private/fsck.te
new file mode 100644
index 000000000..f8e09b645
--- /dev/null
+++ b/prebuilts/api/32.0/private/fsck.te
@@ -0,0 +1,5 @@
+typeattribute fsck coredomain;
+
+init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/prebuilts/api/32.0/private/fsck_untrusted.te b/prebuilts/api/32.0/private/fsck_untrusted.te
new file mode 100644
index 000000000..9a57bf027
--- /dev/null
+++ b/prebuilts/api/32.0/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/prebuilts/api/32.0/private/fsverity_init.te b/prebuilts/api/32.0/private/fsverity_init.te
new file mode 100644
index 000000000..42d142f02
--- /dev/null
+++ b/prebuilts/api/32.0/private/fsverity_init.te
@@ -0,0 +1,25 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit fsverity_init init:key view;
+dontaudit fsverity_init vold:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow fsverity_init proc_fs_verity:file w_file_perms;
+
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;
diff --git a/prebuilts/api/32.0/private/fwk_bufferhub.te b/prebuilts/api/32.0/private/fwk_bufferhub.te
new file mode 100644
index 000000000..6b69cca61
--- /dev/null
+++ b/prebuilts/api/32.0/private/fwk_bufferhub.te
@@ -0,0 +1,8 @@
+type fwk_bufferhub, domain, coredomain;
+type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
+allow fwk_bufferhub ion_device:chr_file r_file_perms;
+
+hal_server_domain(fwk_bufferhub, hal_bufferhub)
+init_daemon_domain(fwk_bufferhub)
diff --git a/prebuilts/api/32.0/private/gatekeeperd.te b/prebuilts/api/32.0/private/gatekeeperd.te
new file mode 100644
index 000000000..2fb88a3bb
--- /dev/null
+++ b/prebuilts/api/32.0/private/gatekeeperd.te
@@ -0,0 +1,6 @@
+typeattribute gatekeeperd coredomain;
+
+init_daemon_domain(gatekeeperd)
+
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
diff --git a/prebuilts/api/32.0/private/genfs_contexts b/prebuilts/api/32.0/private/genfs_contexts
new file mode 100644
index 000000000..13bfb46e1
--- /dev/null
+++ b/prebuilts/api/32.0/private/genfs_contexts
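Review bot: In fsverity_init.te the comment above the proc_fs_verity rule names the wrong domain: it reads "Allow init to write to /proc/sys/fs/verity/require_signatures", but the rule that follows grants the write to fsverity_init, not init (`allow fsverity_init proc_fs_verity:file w_file_perms;`). A reader auditing who may flip the fs-verity signature-enforcement knob would be misled, so the comment should read `# Allow fsverity_init to write to /proc/sys/fs/verity/require_signatures`. Since this file sits under prebuilts/api/32.0 and presumably mirrors the private policy that the snapshot is checked against, the wording fix belongs in the source policy with the prebuilt regenerated rather than edited here.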
@@ -0,0 +1,381 @@ +# Label inodes with the fs label. +genfscon rootfs / u:object_r:rootfs:s0 +# proc labeling can be further refined (longest matching prefix). +genfscon proc / u:object_r:proc:s0 +genfscon proc /asound u:object_r:proc_asound:s0 +genfscon proc /bootconfig u:object_r:proc_bootconfig:s0 +genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0 +genfscon proc /cmdline u:object_r:proc_cmdline:s0 +genfscon proc /config.gz u:object_r:config_gz:s0 +genfscon proc /diskstats u:object_r:proc_diskstats:s0 +genfscon proc /filesystems u:object_r:proc_filesystems:s0 +genfscon proc /interrupts u:object_r:proc_interrupts:s0 +genfscon proc /iomem u:object_r:proc_iomem:s0 +genfscon proc /kallsyms u:object_r:proc_kallsyms:s0 +genfscon proc /keys u:object_r:proc_keys:s0 +genfscon proc /kmsg u:object_r:proc_kmsg:s0 +genfscon proc /loadavg u:object_r:proc_loadavg:s0 +genfscon proc /locks u:object_r:proc_locks:s0 +genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0 +genfscon proc /meminfo u:object_r:proc_meminfo:s0 +genfscon proc /misc u:object_r:proc_misc:s0 +genfscon proc /modules u:object_r:proc_modules:s0 +genfscon proc /mounts u:object_r:proc_mounts:s0 +genfscon proc /net u:object_r:proc_net:s0 +genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0 +genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0 +genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0 +genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0 +genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 +genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0 +genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0 +genfscon proc /pressure/io u:object_r:proc_pressure_io:s0 +genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0 +genfscon proc /slabinfo u:object_r:proc_slabinfo:s0 +genfscon proc /softirqs u:object_r:proc_timer:s0 +genfscon proc /stat u:object_r:proc_stat:s0 +genfscon proc /swaps u:object_r:proc_swaps:s0 +genfscon proc /sysrq-trigger 
u:object_r:proc_sysrq:s0 +genfscon proc /kpageflags u:object_r:proc_kpageflags:s0 +genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 +genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 +genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 +genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 +genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 +genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0 +genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 +genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0 +genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0 +genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 +genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0 +genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0 +genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0 +genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0 +genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0 +genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0 +genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0 +genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 +genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0 +genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0 +genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0 +genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0 +genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 +genfscon proc /sys/kernel/random u:object_r:proc_random:s0 +genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 +genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_rt_period_us 
u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 +genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 +genfscon proc /sys/net u:object_r:proc_net:s0 +genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 +genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 +genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0 +genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0 +genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 +genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0 +genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0 +genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0 +genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0 +genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0 +genfscon proc /timer_list u:object_r:proc_timer:s0 +genfscon proc /timer_stats u:object_r:proc_timer:s0 +genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0 +genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0 +genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0 +genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0 +genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0 +genfscon proc /uid_procstat/set 
u:object_r:proc_uid_procstat_set:s0 +genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0 +genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0 +genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0 +genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0 +genfscon proc /uptime u:object_r:proc_uptime:s0 +genfscon proc /version u:object_r:proc_version:s0 +genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0 +genfscon proc /vmstat u:object_r:proc_vmstat:s0 +genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0 +genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 + +genfscon fusectl / u:object_r:fusectlfs:s0 + +# selinuxfs booleans can be individually labeled. +genfscon selinuxfs / u:object_r:selinuxfs:s0 +genfscon cgroup / u:object_r:cgroup:s0 +genfscon cgroup2 / u:object_r:cgroup_v2:s0 +# sysfs labels can be set by userspace. +genfscon sysfs / u:object_r:sysfs:s0 +genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0 +genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0 +genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /class/block u:object_r:sysfs_block:s0 +genfscon sysfs /class/leds u:object_r:sysfs_leds:s0 +genfscon sysfs /class/net u:object_r:sysfs_net:s0 +genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /class/switch u:object_r:sysfs_switch:s0 +genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0 
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0 +genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0 +genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0 +genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0 +genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0 +genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0 +genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0 +genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0 +genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0 +genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0 +genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0 +genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0 +genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0 +genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0 +genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0 +genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0 +genfscon sysfs /power/state u:object_r:sysfs_power:s0 +genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0 +genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0 +genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0 +genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0 +genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0 +genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0 +genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0 +genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0 +genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0 +genfscon sysfs /kernel/notes 
u:object_r:sysfs_kernel_notes:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
+
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+
+genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+
+genfscon securityfs / u:object_r:securityfs:s0
+
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/prebuilts/api/32.0/private/gki_apex_prepostinstall.te b/prebuilts/api/32.0/private/gki_apex_prepostinstall.te
new file mode 100644
index 000000000..115538930
--- /dev/null
+++ b/prebuilts/api/32.0/private/gki_apex_prepostinstall.te
@@ -0,0 +1,23 @@
+# GKI pre- & post-install hooks.
+#
+# Allow to run pre- and post-install hooks for GKI APEXes
+
+type gki_apex_prepostinstall, domain, coredomain;
+type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+# Execute /system/bin/sh.
+allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
+
+# Execute various toolsbox utilities.
+allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
+
+# Allow preinstall.sh to execute update_engine_stable_client binary.
+allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
+
+# Allow preinstall hook to communicate with update_engine to execute update.
+binder_use(gki_apex_prepostinstall)
+allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
+binder_call(gki_apex_prepostinstall, update_engine)
+
+# /dev/zero is inherited although it is not used. See b/126787589.
+allow gki_apex_prepostinstall apexd:fd use;
diff --git a/prebuilts/api/32.0/private/gmscore_app.te b/prebuilts/api/32.0/private/gmscore_app.te
new file mode 100644
index 000000000..571d155cd
--- /dev/null
+++ b/prebuilts/api/32.0/private/gmscore_app.te
@@ -0,0 +1,140 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+typeattribute gmscore_app coredomain;
+
+app_domain(gmscore_app)
+
+allow gmscore_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(gmscore_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(gmscore_app, sysfs_zram)
+
+r_dir_file(gmscore_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow gmscore_app config_gz:file { open read getattr };
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(gmscore_app, update_engine)
+allow gmscore_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(gmscore_app, storaged)
+allow gmscore_app storaged_service:service_manager find;
+
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow gmscore_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(gmscore_app, statsd)
+
+# Allow GMS core to generate unique hardware IDs
+allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow gmscore_app selinuxfs:file r_file_perms;
+
+# suppress denials for non-API accesses.
+dontaudit gmscore_app exec_type:file r_file_perms;
+dontaudit gmscore_app device:dir r_dir_perms;
+dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app net_dns_prop:file r_file_perms;
+dontaudit gmscore_app proc:file r_file_perms;
+dontaudit gmscore_app proc_interrupts:file r_file_perms;
+dontaudit gmscore_app proc_modules:file r_file_perms;
+dontaudit gmscore_app proc_net:file r_file_perms;
+dontaudit gmscore_app proc_stat:file r_file_perms;
+dontaudit gmscore_app proc_version:file r_file_perms;
+dontaudit gmscore_app sysfs:dir r_dir_perms;
+dontaudit gmscore_app sysfs:file r_file_perms;
+dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
+dontaudit gmscore_app sysfs_dm:file r_file_perms;
+dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
+dontaudit gmscore_app mirror_data_file:dir search;
+dontaudit gmscore_app mnt_vendor_file:dir search;
+
+# Access the network
+net_domain(gmscore_app)
+
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow gmscore_app self:process ptrace;
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow gmscore_app privapp_data_file:file execute;
+
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
+allow gmscore_app privapp_data_file:lnk_file create_file_perms;
+
+# /proc access
+allow gmscore_app proc_vmstat:file r_file_perms;
+
+# Allow interaction with gpuservice
+binder_call(gmscore_app, gpuservice)
+allow gmscore_app gpu_service:service_manager find;
+
+# find services that expose both @SystemAPI and normal APIs.
+allow gmscore_app app_api_service:service_manager find;
+allow gmscore_app system_api_service:service_manager find;
+allow gmscore_app audioserver_service:service_manager find;
+allow gmscore_app cameraserver_service:service_manager find;
+allow gmscore_app drmserver_service:service_manager find;
+allow gmscore_app mediadrmserver_service:service_manager find;
+allow gmscore_app mediaextractor_service:service_manager find;
+allow gmscore_app mediametrics_service:service_manager find;
+allow gmscore_app mediaserver_service:service_manager find;
+allow gmscore_app network_watchlist_service:service_manager find;
+allow gmscore_app nfc_service:service_manager find;
+allow gmscore_app oem_lock_service:service_manager find;
+allow gmscore_app persistent_data_block_service:service_manager find;
+allow gmscore_app radio_service:service_manager find;
+allow gmscore_app recovery_service:service_manager find;
+allow gmscore_app stats_service:service_manager find;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
+
+# Write to /cache.
+allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow gmscore_app cache_file:lnk_file r_file_perms;
+
+# Write to /data/ota_package for OTA packages.
+allow gmscore_app ota_package_file:dir rw_dir_perms;
+allow gmscore_app ota_package_file:file create_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
+
+# b/18504118: Allow reads from /data/anr/traces.txt
+allow gmscore_app anr_data_file:file r_file_perms;
+
+# b/148974132: com.android.vending needs this
+allow gmscore_app priv_app:tcp_socket { read write };
+
+# b/168059475 Allow GMSCore to read Virtual AB properties to determine
+# if device supports VAB.
+get_prop(gmscore_app, virtual_ab_prop)
+
+# b/186488185: Allow GMSCore to read dck properties
+get_prop(gmscore_app, dck_prop)
diff --git a/prebuilts/api/32.0/private/gpuservice.te b/prebuilts/api/32.0/private/gpuservice.te
new file mode 100644
index 000000000..2e4254ca4
--- /dev/null
+++ b/prebuilts/api/32.0/private/gpuservice.te
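Review bot: The two `shell_data_file` read rules and their "Used by Finsky / Android "Verify Apps"" comment appear twice in this hunk, once directly after the `stats_service` find rule and again after the `ota_package_file` block, so the second pair grants nothing new. I would drop the later `allow gmscore_app shell_data_file:file r_file_perms;` / `allow gmscore_app shell_data_file:dir r_dir_perms;` pair together with its comment. Since this file is a frozen prebuilt of the 32.0 policy, the deduplication presumably belongs in the policy it was snapshotted from, with the prebuilt regenerated afterwards, or the two copies will drift apart.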
@@ -0,0 +1,66 @@
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_call(gpuservice, system_server)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Needed for dumpsys pipes.
+allow gpuservice shell:fifo_file write;
+
+# Needed for perfetto producer.
+perfetto_producer(gpuservice)
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+# Needed for interactive shell
+allow gpuservice devpts:chr_file { read write getattr };
+
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+allow gpuservice statsmanager_service:service_manager find;
+# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
+binder_call(gpuservice, statsd);
+
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow gpuservice debugfs_tracing:file r_file_perms;
+allow gpuservice self:perf_event { cpu kernel open write };
+neverallow gpuservice self:perf_event ~{ cpu kernel open write };
+
+# Needed for interact with bpf fs.
+allow gpuservice fs_bpf:dir search;
+allow gpuservice fs_bpf:file read;
+
+# Needed for enable the bpf program and read the map.
+allow gpuservice bpfloader:bpf { map_read prog_run };
+
+# Needed for getting a prop to ensure bpf programs loaded.
+get_prop(gpuservice, bpf_progs_loaded_prop)
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
diff --git a/prebuilts/api/32.0/private/gsid.te b/prebuilts/api/32.0/private/gsid.te
new file mode 100644
index 000000000..8a13cb173
--- /dev/null
+++ b/prebuilts/api/32.0/private/gsid.te
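Review bot: The macro call `binder_call(gpuservice, statsd);` carries a trailing semicolon while every other macro invocation in this file (`binder_use(gpuservice)`, `perfetto_producer(gpuservice)`, `get_prop(gpuservice, bpf_progs_loaded_prop)`) does not; the same form appears as `set_prop(heapprofd, heapprofd_prop);` in the heapprofd.te hunk below. The macros presumably expand to already-terminated rules, so the extra `;` is at best an empty statement the compiler tolerates and at worst a source of confusion for the next reader; I would write `binder_call(gpuservice, statsd)`. As these are frozen prebuilts of the 32.0 policy, the cleanup belongs in the policy they were snapshotted from.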
@@ -0,0 +1,200 @@
+# gsid - Manager for GSI Installation
+
+type gsid, domain;
+type gsid_exec, exec_type, file_type, system_file_type;
+typeattribute gsid coredomain;
+
+init_daemon_domain(gsid)
+
+binder_use(gsid)
+binder_service(gsid)
+add_service(gsid, gsi_service)
+
+# Manage DSU metadata encryption key through vold.
+allow gsid vold_service:service_manager find;
+binder_call(gsid, vold)
+
+set_prop(gsid, gsid_prop)
+
+# Needed to create/delete device-mapper nodes, and read/write to them.
+allow gsid dm_device:chr_file rw_file_perms;
+allow gsid dm_device:blk_file rw_file_perms;
+allow gsid self:global_capability_class_set sys_admin;
+dontaudit gsid self:global_capability_class_set dac_override;
+
+# On FBE devices (not using dm-default-key), gsid will use loop devices to map
+# images rather than device-mapper.
+allow gsid loop_control_device:chr_file rw_file_perms;
+allow gsid loop_device:blk_file rw_file_perms;
+allowxperm gsid loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
+# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
+# file names.
+r_dir_file(gsid, sysfs_dm)
+
+# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
+# whether pin_file support is enabled.
+r_dir_file(gsid, sysfs_fs_f2fs)
+
+# Needed to read fstab, which is used to validate that system verity does not
+# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
+# to get the A/B slot suffix).
+allow gsid proc_cmdline:file r_file_perms;
+allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
+allow gsid sysfs_dt_firmware_android:file r_file_perms;
+
+# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
+allow gsid block_device:dir r_dir_perms;
+
+# liblp queries these block alignment properties.
+allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
+ BLKIOMIN
+ BLKALIGNOFF
+};
+
+# When installing images to an sdcard, gsid needs to be able to stat() the
+# block device. gsid also calls realpath() to remove symlinks.
+allow gsid mnt_media_rw_file:dir r_dir_perms;
+allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
+
+# When installing images to an sdcard, gsid must bypass sdcardfs and install
+# directly to vfat, which supports the FIBMAP ioctl.
+allow gsid vfat:dir create_dir_perms;
+allow gsid vfat:file create_file_perms;
+allow gsid sdcard_block_device:blk_file r_file_perms;
+# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
+# requirement, but the kernel does not implement FIEMAP support for VFAT.
+allow gsid self:global_capability_class_set sys_rawio;
+
+# Allow rules for gsi_tool.
+userdebug_or_eng(`
+ # gsi_tool passes the system image over the adb connection, via stdin.
+ allow gsid adbd:fd use;
+ # Needed when running gsi_tool through "su root" rather than adb root.
+ allow gsid adbd:unix_stream_socket rw_socket_perms;
+ # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
+ allow gsid { shell su }:fifo_file r_file_perms;
+ # Allow installing images from /storage/emulated/...
+ allow gsid sdcard_type:file r_file_perms;
+')
+
+neverallow {
+ domain
+ -gsid
+ -init
+ -update_engine_common
+ -recovery
+ -fastbootd
+} gsid_prop:property_service set;
+
+# gsid needs to store images on /data, but cannot use file I/O. If it did, the
+# underlying blocks would be encrypted, and we couldn't mount the GSI image in
+# first-stage init. So instead of directly writing to /data, we:
+#
+# 1. fallocate a file large enough to hold the signed GSI
+# 2. extract its block layout with FIEMAP
+# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
+# 4. write system_gsi into that dm device
+#
+# To make this process work, we need to unwrap the device-mapper stacking for
+# userdata to reach the underlying block device. To verify the result we use
+# stat(), which requires read access.
+allow gsid userdata_block_device:blk_file r_file_perms;
+
+# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
+# init. It cannot use userdata since data cannot be decrypted during this
+# stage.
+#
+# gsid uses /metadata/gsi to store three files:
+# install_status - A short string indicating whether a GSI image is bootable.
+# lp_metadata - LpMetadata blob describing the block ranges on userdata
+# where system_gsi resides.
+# booted - An empty file that, if exists, indicates that a GSI is
+# currently running.
+#
+allow gsid metadata_file:dir { search getattr };
+allow gsid {
+ gsi_metadata_file_type
+}:dir create_dir_perms;
+
+allow gsid {
+ ota_metadata_file
+}:dir rw_dir_perms;
+
+allow gsid {
+ gsi_metadata_file_type
+ ota_metadata_file
+}:file create_file_perms;
+
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file ioctl {
+ FS_IOC_FIEMAP
+ FS_IOC_GETFLAGS
+};
+
+allow gsid system_server:binder call;
+
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+} gsi_metadata_file_type:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow {
+ appdomain
+ -shell
+} gsi_metadata_file_type:dir_file_class_set *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+} gsi_data_file:dir_file_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/prebuilts/api/32.0/private/hal_allocator_default.te b/prebuilts/api/32.0/private/hal_allocator_default.te
new file mode 100644
index 000000000..7aa28aa29
--- /dev/null
+++ b/prebuilts/api/32.0/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain, coredomain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/32.0/private/hal_lazy_test.te b/prebuilts/api/32.0/private/hal_lazy_test.te
new file mode 100644
index 000000000..93cf2350b
--- /dev/null
+++ b/prebuilts/api/32.0/private/hal_lazy_test.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
+')
diff --git a/prebuilts/api/32.0/private/halclientdomain.te b/prebuilts/api/32.0/private/halclientdomain.te
new file mode 100644
index 000000000..9dcd3ee38
--- /dev/null
+++ b/prebuilts/api/32.0/private/halclientdomain.te
@@ -0,0 +1,13 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/32.0/private/halserverdomain.te b/prebuilts/api/32.0/private/halserverdomain.te
new file mode 100644
index 000000000..f36e0e7d8
--- /dev/null
+++ b/prebuilts/api/32.0/private/halserverdomain.te
@@ -0,0 +1,12 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/32.0/private/healthd.te b/prebuilts/api/32.0/private/healthd.te
new file mode 100644
index 000000000..93bc3d8fc
--- /dev/null
+++ b/prebuilts/api/32.0/private/healthd.te
@@ -0,0 +1,12 @@
+typeattribute healthd coredomain;
+
+init_daemon_domain(healthd)
+
+# Allow healthd to serve health HAL
+hal_server_domain(healthd, hal_health)
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported3_system_prop)
diff --git a/prebuilts/api/32.0/private/heapprofd.te b/prebuilts/api/32.0/private/heapprofd.te
new file mode 100644
index 000000000..246f936d4
--- /dev/null
+++ b/prebuilts/api/32.0/private/heapprofd.te
@@ -0,0 +1,77 @@
+# Android heap profiling daemon. go/heapprofd.
+#
+# On user builds, this daemon is responsible for receiving the initial
+# profiling configuration, finding matching target processes (if profiling by
+# process name), and sending the activation signal to them (+ setting system
+# properties for new processes to start profiling from startup). When profiling
+# is triggered in a process, it spawns a private heapprofd subprocess (in its
+# own SELinux domain), which will exclusively handle profiling of its parent.
+#
+# On debug builds, this central daemon performs profiling for all target
+# processes (which talk directly to this daemon).
+type heapprofd_exec, exec_type, file_type, system_file_type;
+type heapprofd_tmpfs, file_type;
+
+init_daemon_domain(heapprofd)
+tmpfs_domain(heapprofd)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# shared memory buffers created by heapprofd.
+typeattribute heapprofd_tmpfs mlstrustedobject;
+
+set_prop(heapprofd, heapprofd_prop);
+
+# Necessary for /proc/[pid]/cmdline access & sending signals.
+typeattribute heapprofd mlstrustedsubject;
+
+# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
+# SIGCHLD, which are controlled by separate permissions.
+allow heapprofd self:capability kill;
+
+# When scanning /proc/[pid]/cmdline to find matching processes for by-name
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
+# spamming logs with denials for entries that we can not access.
+dontaudit heapprofd domain:dir { search open };
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(heapprofd)
+
+# When handling profiling for all processes, heapprofd needs to read
+# executables/libraries/etc to do stack unwinding.
+r_dir_file(heapprofd, nativetest_data_file)
+r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apex_art_data_file)
+r_dir_file(heapprofd, apk_data_file)
+r_dir_file(heapprofd, dalvikcache_data_file)
+r_dir_file(heapprofd, vendor_file_type)
+r_dir_file(heapprofd, shell_test_data_file)
+# Some dex files are not world-readable.
+# We are still constrained by the SELinux rules above.
+allow heapprofd self:global_capability_class_set dac_read_search;
+
+# For checking profileability.
+allow heapprofd packages_list_file:file r_file_perms;
+
+# This is going to happen on user but is benign because central heapprofd
+# does not actually need these permission.
+# If the dac_read_search capability check is rejected, the kernel then tries
+# to perform a dac_override capability check, so we need to dontaudit that
+# as well.
+dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
+
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
+
+full_treble_only(`
+ neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+')
diff --git a/prebuilts/api/32.0/private/hidl_lazy_test_server.te b/prebuilts/api/32.0/private/hidl_lazy_test_server.te
new file mode 100644
index 000000000..04e8c9fbe
--- /dev/null
+++ b/prebuilts/api/32.0/private/hidl_lazy_test_server.te
@@ -0,0 +1,8 @@
+type hidl_lazy_test_server, domain;
+type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ typeattribute hidl_lazy_test_server coredomain;
+ init_daemon_domain(hidl_lazy_test_server)
+ hal_server_domain(hidl_lazy_test_server, hal_lazy_test)
+')
diff --git a/prebuilts/api/32.0/private/hwservice.te b/prebuilts/api/32.0/private/hwservice.te
new file mode 100644
index 000000000..b7ba4d7bf
--- /dev/null
+++ b/prebuilts/api/32.0/private/hwservice.te
@@ -0,0 +1 @@
+type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
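Review bot: The write/exec guard at the end of the heapprofd hunk, `neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };`, names the single type `vendor_file`, while the read grant above it uses the attribute `vendor_file_type`, so the other vendor types heapprofd is allowed to read are not covered by the guard. Since heapprofd only receives read access through `r_dir_file`, widening it to `neverallow heapprofd vendor_file_type:file { no_w_file_perms no_x_file_perms };` should not conflict with any rule visible here. This file is a prebuilt snapshot under prebuilts/api/32.0, so the change presumably belongs in the live private/heapprofd.te, with the prebuilt regenerated to match.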
diff --git a/prebuilts/api/32.0/private/hwservice_contexts b/prebuilts/api/32.0/private/hwservice_contexts
new file mode 100644
index 000000000..5b6e79dee
--- /dev/null
+++ b/prebuilts/api/32.0/private/hwservice_contexts
@@ -0,0 +1,85 @@
+android.frameworks.automotive.display::IAutomotiveDisplayProxyService u:object_r:fwk_automotive_display_hwservice:s0
+android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
+android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
+android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
+android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
+android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.can::ICanController u:object_r:hal_can_controller_hwservice:s0
+android.hardware.automotive.can::ICanBus u:object_r:hal_can_bus_hwservice:s0
+android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
+android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
+android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
+android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.tests.lazy::ILazy u:object_r:hal_lazy_test_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.power.stats::IPowerStats u:object_r:hal_power_stats_hwservice:s0
+android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.tv.tuner::ITuner u:object_r:hal_tv_tuner_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
+android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/32.0/private/hwservicemanager.te b/prebuilts/api/32.0/private/hwservicemanager.te
new file mode 100644
index 000000000..e1fde43f2
--- /dev/null
+++ b/prebuilts/api/32.0/private/hwservicemanager.te
@@ -0,0 +1,9 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, ctl_interface_start_prop)
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/prebuilts/api/32.0/private/idmap.te b/prebuilts/api/32.0/private/idmap.te
new file mode 100644
index 000000000..c982783b9
--- /dev/null
+++ b/prebuilts/api/32.0/private/idmap.te
@@ -0,0 +1,3 @@
+typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/prebuilts/api/32.0/private/incident.te b/prebuilts/api/32.0/private/incident.te
new file mode 100644
index 000000000..db9ae8638
--- /dev/null
+++ b/prebuilts/api/32.0/private/incident.te
@@ -0,0 +1,37 @@
+typeattribute incident coredomain;
+
+type incident_exec, system_file_type, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+domain_auto_trans(dumpstate, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident to communicate with dumpstate, and write incident report to
+# /data/data/com.android.shell/files/bugreports/tmp_incident_report
+allow incident dumpstate:fd use;
+allow incident dumpstate:unix_stream_socket { read write };
+allow incident shell_data_file:file write;
+
+# allow incident be able to output data for CTS to fetch.
+allow incident devpts:chr_file { read write };
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
+# only allow incident being called by shell or dumpstate
+neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/32.0/private/incident_helper.te b/prebuilts/api/32.0/private/incident_helper.te
new file mode 100644
index 000000000..b45385568
--- /dev/null
+++ b/prebuilts/api/32.0/private/incident_helper.te
@@ -0,0 +1,14 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, system_file_type, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd dumpstate }:fd use;
+allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/32.0/private/incidentd.te b/prebuilts/api/32.0/private/incidentd.te
new file mode 100644
index 000000000..918ffda83
--- /dev/null
+++ b/prebuilts/api/32.0/private/incidentd.te
@@ -0,0 +1,213 @@
+typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
+
+init_daemon_domain(incidentd)
+type incidentd_exec, system_file_type, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# section id 1002, allow reading kernel version /proc/version
+allow incidentd proc_version:file r_file_perms;
+
+# section id 1116, allow accessing statsd socket
+unix_socket_send(incidentd, statsdw, statsd)
+
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
+# section id 3023, allow obtaining stats report
+allow incidentd stats_service:service_manager find;
+binder_call(incidentd, statsd)
+
+# section id 3026, allow reading /data/misc/perfetto-traces.
+allow incidentd perfetto_traces_data_file:dir r_dir_perms;
+allow incidentd perfetto_traces_data_file:file r_file_perms;
+
+# section id 3052, allow accessing nfc_service
+allow incidentd nfc_service:service_manager find;
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
+
+# Read files in /proc
+allow incidentd {
+ proc_cmdline
+ proc_pid_max
+ proc_pipe_conf
+ proc_stat
+}:file r_file_perms;
+
+# Signal java processes to dump their stack and get the results
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ sdcardd
+ statsd
+ surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_codec2_server
+ hal_face_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_omx_server
+ hal_sensors_server
+ hal_vr_server
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, system_server)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+ # Send signals to processes
+ kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# Access odsign verification status.
+get_prop(incidentd, odsign_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd apex_module_data_file:dir r_dir_perms;
+dontaudit incidentd apex_art_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+userdebug_or_eng(`read_logd(incidentd)')
+# TODO control_logd(incidentd)
+
+# Access /data/misc/logd
+r_dir_file(incidentd, misc_logd_file)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be allowlisted individually.
+allow incidentd {
+ system_server_service
+ app_api_service
+ system_api_service
+ -tracingproxy_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes only from dumpstate and incident
+allow incidentd { dumpstate incident }:fd use;
+allow incidentd { dumpstate incident }:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+# Read device serial number from system properties
+# This is used to track reports from lab testing devices
+userdebug_or_eng(`
+ get_prop(incidentd, serialno_prop)
+')
+
+# Read ro.boot.bootreason, persist.sys.boot.bootreason
+# This is used to track reports from lab testing devices
+userdebug_or_eng(`
+ get_prop(incidentd, bootloader_boot_reason_prop);
+ get_prop(incidentd, system_boot_reason_prop);
+ get_prop(incidentd, last_boot_reason_prop);
+')
+
+###
+### neverallow rules
+###
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+ w_file_perms
+ x_file_perms
+ create
+ rename
+ setattr
+ unlink
+ append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
diff --git a/prebuilts/api/32.0/private/init.te b/prebuilts/api/32.0/private/init.te
new file mode 100644
index 000000000..200780dfb
--- /dev/null
+++ b/prebuilts/api/32.0/private/init.te
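Review bot: The signal allowlist in the incidentd hunk carries two conflicting provenance comments: the line above the block says the list comes from `native_processes_to_dump in incidentd/utils.c`, while the first line inside the block says `native_processes_to_dump in dumputils/dump_utils.cpp`, so a maintainer syncing the list cannot tell which file is authoritative. I would keep only one, e.g. replace the outer line with `# This list mirrors native_processes_to_dump and hal_interfaces_to_dump in dumputils/dump_utils.cpp` and drop the duplicate inside the block. Separately, `allow incidentd system_file:file execute_no_trans;` lets any system_file binary run inside the incidentd domain, which is broader than the three binaries the comment lists; if the full grant is required, a comment saying why would help the next reader. As this is a prebuilt snapshot, the edit presumably belongs in the live private/incidentd.te.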
@@ -0,0 +1,117 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, charger_exec, charger)
+domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
+recovery_only(`
+ # Files in recovery image are labeled as rootfs.
+ domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, charger)
+ domain_trans(init, rootfs, fastbootd)
+ domain_trans(init, rootfs, recovery)
+ domain_trans(init, rootfs, linkerconfig)
+ domain_trans(init, rootfs, snapuserd)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, vendor_init)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
+userdebug_or_eng(`
+ # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+ domain_auto_trans(init, logcat_exec, logpersist)
+
+ # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
+ allow init su:process transition;
+ dontaudit init su:process noatsecure;
+ allow init su:process { siginh rlimitinh };
+')
+
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
+# Allow init to write to the drop_caches file.
+allow init proc_drop_caches:file rw_file_perms;
+
+# Allow the BoringSSL self test to request a reboot upon failure
+set_prop(init, powerctl_prop)
+
+# Only init is allowed to set userspace reboot related properties.
+set_prop(init, userspace_reboot_exported_prop)
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+# TODO(b/137092007): this can be removed once the platform stops supporting
+# kernels that precede the perf_event_open hooks (Android common kernels 4.4
+# and 4.9).
+allow init self:perf_event { open cpu };
+allow init self:global_capability2_class_set perfmon;
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+set_prop(init, init_perf_lsm_hooks_prop)
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
+
+# Only init can write vts.native_server.on
+set_prop(init, vts_status_prop)
+neverallow { domain -init } vts_status_prop:property_service set;
+
+# Only init can write normal ro.boot. properties
+neverallow { domain -init } bootloader_prop:property_service set;
+
+# Only init can write ro.boot.hypervisor properties
+neverallow { domain -init } hypervisor_prop:property_service set;
+
+# Only init can write hal.instrumentation.enable
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
+
+# Only init can write ro.property_service.version
+neverallow { domain -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { domain -init } keystore_listen_prop:property_service set;
+
+# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
+allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -keychord_device
+ -kvm_device
+ -port_device
+}:chr_file setattr;
diff --git a/prebuilts/api/32.0/private/initial_sid_contexts b/prebuilts/api/32.0/private/initial_sid_contexts
new file mode 100644
index 000000000..98190510f
--- /dev/null
+++ b/prebuilts/api/32.0/private/initial_sid_contexts
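Review bot: The sysfs_dm comment in the init hunk has a typo: `from it's /dev/block/dm-XX path` should read `from its /dev/block/dm-XX path`. The later comment `# Only init can write normal ro.boot. properties` also reads as if a glob was lost; if the whole prefix is meant, `# Only init can write normal ro.boot.* properties` would be clearer, though the exact original wording is not visible here. Both are comment-only changes and, since this is a prebuilt snapshot, presumably belong in the live private/init.te.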
@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/32.0/private/initial_sids b/prebuilts/api/32.0/private/initial_sids
new file mode 100644
index 000000000..91ac816ba
--- /dev/null
+++ b/prebuilts/api/32.0/private/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/prebuilts/api/32.0/private/inputflinger.te b/prebuilts/api/32.0/private/inputflinger.te
new file mode 100644
index 000000000..9696b491b
--- /dev/null
+++ b/prebuilts/api/32.0/private/inputflinger.te
@@ -0,0 +1,3 @@
+typeattribute inputflinger coredomain;
+
+init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/32.0/private/installd.te b/prebuilts/api/32.0/private/installd.te
new file mode 100644
index 000000000..726e5aa03
--- /dev/null
+++ b/prebuilts/api/32.0/private/installd.te
@@ -0,0 +1,48 @@
+typeattribute installd coredomain;
+
+init_daemon_domain(installd)
+
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
+
+# Delete /system/bin/bcc generated artifacts
+allow installd app_exec_data_file:file unlink;
+
+# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
+# subsequently restore them.
+allow installd rollback_data_file:dir create_dir_perms;
+allow installd rollback_data_file:file create_file_perms;
+
+# Allow installd to access the runtime feature flag properties.
+get_prop(installd, device_config_runtime_native_prop)
+get_prop(installd, device_config_runtime_native_boot_prop)
+
+# Allow installd to access apk verity feature flag (for legacy case).
+get_prop(installd, apk_verity_prop)
+
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
+# Allow installd to delete files in /data/staging
+allow installd staging_data_file:file unlink;
+allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/prebuilts/api/32.0/private/iorap_inode2filename.te b/prebuilts/api/32.0/private/iorap_inode2filename.te
new file mode 100644
index 000000000..5acb26212
--- /dev/null
+++ b/prebuilts/api/32.0/private/iorap_inode2filename.te
@@ -0,0 +1,11 @@
+typeattribute iorap_inode2filename coredomain;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
+allow iorap_inode2filename apex_data_file:file { getattr };
+allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
+allow iorap_inode2filename dalvikcache_data_file:file { getattr };
+allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
+allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
+allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
+allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/prebuilts/api/32.0/private/iorap_prefecherd.te b/prebuilts/api/32.0/private/iorap_prefecherd.te
new file mode 100644
index 000000000..9ddb512c9
--- /dev/null
+++ b/prebuilts/api/32.0/private/iorap_prefecherd.te
@@ -0,0 +1,4 @@
+typeattribute iorap_prefetcherd coredomain;
+
+init_daemon_domain(iorap_prefetcherd)
+tmpfs_domain(iorap_prefetcherd)
diff --git a/prebuilts/api/32.0/private/iorapd.te b/prebuilts/api/32.0/private/iorapd.te
new file mode 100644
index 000000000..73acec9c9
--- /dev/null
+++ b/prebuilts/api/32.0/private/iorapd.te
@@ -0,0 +1,10 @@
+typeattribute iorapd coredomain;
+
+init_daemon_domain(iorapd)
+tmpfs_domain(iorapd)
+
+domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
+
+# Allow iorapd to access the runtime native boot feature flag properties.
+get_prop(iorapd, device_config_runtime_native_boot_prop)
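Review bot: The comment `# Grant access to open most of the files under /` in the iorap_inode2filename hunk overstates what follows: the rules grant only getattr on a few file types, `open read search` on three directory types and `r_dir_perms` on the apex directories, with no access to `/` in general, so a reader auditing the domain is led to expect a far broader grant than the policy makes. I would replace it with `# Stat and list only the apex, dalvik-cache, dex2oat/dexoptanalyzer and storaged paths below; no general access under /`. As this is a prebuilt snapshot, the wording fix presumably belongs in the live private/iorap_inode2filename.te.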
diff --git a/prebuilts/api/32.0/private/isolated_app.te b/prebuilts/api/32.0/private/isolated_app.te
new file mode 100644
index 000000000..71749c00f
--- /dev/null
+++ b/prebuilts/api/32.0/private/isolated_app.te
@@ -0,0 +1,153 @@ +### +### Services with isolatedProcess=true in their manifest. +### +### This file defines the rules for isolated apps. An "isolated +### app" is an APP with UID between AID_ISOLATED_START (99000) +### and AID_ISOLATED_END (99999). +### + +typeattribute isolated_app coredomain; + +app_domain(isolated_app) + +# Access already open app data files received over Binder or local socket IPC. +allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map }; + +# Allow access to network sockets received over IPC. New socket creation is not +# permitted. +allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; + +allow isolated_app activity_service:service_manager find; +allow isolated_app display_service:service_manager find; +allow isolated_app webviewupdate_service:service_manager find; + +# Google Breakpad (crash reporter for Chrome) relies on ptrace +# functionality. Without the ability to ptrace, the crash reporter +# tool is broken. +# b/20150694 +# https://code.google.com/p/chromium/issues/detail?id=475270 +allow isolated_app self:process ptrace; + +# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps +# by other processes. Open should never be allowed, and is blocked by +# neverallow rules below. +# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs +# is modified to change the secontext when accessing the lower filesystem. +allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map }; + +# For webviews, isolated_app processes can be forked from the webview_zygote +# in addition to the zygote. Allow access to resources inherited from the +# webview_zygote process. These rules are specialized copies of the ones in app.te. +# Inherit FDs from the webview_zygote. +allow isolated_app webview_zygote:fd use; +# Notify webview_zygote of child death. 
+allow isolated_app webview_zygote:process sigchld; +# Inherit logd write socket. +allow isolated_app webview_zygote:unix_dgram_socket write; +# Read system properties managed by webview_zygote. +allow isolated_app webview_zygote_tmpfs:file read; + +# Inherit FDs from the app_zygote. +allow isolated_app app_zygote:fd use; +# Notify app_zygote of child death. +allow isolated_app app_zygote:process sigchld; +# Inherit logd write socket. +allow isolated_app app_zygote:unix_dgram_socket write; + +# TODO (b/63631799) fix this access +# suppress denials to /data/local/tmp +dontaudit isolated_app shell_data_file:dir search; + +# Write app-specific trace data to the Perfetto traced damon. This requires +# connecting to its producer socket and obtaining a (per-process) tmpfs fd. +perfetto_producer(isolated_app) + +# Allow profiling if the main app has been marked as profileable or +# debuggable. +can_profile_heap(isolated_app) +can_profile_perf(isolated_app) + +##### +##### Neverallow +##### + +# Isolated apps should not directly open app data files themselves. +neverallow isolated_app { app_data_file privapp_data_file }:file open; + +# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) +# TODO: are there situations where isolated_apps write to this file? +# TODO: should we tighten these restrictions further? +neverallow isolated_app anr_data_file:file ~{ open append }; +neverallow isolated_app anr_data_file:dir ~search; + +# Isolated apps must not be permitted to use HwBinder +neverallow isolated_app hwbinder_device:chr_file *; +neverallow isolated_app *:hwservice_manager *; + +# Isolated apps must not be permitted to use VndBinder +neverallow isolated_app vndbinder_device:chr_file *; + +# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager +# except the find actions for services allowlisted below. 
+neverallow isolated_app *:service_manager ~find; + +# b/17487348 +# Isolated apps can only access three services, +# activity_service, display_service, webviewupdate_service. +neverallow isolated_app { + service_manager_type + -activity_service + -display_service + -webviewupdate_service +}:service_manager find; + +# Isolated apps shouldn't be able to access the driver directly. +neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; + +# Do not allow isolated_app access to /cache +neverallow isolated_app cache_file:dir ~{ r_dir_perms }; +neverallow isolated_app cache_file:file ~{ read getattr }; + +# Do not allow isolated_app to access external storage, except for files passed +# via file descriptors (b/32896414). +neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr; +neverallow isolated_app { storage_file mnt_user_file }:file_class_set *; +neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *; +neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map }; + +# Do not allow USB access +neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; + +# Restrict the webview_zygote control socket. +neverallow isolated_app webview_zygote:sock_file write; + +# Limit the /sys files which isolated_app can access. This is important +# for controlling isolated_app attack surface. +neverallow isolated_app { + sysfs_type + -sysfs_devices_system_cpu + -sysfs_transparent_hugepage + -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852) + -sysfs_fs_incfs_features +}:file no_rw_file_perms; + +# No creation of sockets families other than AF_UNIX sockets. +# List taken from system/sepolicy/public/global_macros - socket_class_set +# excluding unix_stream_socket and unix_dgram_socket. +# Many of these are socket families which have never and will never +# be compiled into the Android kernel. 
+neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{ + socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket + key_socket appletalk_socket netlink_route_socket + netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket + netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket + netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket + netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket + netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket + netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket + netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket + rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket + bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket + ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket + qipcrtr_socket smc_socket xdp_socket +} create; diff --git a/prebuilts/api/32.0/private/iw.te b/prebuilts/api/32.0/private/iw.te new file mode 100644 index 000000000..adc8c9632 --- /dev/null +++ b/prebuilts/api/32.0/private/iw.te @@ -0,0 +1,4 @@ +type iw, domain, coredomain; +type iw_exec, system_file_type, exec_type, file_type; + +init_daemon_domain(iw) diff --git a/prebuilts/api/32.0/private/kernel.te b/prebuilts/api/32.0/private/kernel.te new file mode 100644 index 000000000..534116343 --- /dev/null +++ b/prebuilts/api/32.0/private/kernel.te 
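Review bot: The comment on the sdcard fd rule in isolated_app.te ("Open should never be allowed, and is blocked by neverallow rules below") is only half-backed for the types that rule lists: the neverallow section pins `sdcard_type:file` to `~{ read write append getattr lock map }`, but `media_rw_data_file`, which the same allow rule includes for the sdcardfs lower filesystem, is not named by any neverallow in this file. The open ban for those fds therefore rests on the allow rule alone unless a neverallow elsewhere in the policy covers it, which is not visible from this hunk. I would add `neverallow isolated_app media_rw_data_file:file ~{ read write append getattr lock map };` beside the sdcard_type line so that a later widening of the allow rule fails at policy build time rather than silently.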
@@ -0,0 +1,33 @@ +typeattribute kernel coredomain; + +domain_auto_trans(kernel, init_exec, init) +domain_auto_trans(kernel, snapuserd_exec, snapuserd) + +# Allow the kernel to read otapreopt_chroot's file descriptors and files under +# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex. +allow kernel otapreopt_chroot:fd use; +allow kernel postinstall_file:file read; + +# The following sections are for the transition period during a Virtual A/B +# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct +# context, and with properly labelled devices. This must be done before +# enabling enforcement, eg, in permissive mode while still in the kernel +# context. +allow kernel tmpfs:blk_file { getattr relabelfrom }; +allow kernel tmpfs:chr_file { getattr relabelfrom }; +allow kernel tmpfs:lnk_file { getattr relabelfrom }; +allow kernel tmpfs:dir { open read relabelfrom }; + +allow kernel block_device:blk_file relabelto; +allow kernel block_device:lnk_file relabelto; +allow kernel dm_device:chr_file relabelto; +allow kernel dm_device:blk_file relabelto; +allow kernel dm_user_device:dir { read open search relabelto }; +allow kernel dm_user_device:chr_file relabelto; +allow kernel kmsg_device:chr_file relabelto; +allow kernel null_device:chr_file relabelto; +allow kernel random_device:chr_file relabelto; +allow kernel snapuserd_exec:file relabelto; + +allow kernel kmsg_device:chr_file write; +allow kernel gsid:fd use; diff --git a/prebuilts/api/32.0/private/keys.conf b/prebuilts/api/32.0/private/keys.conf new file mode 100644 index 000000000..362e73df7 --- /dev/null +++ b/prebuilts/api/32.0/private/keys.conf 
@@ -0,0 +1,28 @@ +# +# Maps an arbitrary tag [TAGNAME] with the string contents found in +# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and +# name it after the base file name of the pem file. +# +# Each tag (section) then allows one to specify any string found in +# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another +# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string. +# + +[@PLATFORM] +ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem + +[@MEDIA] +ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem + +[@NETWORK_STACK] +ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem + +[@SHARED] +ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem + +# Example of ALL TARGET_BUILD_VARIANTS +[@RELEASE] +ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem +USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem +USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem + diff --git a/prebuilts/api/32.0/private/keystore.te b/prebuilts/api/32.0/private/keystore.te new file mode 100644 index 000000000..884222412 --- /dev/null +++ b/prebuilts/api/32.0/private/keystore.te 
@@ -0,0 +1,36 @@ +typeattribute keystore coredomain; + +init_daemon_domain(keystore) + +# talk to keymaster +hal_client_domain(keystore, hal_keymaster) + +# talk to confirmationui +hal_client_domain(keystore, hal_confirmationui) + +# talk to keymint +hal_client_domain(keystore, hal_keymint) + +# This is used for the ConfirmationUI async callback. +allow keystore platform_app:binder call; + +# Allow to check whether security logging is enabled. +get_prop(keystore, device_logging_prop) + +# Allow keystore to write to statsd. +unix_socket_send(keystore, statsdw, statsd) + +# Keystore need access to the keystore_key context files to load the keystore key backend. +allow keystore keystore2_key_contexts_file:file r_file_perms; + +get_prop(keystore, keystore_listen_prop) + +# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they +# can call keystore methods on those references. +allow keystore vold:binder transfer; +allow keystore wait_for_keymaster:binder transfer; + +# Only keystore can set keystore.crash_count system property. Since init is allowed to set any +# system property, an exception is added for init as well. +set_prop(keystore, keystore_crash_prop) +neverallow { domain -keystore -init } keystore_crash_prop:property_service set; diff --git a/prebuilts/api/32.0/private/keystore2_key_contexts b/prebuilts/api/32.0/private/keystore2_key_contexts new file mode 100644 index 000000000..3833971fc --- /dev/null +++ b/prebuilts/api/32.0/private/keystore2_key_contexts 
@@ -0,0 +1,28 @@ +# Keystore 2.0 key contexts. +# This file defines Keystore 2.0 namespaces and maps them to labels. +# Format: +# <namespace> <label> +# +# <namespace> must be an integer in the interval [0 ... 2^31) +# su_key is a keystore_key namespace for the su domain intended for native tests. +0 u:object_r:su_key:s0 + +# shell_key is a keystore_key namespace for the shell domain intended for native tests. +1 u:object_r:shell_key:s0 + +# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs. +100 u:object_r:vold_key:s0 + +# odsign_key is a keystore2_key namespace for the on-device signing daemon. +101 u:object_r:odsign_key:s0 + +# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID +# namespace in keystore. +102 u:object_r:wifi_key:s0 + +# locksettings_key is a keystore2_key namespace for the LockSettingsService. +103 u:object_r:locksettings_key:s0 + +# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot. +120 u:object_r:resume_on_reboot_key:s0 + diff --git a/prebuilts/api/32.0/private/keystore_keys.te b/prebuilts/api/32.0/private/keystore_keys.te new file mode 100644 index 000000000..2f9760850 --- /dev/null +++ b/prebuilts/api/32.0/private/keystore_keys.te 
@@ -0,0 +1,22 @@ +# Specify keystore2_key namespaces in this file. +# Please keep the names in alphabetical order and comment each new entry. + +# A keystore2_key namespace for the shell domain. Mainly used for native tests. +type shell_key, keystore2_key_type; + +# A keystore2 namespace for the su domain. Mainly used for native tests. +type su_key, keystore2_key_type; + +# A keystore2 namespace for vold. Vold need special permission to handle +# its own Keymint blobs. +type vold_key, keystore2_key_type; + +# A keystore2 namespace for the on-device signing daemon. +type odsign_key, keystore2_key_type; + +# A keystore2 namespace for LockSettingsService. +type locksettings_key, keystore2_key_type; + +# A keystore2 namespace for resume on reboot. +type resume_on_reboot_key, keystore2_key_type; + diff --git a/prebuilts/api/32.0/private/linkerconfig.te b/prebuilts/api/32.0/private/linkerconfig.te new file mode 100644 index 000000000..268810233 --- /dev/null +++ b/prebuilts/api/32.0/private/linkerconfig.te 
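Review bot: The header of keystore_keys.te asks that names be kept in alphabetical order, but the six declarations that follow are ordered shell_key, su_key, vold_key, odsign_key, locksettings_key, resume_on_reboot_key. Either reorder them (locksettings_key, odsign_key, resume_on_reboot_key, shell_key, su_key, vold_key) or drop the instruction; a convention the file itself ignores will not be followed by the next contributor. The per-entry comments also alternate between "A keystore2_key namespace" and "A keystore2 namespace"; the former matches the `keystore2_key_type` attribute actually used and would be the one to keep.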
@@ -0,0 +1,27 @@ +type linkerconfig, domain, coredomain; +type linkerconfig_exec, exec_type, file_type, system_file_type; + +init_daemon_domain(linkerconfig) + +## Read and write linkerconfig subdirectory. +allow linkerconfig linkerconfig_file:dir create_dir_perms; +allow linkerconfig linkerconfig_file:file create_file_perms; + +# Allow linkerconfig to log to the kernel. +allow linkerconfig kmsg_device:chr_file w_file_perms; + +# Allow linkerconfig to be invoked with logwrapper from init. +allow linkerconfig devpts:chr_file { read write }; + +# Allow linkerconfig to scan for apex modules +allow linkerconfig apex_mnt_dir:dir r_dir_perms; + +# Allow linkerconfig to read apex-info-list.xml +allow linkerconfig apex_info_file:file r_file_perms; + +# Allow linkerconfig to be called in the otapreopt_chroot +allow linkerconfig otapreopt_chroot:fd use; +allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms; +allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms; + +neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms; diff --git a/prebuilts/api/32.0/private/llkd.te b/prebuilts/api/32.0/private/llkd.te new file mode 100644 index 000000000..f218dec7c --- /dev/null +++ b/prebuilts/api/32.0/private/llkd.te 
@@ -0,0 +1,53 @@ +# llkd Live LocK Daemon +typeattribute llkd coredomain; + +init_daemon_domain(llkd) + +get_prop(llkd, llkd_prop) + +allow llkd self:global_capability_class_set kill; +userdebug_or_eng(` + allow llkd self:global_capability_class_set { sys_ptrace sys_admin }; + allow llkd self:global_capability_class_set { dac_override dac_read_search }; +') + +# llkd optionally locks itself in memory, to prevent it from being +# swapped out and unable to discover a kernel in live-lock state. +allow llkd self:global_capability_class_set ipc_lock; + +# Send kill signals to _anyone_ suffering from Live Lock +allow llkd domain:process sigkill; + +# read stack to check for Live Lock +userdebug_or_eng(` + allow llkd { + domain + -apexd + -kernel + -keystore + -init + -llkd + -ueventd + -vendor_init + }:process ptrace; +') + +# live lock watchdog process allowed to look through /proc/ +allow llkd domain:dir r_dir_perms; +allow llkd domain:file r_file_perms; +allow llkd domain:lnk_file read; +# Set /proc/sys/kernel/hung_task_* +allow llkd proc_hung_task:file rw_file_perms; + +# live lock watchdog process allowed to dump process trace and +# reboot because orderly shutdown may not be possible. +allow llkd proc_sysrq:file w_file_perms; +allow llkd kmsg_device:chr_file w_file_perms; + +### neverallow rules + +neverallow { domain -init } llkd:process { dyntransition transition }; +neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace; + +# never honor LD_PRELOAD +neverallow * llkd:process noatsecure; diff --git a/prebuilts/api/32.0/private/lmkd.te b/prebuilts/api/32.0/private/lmkd.te new file mode 100644 index 000000000..aee1b7f19 --- /dev/null +++ b/prebuilts/api/32.0/private/lmkd.te 
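Review bot: The userdebug_or_eng block near the top of llkd.te hands the daemon `sys_admin`, `dac_override` and `dac_read_search` with no comment saying what they are for, while every other rule in the file explains itself (ipc_lock, the domain-wide sigkill, the ptrace list). `sys_ptrace` is justified by the stack-reading block further down, but `sys_admin` is a near-root capability and an unexplained grant tends to survive long after the need is gone, even on debug builds. I would put a why-comment above the block, e.g. `# Debug builds only: sys_ptrace for the stack reads below; sys_admin and dac_* for <reason> - TODO confirm still required`, or drop whichever of the three the daemon no longer needs.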
@@ -0,0 +1,18 @@ +typeattribute lmkd coredomain; + +init_daemon_domain(lmkd) + +# Set sys.lmk.* properties. +set_prop(lmkd, system_lmk_prop) + +# Set lmkd.* properties. +set_prop(lmkd, lmkd_prop) + +# Get persist.device_config.lmk_native.* properties. +get_prop(lmkd, device_config_lmkd_native_prop) + +allow lmkd fs_bpf:dir search; +allow lmkd fs_bpf:file read; +allow lmkd bpfloader:bpf map_read; + +neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set; diff --git a/prebuilts/api/32.0/private/logd.te b/prebuilts/api/32.0/private/logd.te new file mode 100644 index 000000000..7112c4f83 --- /dev/null +++ b/prebuilts/api/32.0/private/logd.te @@ -0,0 +1,41 @@ +typeattribute logd coredomain; + +init_daemon_domain(logd) + +# Access device logging gating property +get_prop(logd, device_logging_prop) + +# logd is not allowed to write anywhere other than /data/misc/logd, and then +# only on userdebug or eng builds +neverallow logd { + file_type + -runtime_event_log_tags_file + userdebug_or_eng(`-coredump_file -misc_logd_file') + with_native_coverage(`-method_trace_data_file') +}:file { create write append }; + +# protect the event-log-tags file +neverallow { + domain + -appdomain # covered below + -bootstat + -dumpstate + -init + -logd + userdebug_or_eng(`-logpersist') + -servicemanager + -system_server + -surfaceflinger + -zygote +} runtime_event_log_tags_file:file no_rw_file_perms; + +neverallow { + appdomain + -bluetooth + -platform_app + -priv_app + -radio + -shell + userdebug_or_eng(`-su') + -system_app +} runtime_event_log_tags_file:file no_rw_file_perms; diff --git a/prebuilts/api/32.0/private/logpersist.te b/prebuilts/api/32.0/private/logpersist.te new file mode 100644 index 000000000..ab2c9c63f --- /dev/null +++ b/prebuilts/api/32.0/private/logpersist.te 
@@ -0,0 +1,30 @@ +typeattribute logpersist coredomain; + +# android debug log storage in logpersist domains (eng and userdebug only) +userdebug_or_eng(` + + r_dir_file(logpersist, cgroup) + r_dir_file(logpersist, cgroup_v2) + + allow logpersist misc_logd_file:file create_file_perms; + allow logpersist misc_logd_file:dir rw_dir_perms; + + allow logpersist self:global_capability_class_set sys_nice; + allow logpersist pstorefs:dir search; + allow logpersist pstorefs:file r_file_perms; + + control_logd(logpersist) + unix_socket_connect(logpersist, logdr, logd) + read_runtime_log_tags(logpersist) + +') + +# logpersist is allowed to write to /data/misc/log for userdebug and eng builds +neverallow logpersist { + file_type + userdebug_or_eng(`-misc_logd_file -coredump_file') + with_native_coverage(`-method_trace_data_file') +}:file { create write append }; +neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms; +neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms; +neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write }; diff --git a/prebuilts/api/32.0/private/lpdumpd.te b/prebuilts/api/32.0/private/lpdumpd.te new file mode 100644 index 000000000..9f5f87ebd --- /dev/null +++ b/prebuilts/api/32.0/private/lpdumpd.te 
@@ -0,0 +1,37 @@ +type lpdumpd, domain, coredomain; +type lpdumpd_exec, system_file_type, exec_type, file_type; + +init_daemon_domain(lpdumpd) + +# Allow lpdumpd to register itself as a service. +binder_use(lpdumpd) +add_service(lpdumpd, lpdump_service) + +# Allow lpdumpd to find the super partition block device. +allow lpdumpd block_device:dir r_dir_perms; + +# Allow lpdumpd to read super partition metadata. +allow lpdumpd super_block_device_type:blk_file r_file_perms; + +# Allow lpdumpd to read fstab. +allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms; +allow lpdumpd sysfs_dt_firmware_android:file r_file_perms; +read_fstab(lpdumpd) + +### Neverallow rules + +# Disallow other domains to get lpdump_service and call lpdumpd. +neverallow { + domain + -dumpstate + -lpdumpd + -shell +} lpdump_service:service_manager find; + +neverallow { + domain + -dumpstate + -lpdumpd + -shell + -servicemanager +} lpdumpd:binder call; diff --git a/prebuilts/api/32.0/private/mac_permissions.xml b/prebuilts/api/32.0/private/mac_permissions.xml new file mode 100644 index 000000000..7fc37c13e --- /dev/null +++ b/prebuilts/api/32.0/private/mac_permissions.xml 
@@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="utf-8"?> +<policy> + +<!-- + + * A signature is a hex encoded X.509 certificate or a tag defined in + keys.conf and is required for each signer tag. The signature can + either appear as a set of attached cert child tags or as an attribute. + * A signer tag must contain a seinfo tag XOR multiple package stanzas. + * Each signer/package tag is allowed to contain one seinfo tag. This tag + represents additional info that each app can use in setting a SELinux security + context on the eventual process as well as the apps data directory. + * seinfo assignments are made according to the following rules: + - Stanzas with package name refinements will be checked first. + - Stanzas w/o package name refinements will be checked second. + - The "default" seinfo label is automatically applied. + + * valid stanzas can take one of the following forms: + + // single cert protecting seinfo + <signer signature="@PLATFORM" > + <seinfo value="platform" /> + </signer> + + // multiple certs protecting seinfo (all contained certs must match) + <signer> + <cert signature="@PLATFORM1"/> + <cert signature="@PLATFORM2"/> + <seinfo value="platform" /> + </signer> + + // single cert protecting explicitly named app + <signer signature="@PLATFORM" > + <package name="com.android.foo"> + <seinfo value="bar" /> + </package> + </signer> + + // multiple certs protecting explicitly named app (all certs must match) + <signer> + <cert signature="@PLATFORM1"/> + <cert signature="@PLATFORM2"/> + <package name="com.android.foo"> + <seinfo value="bar" /> + </package> + </signer> +--> + + <!-- Platform dev key in AOSP --> + <signer signature="@PLATFORM" > + <seinfo value="platform" /> + </signer> + + <!-- Media key in AOSP --> + <signer signature="@MEDIA" > + <seinfo value="media" /> + </signer> + + <signer signature="@NETWORK_STACK" > + <seinfo value="network_stack" /> + </signer> +</policy> 
diff --git a/prebuilts/api/32.0/private/mdnsd.te b/prebuilts/api/32.0/private/mdnsd.te
new file mode 100644
index 000000000..98e95dab3
--- /dev/null
+++ b/prebuilts/api/32.0/private/mdnsd.te
@@ -0,0 +1,12 @@
+# mdns daemon
+
+typeattribute mdnsd coredomain;
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(mdnsd)
+
+net_domain(mdnsd)
+
+# Read from /proc/net
+r_dir_file(mdnsd, proc_net_type)
diff --git a/prebuilts/api/32.0/private/mediadrmserver.te b/prebuilts/api/32.0/private/mediadrmserver.te
new file mode 100644
index 000000000..4e511a819
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediadrmserver.te
@@ -0,0 +1,8 @@
+typeattribute mediadrmserver coredomain;
+
+init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/prebuilts/api/32.0/private/mediaextractor.te b/prebuilts/api/32.0/private/mediaextractor.te
new file mode 100644
index 000000000..7bcf5c82f
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediaextractor.te
@@ -0,0 +1,10 @@
+typeattribute mediaextractor coredomain;
+
+init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)
+allow mediaextractor appdomain_tmpfs:file { getattr map read write };
+allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
+allow mediaextractor system_server_tmpfs:file { getattr map read write };
+
+get_prop(mediaextractor, device_config_media_native_prop)
+get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/prebuilts/api/32.0/private/mediametrics.te b/prebuilts/api/32.0/private/mediametrics.te
new file mode 100644
index 000000000..5a6f2e1df
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediametrics.te
@@ -0,0 +1,8 @@
+typeattribute mediametrics coredomain;
+
+init_daemon_domain(mediametrics)
+
+# Needed for stats callback registration to statsd.
+allow mediametrics stats_service:service_manager find;
+allow mediametrics statsmanager_service:service_manager find;
+binder_call(mediametrics, statsd)
diff --git a/prebuilts/api/32.0/private/mediaprovider.te b/prebuilts/api/32.0/private/mediaprovider.te
new file mode 100644
index 000000000..78bbdb064
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediaprovider.te
@@ -0,0 +1,48 @@ +### +### A domain for android.process.media, which contains both +### MediaProvider and DownloadProvider and associated services. +### + +typeattribute mediaprovider coredomain; +app_domain(mediaprovider) + +# DownloadProvider accesses the network. +net_domain(mediaprovider) + +# DownloadProvider uses /cache. +allow mediaprovider cache_file:dir create_dir_perms; +allow mediaprovider cache_file:file create_file_perms; +# /cache is a symlink to /data/cache on some devices. Allow reading the link. +allow mediaprovider cache_file:lnk_file r_file_perms; +# mediaprovider searches through /cache looking for orphans +# Ignore denials to /cache/recovery and /cache/backup. +dontaudit mediaprovider cache_private_backup_file:dir getattr; +dontaudit mediaprovider cache_recovery_file:dir getattr; + +# Access external sdcards through /mnt/media_rw +allow mediaprovider { mnt_media_rw_file }:dir search; + +allow mediaprovider app_api_service:service_manager find; +allow mediaprovider audioserver_service:service_manager find; +allow mediaprovider cameraserver_service:service_manager find; +allow mediaprovider drmserver_service:service_manager find; +allow mediaprovider mediaextractor_service:service_manager find; +allow mediaprovider mediaserver_service:service_manager find; + +# Allow MediaProvider to read/write cached ringtones (opened by system). +allow mediaprovider ringtone_file:file { getattr read write }; + +# MtpServer uses /dev/mtp_usb +allow mediaprovider mtp_device:chr_file rw_file_perms; + +# MtpServer uses /dev/usb-ffs/mtp +allow mediaprovider functionfs:dir search; +allow mediaprovider functionfs:file rw_file_perms; +allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC; + +# MtpServer sets sys.usb.ffs.mtp.ready +get_prop(mediaprovider, ffs_config_prop) +set_prop(mediaprovider, ffs_control_prop) + +# DownloadManager may retrieve DRM status +get_prop(mediaprovider, drm_service_config_prop) 
diff --git a/prebuilts/api/32.0/private/mediaprovider_app.te b/prebuilts/api/32.0/private/mediaprovider_app.te
new file mode 100644
index 000000000..742da1f12
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediaprovider_app.te
@@ -0,0 +1,61 @@ +### +### A domain for further sandboxing the MediaProvider mainline module. +### +type mediaprovider_app, domain, coredomain; + +app_domain(mediaprovider_app) + +# Access to /mnt/pass_through. +r_dir_file(mediaprovider_app, mnt_pass_through_file) + +# Allow MediaProvider to host a FUSE daemon for external storage +allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr }; + +# Allow MediaProvider to read/write media_rw_data_file files and dirs +allow mediaprovider_app media_rw_data_file:file create_file_perms; +allow mediaprovider_app media_rw_data_file:dir create_dir_perms; + +# Talk to the DRM service +allow mediaprovider_app drmserver_service:service_manager find; + +# Talk to the MediaServer service +allow mediaprovider_app mediaserver_service:service_manager find; + +# Talk to the MediaCodec APIs that log media metrics +allow mediaprovider_app mediametrics_service:service_manager find; + +# Talk to regular app services +allow mediaprovider_app app_api_service:service_manager find; + +# Talk to the GPU service +binder_call(mediaprovider_app, gpuservice) + +# Talk to statsd +allow mediaprovider_app statsmanager_service:service_manager find; +binder_call(mediaprovider_app, statsd) + +# read pipe-max-size configuration +allow mediaprovider_app proc_pipe_conf:file r_file_perms; + +# Allow MediaProvider to set extended attributes (such as quota project ID) +# on media files. 
+allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl { + FS_IOC_FSGETXATTR + FS_IOC_FSSETXATTR + FS_IOC_GETFLAGS + FS_IOC_SETFLAGS +}; + +# Access external sdcards through /mnt/media_rw +allow mediaprovider_app { mnt_media_rw_file }:dir search; + +allow mediaprovider_app proc_filesystems:file r_file_perms; + +#Allow MediaProvider to see if sdcardfs is in use +get_prop(mediaprovider_app, storage_config_prop) + +get_prop(mediaprovider_app, drm_service_config_prop) + +allow mediaprovider_app gpu_device:dir search; + +dontaudit mediaprovider_app sysfs_vendor_sched:dir search; diff --git a/prebuilts/api/32.0/private/mediaserver.te b/prebuilts/api/32.0/private/mediaserver.te new file mode 100644 index 000000000..6fe460ca5 --- /dev/null +++ b/prebuilts/api/32.0/private/mediaserver.te @@ -0,0 +1,20 @@ +typeattribute mediaserver coredomain; + +init_daemon_domain(mediaserver) +tmpfs_domain(mediaserver) +allow mediaserver appdomain_tmpfs:file { getattr map read write }; + +# allocate and use graphic buffers +hal_client_domain(mediaserver, hal_graphics_allocator) +hal_client_domain(mediaserver, hal_configstore) +hal_client_domain(mediaserver, hal_drm) +hal_client_domain(mediaserver, hal_omx) +hal_client_domain(mediaserver, hal_codec2) + +set_prop(mediaserver, audio_prop) + +get_prop(mediaserver, drm_service_config_prop) +get_prop(mediaserver, media_config_prop) + +# Allow mediaserver to start media.transcoding service via ctl.start. +set_prop(mediaserver, ctl_mediatranscoding_prop); diff --git a/prebuilts/api/32.0/private/mediaserverwrapper.te b/prebuilts/api/32.0/private/mediaserverwrapper.te new file mode 100644 index 000000000..354338ee2 --- /dev/null +++ b/prebuilts/api/32.0/private/mediaserverwrapper.te 
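Review bot: `allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };` near the top of mediaprovider_app.te grants every ioctl on /dev/fuse, whereas the same file narrows the media_rw_data_file ioctls to four FS_IOC_* numbers with an allowxperm. A FUSE daemon normally issues a small, fixed set of device ioctls, so an `allowxperm mediaprovider_app fuse_device:chr_file ioctl { ... };` listing the numbers it actually uses would keep the rest of the kernel's FUSE ioctl surface away from an app-facing domain. If the exact set is not known, at least a comment stating why unrestricted ioctl is needed would tell the next reviewer this was a deliberate choice rather than an omission.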
@@ -0,0 +1,9 @@
+type mediaserverwrapper, domain, coredomain;
+type mediaserverwrapper_exec, system_file_type, exec_type, file_type;
+type mediaserverwrapper_tmpfs, file_type;
+init_daemon_domain(mediaserverwrapper)
+domain_auto_trans(mediaserverwrapper, mediaserver_exec, mediaserver);
+allow mediaserverwrapper mediaserver_exec:file { execute open read getattr map execute_no_trans };
+allow mediaserver mediaserverwrapper:fd use;
+# Let vendor_init set vendor_medsrv_set_64b.
+set_prop(vendor_init, vendor_medsrv_set_64b)
\ No newline at end of file
diff --git a/prebuilts/api/32.0/private/mediaswcodec.te b/prebuilts/api/32.0/private/mediaswcodec.te
new file mode 100644
index 000000000..02079c113
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediaswcodec.te
@@ -0,0 +1,6 @@
+typeattribute mediaswcodec coredomain;
+
+init_daemon_domain(mediaswcodec)
+
+get_prop(mediaswcodec, device_config_media_native_prop)
+get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/prebuilts/api/32.0/private/mediatranscoding.te b/prebuilts/api/32.0/private/mediatranscoding.te
new file mode 100644
index 000000000..2a43cf9b5
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediatranscoding.te
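Review bot: In mediaserverwrapper.te the explicit `allow mediaserverwrapper mediaserver_exec:file { execute open read getattr map execute_no_trans };` works against the `domain_auto_trans(mediaserverwrapper, mediaserver_exec, mediaserver)` directly above it: the macro already grants the execute/open/read/getattr/map file permissions the transition needs, and the one permission the allow line adds, `execute_no_trans`, is exactly what lets the mediaserver binary run inside the wrapper's domain without transitioning into the sandboxed mediaserver domain. Unless the wrapper deliberately runs mediaserver without a transition, delete that allow line and keep the domain_auto_trans alone. Two smaller points: `set_prop(vendor_init, vendor_medsrv_set_64b)` is a vendor_init rule sitting in a coredomain private policy file and probably belongs with the vendor policy that declares the property, and the file lacks a trailing newline. If this prebuilt mirrors a source policy file, the same fix has to land there as well or the API snapshot will diverge from the policy it is meant to freeze.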
@@ -0,0 +1,64 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding, domain;
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+type mediatranscoding_tmpfs, file_type;
+typeattribute mediatranscoding coredomain;
+
+init_daemon_domain(mediatranscoding)
+tmpfs_domain(mediatranscoding)
+allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
+
+binder_use(mediatranscoding)
+binder_call(mediatranscoding, binderservicedomain)
+binder_call(mediatranscoding, appdomain)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+hal_client_domain(mediatranscoding, hal_graphics_allocator)
+hal_client_domain(mediatranscoding, hal_configstore)
+hal_client_domain(mediatranscoding, hal_omx)
+hal_client_domain(mediatranscoding, hal_codec2)
+
+allow mediatranscoding mediaserver_service:service_manager find;
+allow mediatranscoding mediametrics_service:service_manager find;
+allow mediatranscoding mediaextractor_service:service_manager find;
+allow mediatranscoding package_native_service:service_manager find;
+allow mediatranscoding thermal_service:service_manager find;
+
+allow mediatranscoding system_server:fd use;
+allow mediatranscoding activity_service:service_manager find;
+
+# allow mediatranscoding service read/write permissions for file sources
+allow mediatranscoding sdcardfs:file { getattr read write };
+allow mediatranscoding media_rw_data_file:file { getattr read write };
+allow mediatranscoding apk_data_file:file { getattr read };
+allow mediatranscoding app_data_file:file { getattr read write };
+allow mediatranscoding shell_data_file:file { getattr read write };
+
+# allow mediatranscoding service write permission to statsd socket
+unix_socket_send(mediatranscoding, statsdw, statsd)
+
+# Allow mediatranscoding to access the DMA-BUF system heap
+allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow mediatranscoding gpu_device:dir 
search;
+
+# Allow mediatranscoding service to access media-related system properties
+get_prop(mediatranscoding, media_config_prop)
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/32.0/private/mediatuner.te b/prebuilts/api/32.0/private/mediatuner.te
new file mode 100644
index 000000000..413d2e545
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediatuner.te
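Review bot: The file-source rules `allow mediatranscoding app_data_file:file { getattr read write };` and `allow mediatranscoding shell_data_file:file { getattr read write };` omit open, so the daemon can only work on descriptors that callers hand it over binder rather than opening app or shell data on its own; the comment above them should state that, because a later "fix" that adds open would widen the sandbox considerably. A line such as `# No 'open' here on purpose: sources/destinations arrive as fds from callers; do not add it.` would record the intent. Since this is a prebuilts/api snapshot, the comment belongs in the source policy first.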
@@ -0,0 +1,30 @@
+# mediatuner - mediatuner daemon
+type mediatuner, domain;
+type mediatuner_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediatuner coredomain;
+
+init_daemon_domain(mediatuner)
+hal_client_domain(mediatuner, hal_tv_tuner)
+
+binder_use(mediatuner)
+binder_call(mediatuner, appdomain)
+binder_service(mediatuner)
+
+add_service(mediatuner, mediatuner_service)
+allow mediatuner system_server:fd use;
+allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
+allow mediatuner package_native_service:service_manager find;
+binder_call(mediatuner, system_server)
+
+###
+### neverallow rules
+###
+
+# mediatuner should never execute any executable without a
+# domain transition
+neverallow mediatuner { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
diff --git a/prebuilts/api/32.0/private/migrate_legacy_obb_data.te b/prebuilts/api/32.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 000000000..b2a1fb10a
--- /dev/null
+++ b/prebuilts/api/32.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,28 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/prebuilts/api/32.0/private/mls b/prebuilts/api/32.0/private/mls
new file mode 100644
index 000000000..955c27b00
--- /dev/null
+++ b/prebuilts/api/32.0/private/mls
@@ -0,0 +1,116 @@
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: Require equivalence unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Userfaultfd constraints
+#
+# To enforce that anonymous inodes are self contained in the application's process.
+mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
+ (l1 eq l2);
+
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write, so already open fds can be used.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must dominate object unless the subject is trusted.
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
+mlsconstrain { file sock_file } { open setattr unlink link rename }
+ ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+
+# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
+mlsconstrain { lnk_file } { open setattr unlink link rename read }
+ ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
+# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
+# TODO: Migrate to equivalence when it's no longer needed.
+mlsconstrain { lnk_file } { open setattr unlink link rename read }
+ ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be equivalent to the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/32.0/private/mls_decl b/prebuilts/api/32.0/private/mls_decl
new file mode 100644
index 000000000..dd53bea7e
--- /dev/null
+++ b/prebuilts/api/32.0/private/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/prebuilts/api/32.0/private/mls_macros b/prebuilts/api/32.0/private/mls_macros
new file mode 100644
index 000000000..83e05425b
--- /dev/null
+++ b/prebuilts/api/32.0/private/mls_macros
@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/prebuilts/api/32.0/private/mlstrustedsubject.te b/prebuilts/api/32.0/private/mlstrustedsubject.te
new file mode 100644
index 000000000..22482d9b7
--- /dev/null
+++ b/prebuilts/api/32.0/private/mlstrustedsubject.te
@@ -0,0 +1,30 @@
+# MLS override can't be used to access private app data.
+
+# Apps should not normally be mlstrustedsubject, but if they must be
+# they cannot use this to access app private data files; their own app
+# data files must use a different label.
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -adbd
+ -runas
+ -zygote
+} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/prebuilts/api/32.0/private/mm_events.te b/prebuilts/api/32.0/private/mm_events.te
new file mode 100644
index 000000000..4875d4032
--- /dev/null
+++ b/prebuilts/api/32.0/private/mm_events.te
@@ -0,0 +1,14 @@
+type mm_events, domain, coredomain;
+type mm_events_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mm_events)
+
+allow mm_events shell_exec:file rx_file_perms;
+
+# Allow running the sleep command to rate limit attempts
+# to arm mm_events on failure.
+allow mm_events toolbox_exec:file rx_file_perms;
+
+allow mm_events perfetto_exec:file rx_file_perms;
+
+domain_auto_trans(mm_events, perfetto_exec, perfetto)
diff --git a/prebuilts/api/32.0/private/modprobe.te b/prebuilts/api/32.0/private/modprobe.te
new file mode 100644
index 000000000..98586756f
--- /dev/null
+++ b/prebuilts/api/32.0/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/prebuilts/api/32.0/private/mtp.te b/prebuilts/api/32.0/private/mtp.te
new file mode 100644
index 000000000..732e111ed
--- /dev/null
+++ b/prebuilts/api/32.0/private/mtp.te
@@ -0,0 +1,3 @@
+typeattribute mtp coredomain;
+
+init_daemon_domain(mtp)
diff --git a/prebuilts/api/32.0/private/netd.te b/prebuilts/api/32.0/private/netd.te
new file mode 100644
index 000000000..670a4bf79
--- /dev/null
+++ b/prebuilts/api/32.0/private/netd.te
@@ -0,0 +1,44 @@
+typeattribute netd coredomain;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain and kill it
+domain_auto_trans(netd, clatd_exec, clatd)
+allow netd clatd:process signal;
+
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
+# the map created by bpfloader
+allow netd bpfloader:bpf { prog_run map_read map_write };
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow netd self:key_socket create;
+
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
+get_prop(netd, adbd_config_prop)
+get_prop(netd, bpf_progs_loaded_prop)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
+
+# Allow netd to write to statsd.
+unix_socket_send(netd, statsdw, statsd)
+
+# Allow netd to send callbacks to network_stack
+binder_call(netd, network_stack)
+
+# Allow netd to send dump info to dumpstate
+allow netd dumpstate:fd use;
+allow netd dumpstate:fifo_file { getattr write };
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/prebuilts/api/32.0/private/netutils_wrapper.te b/prebuilts/api/32.0/private/netutils_wrapper.te
new file mode 100644
index 000000000..ca3b51585
--- /dev/null
+++ b/prebuilts/api/32.0/private/netutils_wrapper.te
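Review bot: The comment above `neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;` says the RFC 7217 secret must never be leaked to other processes, yet the rule exempts dumpstate, which presumably lets the value reach a bugreport; the exemption should be documented (why dumpstate needs it and what is relied on to keep the value out of reports) or dropped if it is not actually needed. A one-line note such as `# dumpstate is exempted so bugreports can dump properties; keep this in step with whatever redaction dumpstate applies.` would make the trade-off explicit next to the rule. Since this is a prebuilts/api snapshot, the change belongs in the source policy first and then in a re-snapshot.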
@@ -0,0 +1,44 @@
+typeattribute netutils_wrapper coredomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:global_capability_class_set net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net_type:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:global_capability_class_set net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
+
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:dir search;
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+ domain
+ -coredomain
+ -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+dontaudit netutils_wrapper sysfs_type:file read;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
diff --git a/prebuilts/api/32.0/private/network_stack.te b/prebuilts/api/32.0/private/network_stack.te
new file mode 100644
index 000000000..09a98b534
--- /dev/null
+++ b/prebuilts/api/32.0/private/network_stack.te
@@ -0,0 +1,62 @@
+# Networking service app
+typeattribute network_stack coredomain, mlstrustedsubject;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+# Monitor neighbors via netlink.
+allow network_stack self:netlink_route_socket nlmsg_write;
+
+allow network_stack app_api_service:service_manager find;
+allow network_stack dnsresolver_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack network_watchlist_service:service_manager find;
+allow network_stack radio_service:service_manager find;
+allow network_stack system_config_service:service_manager find;
+allow network_stack radio_data_file:dir create_dir_perms;
+allow network_stack radio_data_file:file create_file_perms;
+
+binder_call(network_stack, netd);
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit network_stack self:key_socket getopt;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+############### Tethering Service app - Tethering.apk ##############
+hal_client_domain(network_stack, hal_tetheroffload)
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
+
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/prebuilts/api/32.0/private/nfc.te b/prebuilts/api/32.0/private/nfc.te
new file mode 100644
index 000000000..f1a08f7a4
--- /dev/null
+++ b/prebuilts/api/32.0/private/nfc.te
@@ -0,0 +1,35 @@
+# nfc subsystem
+typeattribute nfc coredomain, mlstrustedsubject;
+app_domain(nfc)
+net_domain(nfc)
+
+binder_service(nfc)
+add_service(nfc, nfc_service)
+
+hal_client_domain(nfc, hal_nfc)
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow nfc nfc_logs_data_file:dir rw_dir_perms;
+allow nfc nfc_logs_data_file:file create_file_perms;
+
+# SoundPool loading and playback
+allow nfc audioserver_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
+
+allow nfc radio_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
+allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
+
+set_prop(nfc, nfc_prop);
+
+# already open bugreport file descriptors may be shared with
+# the nfc process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/32.0/private/odrefresh.te b/prebuilts/api/32.0/private/odrefresh.te
new file mode 100644
index 000000000..3db1ae8c2
--- /dev/null
+++ b/prebuilts/api/32.0/private/odrefresh.te
@@ -0,0 +1,60 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file create_file_perms;
+
+# Allow odrefresh to create data files (typically for metrics before statsd starts).
+allow odrefresh odrefresh_data_file:dir create_dir_perms;
+allow odrefresh odrefresh_data_file:file create_file_perms;
+
+userfaultfd_use(odrefresh)
+
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow odrefresh odsign_devpts:chr_file { read write };
+allow odrefresh odsign:fd use;
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/32.0/private/odsign.te b/prebuilts/api/32.0/private/odsign.te
new file mode 100644
index 000000000..c6c7808b6
--- /dev/null
+++ b/prebuilts/api/32.0/private/odsign.te
@@ -0,0 +1,62 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to binder services (for keystore)
+binder_use(odsign);
+
+# talk to keystore specifically
+use_keystore(odsign);
+
+# Use our dedicated keystore key
+allow odsign odsign_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ use
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# only odsign can set odsign sysprop
+set_prop(odsign, odsign_prop)
+neverallow { domain -odsign -init } odsign_prop:property_service set;
+
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/prebuilts/api/32.0/private/otapreopt_chroot.te b/prebuilts/api/32.0/private/otapreopt_chroot.te
new file mode 100644
index 000000000..ea9d4ee9f
--- /dev/null
+++ b/prebuilts/api/32.0/private/otapreopt_chroot.te 
@@ -0,0 +1,98 @@
+# otapreopt_chroot executable
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# This is required for dynamic partitions.
+allow otapreopt_chroot dm_device:chr_file rw_file_perms;
+
+# This is required to unmount flattened APEX packages under
+# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
+allow otapreopt_chroot postinstall_file:filesystem unmount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
+
+# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
+
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
+
+# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
+allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
+# Allow otapreopt_chroot to access loop devices.
+allow otapreopt_chroot loop_device:blk_file rw_file_perms;
+allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# Allow otapreopt_chroot to configure read-ahead of loop devices.
+allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
+allow otapreopt_chroot sysfs_loop:file rw_file_perms;
+
+# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
+allow otapreopt_chroot tmpfs:filesystem mount;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
+# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
+
+# Allow otapreopt_chroot to access /dev/block (needed to detach loop
+# devices used by ext4 images from APEX packages).
+allow otapreopt_chroot block_device:dir r_dir_perms;
+
+# Allow to access the linker through the symlink.
+allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
+
+# Allow otapreopt_chroot to read ro.cold_boot_done prop.
+# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
+# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
+get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/prebuilts/api/32.0/private/otapreopt_slot.te b/prebuilts/api/32.0/private/otapreopt_slot.te
new file mode 100644
index 000000000..27a3b0e08
--- /dev/null
+++ b/prebuilts/api/32.0/private/otapreopt_slot.te
@@ -0,0 +1,28 @@
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject, coredomain;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/32.0/private/perfetto.te b/prebuilts/api/32.0/private/perfetto.te
new file mode 100644
index 000000000..f9693dabf
--- /dev/null
+++ b/prebuilts/api/32.0/private/perfetto.te
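Review bot: Both explanatory comments in otapreopt_slot.te name a different domain, `cppreopts`, while every rule below them is for `otapreopt_slot`, so anyone auditing why this domain gets an init transition and `shell_exec` rx access is pointed at the wrong thing. Suggest `# Technically not a daemon but we do want the transition from init domain to otapreopt_slot to occur.` and `# Allow otapreopt_slot to execute itself using #!/system/bin/sh`. Since this path is a prebuilts/api/32.0 snapshot, the wording fix presumably belongs in the policy source it mirrors and should reach here via re-snapshotting rather than a direct edit of the prebuilt.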
@@ -0,0 +1,102 @@
+# Perfetto command-line client. Can be used only from the domains that are
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# This command line client accesses the privileged socket of the traced
+# daemon.
+
+type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;
+
+tmpfs_domain(perfetto);
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(perfetto)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow to access binder to pass the traces to Dropbox.
+binder_use(perfetto)
+binder_call(perfetto, system_server)
+allow perfetto dropbox_service:service_manager find;
+
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow perfetto to read the trace config from statsd, mm_events and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd mm_events shell su }:fd use;
+allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
+
+# Allow to communicate use, read and write over the adb connection.
+allow perfetto adbd:fd use;
+allow perfetto adbd:unix_stream_socket { read write };
+
+# Allow adbd to reap perfetto.
+allow perfetto adbd:process { sigchld };
+
+# Allow perfetto to write to statsd.
+unix_socket_send(perfetto, statsdw, statsd)
+
+# Allow to access /dev/pts when launched in an adb shell.
+allow perfetto devpts:chr_file rw_file_perms;
+
+# Allow perfetto to ask incidentd to start a report.
+allow perfetto incident_service:service_manager find;
+binder_call(perfetto, incidentd)
+
+# perfetto log formatter calls isatty() on its stderr. Denial when running
+# under adbd is harmless. Avoid generating denial logs.
+dontaudit perfetto adbd:unix_stream_socket getattr;
+dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
+# As above, when adbd is running in "su" domain (only the ioctl is denied in
+# practice).
+dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
+# Similarly, CTS tests end up hitting a denial on shell pipes.
+dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
+
+###
+### Neverallow rules
+###
+### perfetto should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow perfetto self:process execmem;
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ -system_data_root_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir *;
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
+neverallow perfetto {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:file ~write;
diff --git a/prebuilts/api/32.0/private/performanced.te b/prebuilts/api/32.0/private/performanced.te
new file mode 100644
index 000000000..792826e02
--- /dev/null
+++ b/prebuilts/api/32.0/private/performanced.te
@@ -0,0 +1,3 @@
+typeattribute performanced coredomain;
+
+init_daemon_domain(performanced)
diff --git a/prebuilts/api/32.0/private/permissioncontroller_app.te b/prebuilts/api/32.0/private/permissioncontroller_app.te
new file mode 100644
index 000000000..5f8187530
--- /dev/null
+++ b/prebuilts/api/32.0/private/permissioncontroller_app.te
@@ -0,0 +1,22 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain, coredomain;
+
+app_domain(permissioncontroller_app)
+
+allow permissioncontroller_app app_api_service:service_manager find;
+allow permissioncontroller_app system_api_service:service_manager find;
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+
+allow permissioncontroller_app radio_service:service_manager find;
+
+# Allow the app to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow permissioncontroller_app incident_service:service_manager find;
+binder_call(permissioncontroller_app, incidentd)
+allow permissioncontroller_app incidentd:fifo_file { read write };
+
+allow permissioncontroller_app gpu_device:dir search;
diff --git a/prebuilts/api/32.0/private/platform_app.te b/prebuilts/api/32.0/private/platform_app.te
new file mode 100644
index 000000000..f746f1cc4
--- /dev/null
+++ b/prebuilts/api/32.0/private/platform_app.te
@@ -0,0 +1,110 @@
+###
+### Apps signed with the platform key.
+###
+
+typeattribute platform_app coredomain;
+
+app_domain(platform_app)
+
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+# Read from /data/local/tmp or /data/data/com.android.shell.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app mnt_media_rw_file:dir r_dir_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
+
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
+allow platform_app drmserver_service:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediametrics_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app thermal_service:service_manager find;
+allow platform_app timezone_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;
+allow platform_app stats_service:service_manager find;
+
+# Allow platform apps to log via statsd.
+binder_call(platform_app, statsd)
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(platform_app)
+
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow platform apps to connect to the property service
+set_prop(platform_app, test_boot_reason_prop)
+
+# allow platform apps to read keyguard.no_require_sim
+get_prop(platform_app, keyguard_config_prop)
+
+# allow platform apps to read qemu.hw.mainkeys
+get_prop(platform_app, qemu_hw_prop)
+
+# allow platform apps to create symbolic link
+allow platform_app app_data_file:lnk_file create_file_perms;
+
+# suppress denials caused by debugfs_tracing
+dontaudit platform_app debugfs_tracing:file rw_file_perms;
+
+# Allow platform apps to act as Perfetto producers.
+perfetto_producer(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/32.0/private/policy_capabilities b/prebuilts/api/32.0/private/policy_capabilities
new file mode 100644
index 000000000..9290e3ab3
--- /dev/null
+++ b/prebuilts/api/32.0/private/policy_capabilities
@@ -0,0 +1,20 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
+# Enable NoNewPrivileges support. Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
diff --git a/prebuilts/api/32.0/private/port_contexts b/prebuilts/api/32.0/private/port_contexts
new file mode 100644
index 000000000..b473c0c9b
--- /dev/null
+++ b/prebuilts/api/32.0/private/port_contexts
@@ -0,0 +1,3 @@
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
+
diff --git a/prebuilts/api/32.0/private/postinstall.te b/prebuilts/api/32.0/private/postinstall.te
new file mode 100644
index 000000000..7060c59bd
--- /dev/null
+++ b/prebuilts/api/32.0/private/postinstall.te
@@ -0,0 +1,5 @@
+typeattribute postinstall coredomain;
+type postinstall_exec, system_file_type, exec_type, file_type;
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+allow postinstall rootfs:dir r_dir_perms;
diff --git a/prebuilts/api/32.0/private/postinstall_dexopt.te b/prebuilts/api/32.0/private/postinstall_dexopt.te
new file mode 100644
index 000000000..2fdc94123
--- /dev/null
+++ b/prebuilts/api/32.0/private/postinstall_dexopt.te
@@ -0,0 +1,88 @@
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
+type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+# - Case where dex2oat is in a non-flattened APEX, which has retained
+# the correct type (`dex2oat_exec`).
+domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+# - Case where dex2oat is in a flattened APEX, which has been tagged
+# with the `postinstall_file` type by update_engine.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt rootfs:file r_file_perms;
+
+allow postinstall_dexopt tmpfs:file read;
+
+# Allow access odsign verification status
+get_prop(postinstall_dexopt, odsign_prop)
+
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Read vendor overlay files (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
+
+# Allow postinstall_dexopt to access the runtime feature flag properties.
+get_prop(postinstall_dexopt, device_config_runtime_native_prop)
+get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/32.0/private/ppp.te b/prebuilts/api/32.0/private/ppp.te
new file mode 100644
index 000000000..968b221b6
--- /dev/null
+++ b/prebuilts/api/32.0/private/ppp.te
@@ -0,0 +1,3 @@
+typeattribute ppp coredomain;
+
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/32.0/private/preloads_copy.te b/prebuilts/api/32.0/private/preloads_copy.te
new file mode 100644
index 000000000..ba54b70ac
--- /dev/null
+++ b/prebuilts/api/32.0/private/preloads_copy.te
@@ -0,0 +1,18 @@
+type preloads_copy, domain, coredomain;
+type preloads_copy_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(preloads_copy)
+
+allow preloads_copy shell_exec:file rx_file_perms;
+allow preloads_copy toolbox_exec:file rx_file_perms;
+allow preloads_copy preloads_data_file:dir create_dir_perms;
+allow preloads_copy preloads_data_file:file create_file_perms;
+allow preloads_copy preloads_media_file:dir create_dir_perms;
+allow preloads_copy preloads_media_file:file create_file_perms;
+
+# Allow to copy from /postinstall
+allow preloads_copy system_file:dir r_dir_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but preloads_copy.sh still runs.
+dontaudit preloads_copy postinstall_mnt_dir:dir search;
diff --git a/prebuilts/api/32.0/private/preopt2cachename.te b/prebuilts/api/32.0/private/preopt2cachename.te
new file mode 100644
index 000000000..dcfba14d5
--- /dev/null
+++ b/prebuilts/api/32.0/private/preopt2cachename.te
@@ -0,0 +1,17 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+
+type preopt2cachename, domain, coredomain;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+ auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
diff --git a/prebuilts/api/32.0/private/priv_app.te b/prebuilts/api/32.0/private/priv_app.te
new file mode 100644
index 000000000..3ceb7a305
--- /dev/null
+++ b/prebuilts/api/32.0/private/priv_app.te
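Review bot: The comment `# Allow write to logcat.` in preopt2cachename.te sits directly above `allow preopt2cachename proc_net_type:file r_file_perms;`, which grants read access to the proc_net_type family rather than anything logcat-related, so a reviewer auditing /proc/net exposure (the userdebug/eng `auditallow` underneath suggests this grant is being tracked for removal) gets no stated reason for the read. If logging really is the consumer, say so explicitly and tie it to the audit, e.g. `# Read access to proc_net_type, needed by the logging path; auditallowed below so it can be removed once confirmed unused.`; otherwise the comment should name the actual consumer. This file is a prebuilts/api/32.0 snapshot, so the wording presumably needs fixing in the mirrored policy source and re-snapshotting rather than here.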
@@ -0,0 +1,262 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+typeattribute priv_app coredomain;
+app_domain(priv_app)
+
+# Access the network.
+net_domain(priv_app)
+# Access bluetooth.
+bluetooth_domain(priv_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
+create_pty(priv_app)
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow priv_app privapp_data_file:file execute;
+
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
+allow priv_app privapp_data_file:lnk_file create_file_perms;
+
+# Priv apps can find services that expose both @SystemAPI and normal APIs.
+allow priv_app app_api_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+
+allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
+allow priv_app drmserver_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
+allow priv_app mediaserver_service:service_manager find;
+allow priv_app music_recognition_service:service_manager find;
+allow priv_app network_watchlist_service:service_manager find;
+allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
+allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app radio_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
+allow priv_app stats_service:service_manager find;
+
+# Write to /cache.
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+allow priv_app media_rw_data_file:dir create_dir_perms;
+allow priv_app media_rw_data_file:file create_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow priv_app shell_data_file:file r_file_perms;
+allow priv_app shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow priv_app trace_data_file:file { getattr read };
+
+# Allow betterbug to read profile reports generated by profcollect.
+userdebug_or_eng(`
+ allow priv_app profcollectd_data_file:file r_file_perms;
+')
+
+# Allow the bug reporting frontend to read the presence and timestamp of the
+# trace attached to the bugreport (but not its contents, which will go in the
+# usual bugreport .zip file). This is used by the bug reporting UI to tell if
+# the bugreport will contain a system trace or not while the bugreport is still
+# in progress.
+allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
+allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
+# Required to traverse the parent dir (/data/misc/perfetto-traces).
+allow priv_app perfetto_traces_data_file:dir { search };
+
+# Allow verifier to access staged apks.
+allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
+# /proc access
+allow priv_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
+r_dir_file(priv_app, rootfs)
+
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
+# Allow com.android.vending to communicate with statsd.
+binder_call(priv_app, statsd)
+
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
+# Access to /data/preloads
+allow priv_app preloads_data_file:file r_file_perms;
+allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(priv_app)
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(priv_app)
+
+# Allow priv_apps to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow priv_app incident_service:service_manager find;
+binder_call(priv_app, incidentd)
+allow priv_app incidentd:fifo_file { read write };
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(priv_app)
+can_profile_perf(priv_app)
+
+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
+# suppress denials for non-API accesses.
+dontaudit priv_app exec_type:file getattr;
+dontaudit priv_app device:dir read;
+dontaudit priv_app fs_bpf:dir search;
+dontaudit priv_app net_dns_prop:file read;
+dontaudit priv_app proc:file read;
+dontaudit priv_app proc_interrupts:file read;
+dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_net:file read;
+dontaudit priv_app proc_stat:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app sysfs:dir read;
+dontaudit priv_app sysfs:file read;
+dontaudit priv_app sysfs_android_usb:file read;
+dontaudit priv_app sysfs_dm:file r_file_perms;
+dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System, fill missing blocks and get the app status and loading progress
+allowxperm priv_app apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+};
+
+# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
+allow priv_app incremental_control_file:file { read getattr ioctl };
+
+# allow apps like Phonesky to request permission to fill blocks of an apk file
+# on the Incremental File System.
+allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
+
+# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
+get_prop(priv_app, incremental_prop)
+
+# Required for Phonesky to be able to read APEX files under /data/apex/active/.
+allow priv_app apex_data_file:dir search;
+allow priv_app staging_data_file:file r_file_perms;
+# Required for Phonesky to be able to read staged files under /data/app-staging.
+allow priv_app staging_data_file:dir r_dir_perms;
+
+# allow priv app to access the system app data files for ContentProvider case.
+allow priv_app system_app_data_file:file { read getattr };
+
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow priv_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow priv_app domain:netlink_socket *;
+
+# Read or write kernel printk buffer
+neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow priv_app debugfs:file read;
+
+# Do not allow privileged apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow priv_app service_manager_type:service_manager add;
+
+# Do not allow privileged apps to connect to the property service
+# or set properties. b/10243159
+neverallow priv_app property_socket:sock_file write;
+neverallow priv_app init:unix_stream_socket connectto;
+neverallow priv_app property_type:property_service set;
+
+# Do not allow priv_app to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and priv_app is allowed fork permission to itself.
+neverallow priv_app mlstrustedsubject:process fork;
+
+# Do not allow priv_app to hard link to any files.
+# In particular, if priv_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure priv_app never has this
+# capability.
+neverallow priv_app file_type:file link;
+
+# priv apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor which they can then read
+neverallow priv_app trace_data_file:dir *;
+neverallow priv_app trace_data_file:file { no_w_file_perms open };
+
+# Do not allow priv_app access to cgroups.
+neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
+
+# Do not allow loading executable code from non-privileged
+# application home directories. Code loading across a security boundary
+# is dangerous and allows a full compromise of a privileged process
+# by an unprivileged process. b/112357170
+neverallow priv_app app_data_file:file no_x_file_perms;
+
+# Do not follow untrusted app provided symlinks
+neverallow priv_app app_data_file:lnk_file { open read getattr };
diff --git a/prebuilts/api/32.0/private/profcollectd.te b/prebuilts/api/32.0/private/profcollectd.te
new file mode 100644
index 000000000..efde321ea
--- /dev/null
+++ b/prebuilts/api/32.0/private/profcollectd.te
@@ -0,0 +1,61 @@
+# profcollectd - hardware profile collection daemon
+type profcollectd, domain, coredomain, mlstrustedsubject;
+type profcollectd_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(profcollectd)
+
+ # profcollectd opens a file for writing in /data/misc/profcollectd.
+ allow profcollectd profcollectd_data_file:file create_file_perms;
+ allow profcollectd profcollectd_data_file:dir create_dir_perms;
+
+ # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
+ allow profcollectd self:perf_event { cpu kernel open read write };
+
+ # Allow profcollectd to scan through /proc/pid for all processes.
+ r_dir_file(profcollectd, domain)
+
+ # Allow profcollectd to read executable binaries.
+ allow profcollectd system_file_type:file r_file_perms;
+ allow profcollectd vendor_file_type:file r_file_perms;
+
+ # Allow profcollectd to search for and read kernel modules.
+ allow profcollectd vendor_file:dir r_dir_perms;
+ allow profcollectd vendor_kernel_modules:file r_file_perms;
+
+ # Allow profcollectd to read system bootstrap libs.
+ allow profcollectd system_bootstrap_lib_file:dir search;
+ allow profcollectd system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow profcollectd to access tracefs.
+ allow profcollectd debugfs_tracing:dir r_dir_perms;
+ allow profcollectd debugfs_tracing:file rw_file_perms;
+ allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
+ allow profcollectd debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow profcollectd to write to perf_event_paranoid under /proc.
+ allow profcollectd proc_perf:file write;
+
+ # Allow profcollectd to access cs_etm sysfs.
+ r_dir_file(profcollectd, sysfs_devices_cs_etm)
+
+ # Allow profcollectd to ptrace.
+ allow profcollectd self:global_capability_class_set sys_ptrace;
+
+ # Allow profcollectd to read its system properties.
+ get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+ set_prop(profcollectd, profcollectd_node_id_prop)
+
+ # Allow profcollectd to publish a binder service and make binder calls.
+ binder_use(profcollectd)
+ add_service(profcollectd, profcollectd_service)
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(profcollectd, lower_kptr_restrict_prop)
+ allow profcollectd proc_kallsyms:file r_file_perms;
+ allow profcollectd proc_modules:file r_file_perms;
+
+ # Allow profcollectd to read kernel build id.
+ allow profcollectd sysfs_kernel_notes:file r_file_perms;
+')
diff --git a/prebuilts/api/32.0/private/profman.te b/prebuilts/api/32.0/private/profman.te
new file mode 100644
index 000000000..f61d05efe
--- /dev/null
+++ b/prebuilts/api/32.0/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/prebuilts/api/32.0/private/property.te b/prebuilts/api/32.0/private/property.te
new file mode 100644
index 000000000..fdc320612
--- /dev/null
+++ b/prebuilts/api/32.0/private/property.te
@@ -0,0 +1,609 @@
+# Properties used only in /system
+system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(device_config_lmkd_native_prop)
+system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_statsd_native_prop)
+system_internal_prop(device_config_statsd_native_boot_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
+system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(device_config_window_manager_native_boot_prop)
+system_internal_prop(device_config_configuration_prop)
+system_internal_prop(device_config_connectivity_prop)
+system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(fastbootd_protocol_prop)
+system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
+system_internal_prop(init_service_status_private_prop)
+system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_crash_prop)
+system_internal_prop(keystore_listen_prop)
+system_internal_prop(last_boot_reason_prop)
+system_internal_prop(localization_prop)
+system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(net_464xlat_fromvendor_prop)
+system_internal_prop(net_connectivity_prop)
+system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(odsign_prop)
+system_internal_prop(perf_drop_caches_prop)
+system_internal_prop(pm_prop)
+system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(rollback_test_prop)
+system_internal_prop(setupwizard_prop)
+system_internal_prop(system_adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(userspace_reboot_log_prop)
+system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(verity_status_prop)
+system_internal_prop(zygote_wrap_prop)
+system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
+vendor_restricted_prop(vendor_medsrv_set_64b)
+
+###
+### Neverallow rules
+###
+
+treble_sysprop_neverallow(`
+
+enforce_sysprop_owner(`
+ neverallow domain {
+ property_type
+ -system_property_type
+ -product_property_type
+ -vendor_property_type
+ }:file no_rw_file_perms;
+')
+
+neverallow { domain -coredomain } {
+ system_property_type
+ system_internal_property_type
+ -system_restricted_property_type
+ -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+ system_property_type
+ -system_public_property_type
+}:property_service set;
+
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
+ vendor_property_type
+ vendor_internal_property_type
+ -vendor_restricted_property_type
+ -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { coredomain -init } {
+ vendor_property_type
+ -vendor_public_property_type
+}:property_service set;
+
+')
+
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -ota_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -usb_prop
+ -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_config_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_system_prop
+ exported3_system_prop
+ usb_control_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ radio_control_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ -hal_wifi_server
+ -wificond
+ -vendor_init
+ } {
+ wifi_hal_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ dalvik_config_prop
+ extended_core_property_type
+ exported3_system_prop
+ systemsound_config_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -vendor_init
+ } {
+ suspend_prop
+ }:property_service set;
+')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -system_property_type
+ -extended_core_property_type
+ }:property_service set;
+')
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ ffs_config_prop
+ ffs_control_prop
+}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and system_server to set system_adbd_prop
+ domain
+ -init
+ -system_server
+} {
+ system_adbd_prop
+}:property_service set;
+
+# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -adbd
+ -system_server
+} {
+ adbd_config_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and adbd to set adbd_prop
+ domain
+ -init
+ -adbd
+} {
+ adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and shell to set userspace_reboot_test_prop
+ domain
+ -init
+ -shell
+} {
+ userspace_reboot_test_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} {
+ surfaceflinger_color_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} {
+ libc_debug_prop
+}:property_service set;
+
+# Allow the shell to set MTE props, so that non-root users with adb shell
+# access can control the settings on their device.
+neverallow {
+ domain
+ -init
+ -shell
+} {
+ arm64_memtag_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} zram_control_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} dalvik_runtime_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ usb_config_prop
+ usb_control_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+} {
+ provisioned_prop
+ retaildemo_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ provisioned_prop
+ retaildemo_prop
+}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} {
+ init_service_status_private_prop
+ init_service_status_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -radio
+ -appdomain
+ -hal_telephony_server
+ not_compatible_property(`-vendor_init')
+} telephony_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+} packagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} keyguard_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} {
+ localization_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_app
+} oem_unlock_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} storagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} sendbug_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} camera_calibration_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -hal_dumpstate_server
+ not_compatible_property(`-vendor_init')
+} hal_dumpstate_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-traced_probes')
+ userdebug_or_eng(`-traced_perf')
+} {
+ lower_kptr_restrict_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} zygote_wrap_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+} verity_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+} setupwizard_prop:property_service set;
+
+# ro.product.property_source_order is useless after initialization of ro.product.* props.
+# So making it accessible only from init and vendor_init.
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+} build_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -shell
+} sqlite_log_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -appdomain
+} sqlite_log_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} default_prop:property_service set;
+
+# Only one of system_property_type and vendor_property_type can be assigned.
+# Property types having both attributes won't be accessible from anywhere.
+neverallow domain system_and_vendor_property_type:{file property_service} *;
+
+neverallow {
+ # Only allow init and shell to set rollback_test_prop
+ domain
+ -init
+ -shell
+} rollback_test_prop:property_service set;
+
+neverallow {
+ # Only allow init and profcollectd to access profcollectd_node_id_prop
+ domain
+ -init
+ -dumpstate
+ -profcollectd
+} profcollectd_node_id_prop:file r_file_perms;
+
diff --git a/prebuilts/api/32.0/private/property_contexts b/prebuilts/api/32.0/private/property_contexts
new file mode 100644
index 000000000..f8c887a9b
--- /dev/null
+++ b/prebuilts/api/32.0/private/property_contexts
@@ -0,0 +1,1234 @@ +########################## +# property service keys +# +# +net.rmnet u:object_r:net_radio_prop:s0 +net.gprs u:object_r:net_radio_prop:s0 +net.ppp u:object_r:net_radio_prop:s0 +net.qmi u:object_r:net_radio_prop:s0 +net.lte u:object_r:net_radio_prop:s0 +net.cdma u:object_r:net_radio_prop:s0 +net.dns u:object_r:net_dns_prop:s0 +ril. u:object_r:radio_prop:s0 +ro.ril. u:object_r:radio_prop:s0 +gsm. u:object_r:radio_prop:s0 +persist.radio u:object_r:radio_prop:s0 + +net. u:object_r:system_prop:s0 +dev. u:object_r:system_prop:s0 +ro.runtime. u:object_r:system_prop:s0 +ro.runtime.firstboot u:object_r:firstboot_prop:s0 +hw. u:object_r:system_prop:s0 +ro.hw. u:object_r:system_prop:s0 +sys. u:object_r:system_prop:s0 +sys.audio. u:object_r:audio_prop:s0 +sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 +sys.cppreopt u:object_r:cppreopt_prop:s0 +sys.lpdumpd u:object_r:lpdumpd_prop:s0 +sys.powerctl u:object_r:powerctl_prop:s0 +service. u:object_r:system_prop:s0 +dhcp. u:object_r:dhcp_prop:s0 +dhcp.bt-pan.result u:object_r:pan_result_prop:s0 +bluetooth. u:object_r:bluetooth_prop:s0 + +debug. u:object_r:debug_prop:s0 +debug.db. u:object_r:debuggerd_prop:s0 +dumpstate. u:object_r:dumpstate_prop:s0 +dumpstate.options u:object_r:dumpstate_options_prop:s0 +init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 +llk. u:object_r:llkd_prop:s0 +khungtask. u:object_r:llkd_prop:s0 +ro.llk. u:object_r:llkd_prop:s0 +ro.khungtask. u:object_r:llkd_prop:s0 +log. u:object_r:log_prop:s0 +log.tag u:object_r:log_tag_prop:s0 +log.tag.WifiHAL u:object_r:wifi_log_prop:s0 +security.perf_harden u:object_r:shell_prop:s0 +security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0 +service.adb.root u:object_r:shell_prop:s0 +service.adb.tls.port u:object_r:adbd_prop:s0 +persist.adb.wifi. u:object_r:adbd_prop:s0 +persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0 + +persist.audio. u:object_r:audio_prop:s0 +persist.bluetooth. 
u:object_r:bluetooth_prop:s0 +persist.nfc_cfg. u:object_r:nfc_prop:s0 +persist.debug. u:object_r:persist_debug_prop:s0 +logd. u:object_r:logd_prop:s0 +persist.logd. u:object_r:logd_prop:s0 +ro.logd. u:object_r:logd_prop:s0 +persist.logd.security u:object_r:device_logging_prop:s0 +persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +persist.log.tag u:object_r:log_tag_prop:s0 +persist.mmc. u:object_r:mmc_prop:s0 +persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0 +persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0 +persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string +persist.sys. u:object_r:system_prop:s0 +persist.sys.safemode u:object_r:safemode_prop:s0 +persist.sys.theme u:object_r:theme_prop:s0 +persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0 +ro.sys.safemode u:object_r:safemode_prop:s0 +persist.sys.audit_safemode u:object_r:safemode_prop:s0 +persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0 +persist.service. u:object_r:system_prop:s0 +persist.service.bdroid. u:object_r:bluetooth_prop:s0 +persist.security. u:object_r:system_prop:s0 +persist.traced.enable u:object_r:traced_enabled_prop:s0 +traced.lazy. u:object_r:traced_lazy_prop:s0 +persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0 +persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0 +persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0 +persist.vendor.overlay. u:object_r:overlay_prop:s0 +ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool +ro.boot.vendor.overlay. u:object_r:overlay_prop:s0 +ro.boottime. u:object_r:boottime_prop:s0 +ro.serialno u:object_r:serialno_prop:s0 +ro.boot.btmacaddr u:object_r:bluetooth_prop:s0 +ro.boot.serialno u:object_r:serialno_prop:s0 +ro.bt. 
u:object_r:bluetooth_prop:s0 +ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0 +persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0 +sys.boot.reason u:object_r:system_boot_reason_prop:s0 +sys.boot.reason.last u:object_r:last_boot_reason_prop:s0 +pm. u:object_r:pm_prop:s0 +test.sys.boot.reason u:object_r:test_boot_reason_prop:s0 +test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0 +sys.lmk. u:object_r:system_lmk_prop:s0 +sys.trace. u:object_r:system_trace_prop:s0 +wrap. u:object_r:zygote_wrap_prop:s0 prefix string + +# Suspend service properties +suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint +suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint +suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint +suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint +suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double +suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool +suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool + +# Fastbootd protocol control property +fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp + +# adbd protoctl configuration property +service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int +service.adb.transport u:object_r:adbd_config_prop:s0 exact string + +# Boolean property set by system server upon boot indicating +# if device is fully owned by organization instead of being +# a personal device. +ro.organization_owned u:object_r:device_logging_prop:s0 + +# selinux non-persistent properties +selinux.restorecon_recursive u:object_r:restorecon_prop:s0 + +# default property context +* u:object_r:default_prop:s0 + +# data partition encryption properties +vold. u:object_r:vold_prop:s0 +ro.crypto. u:object_r:vold_prop:s0 + +# ro.build.fingerprint is either set in /system/build.prop, or is +# set at runtime by system_server. 
+ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string + +ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0 + +# ctl properties +ctl.bootanim u:object_r:ctl_bootanim_prop:s0 +ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0 +ctl.fuse_ u:object_r:ctl_fuse_prop:s0 +ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0 +ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0 +ctl.bugreport u:object_r:ctl_bugreport_prop:s0 +ctl.console u:object_r:ctl_console_prop:s0 +ctl. u:object_r:ctl_default_prop:s0 + +# Don't allow uncontrolled access to all services +ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0 +ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0 +ctl.start$ u:object_r:ctl_start_prop:s0 +ctl.stop$ u:object_r:ctl_stop_prop:s0 +ctl.restart$ u:object_r:ctl_restart_prop:s0 +ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0 +ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0 +ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0 + + # Restrict access to starting/stopping adbd +ctl.start$adbd u:object_r:ctl_adbd_prop:s0 +ctl.stop$adbd u:object_r:ctl_adbd_prop:s0 +ctl.restart$adbd u:object_r:ctl_adbd_prop:s0 + +# Restrict access to starting/stopping gsid. +ctl.start$gsid u:object_r:ctl_gsid_prop:s0 +ctl.stop$gsid u:object_r:ctl_gsid_prop:s0 +ctl.restart$gsid u:object_r:ctl_gsid_prop:s0 + +# Restrict access to stopping apexd. +ctl.stop$apexd u:object_r:ctl_apexd_prop:s0 + +# Restrict access to stopping odsign +ctl.stop$odsign u:object_r:ctl_odsign_prop:s0 + +# Restrict access to starting media.transcoding. +ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0 + +# Restrict access to restart dumpstate +ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0 + +# Restrict access to control snapuserd +ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0 +ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0 +ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0 + +# NFC properties +nfc. 
u:object_r:nfc_prop:s0 + +# These properties are not normally set by processes other than init. +# They are only distinguished here for setting by qemu-props on the +# emulator/goldfish. +config. u:object_r:config_prop:s0 +ro.config. u:object_r:config_prop:s0 +dalvik. u:object_r:dalvik_prop:s0 +ro.dalvik. u:object_r:dalvik_prop:s0 + +# qemu_hw_prop is read/written by both system and vendor. +qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact string + +# qemu_sf_lcd_density_prop is read/written by both system and vendor. +qemu.sf.lcd_density u:object_r:qemu_sf_lcd_density_prop:s0 exact int + +# Shared between system server and wificond +wifi. u:object_r:wifi_prop:s0 +wlan. u:object_r:wifi_prop:s0 + +# Lowpan properties +lowpan. u:object_r:lowpan_prop:s0 +ro.lowpan. u:object_r:lowpan_prop:s0 + +# heapprofd properties +heapprofd. u:object_r:heapprofd_prop:s0 + +# hwservicemanager properties +hwservicemanager. u:object_r:hwservicemanager_prop:s0 + +# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm. +init.svc.odm. u:object_r:vendor_default_prop:s0 +init.svc.vendor. u:object_r:vendor_default_prop:s0 +ro.hardware. u:object_r:vendor_default_prop:s0 +ro.odm. u:object_r:vendor_default_prop:s0 +ro.vendor. u:object_r:vendor_default_prop:s0 +ro.vendor_dlkm. u:object_r:vendor_default_prop:s0 +ro.odm_dlkm. u:object_r:vendor_default_prop:s0 +odm. u:object_r:vendor_default_prop:s0 +persist.odm. u:object_r:vendor_default_prop:s0 +persist.vendor. u:object_r:vendor_default_prop:s0 +vendor. u:object_r:vendor_default_prop:s0 + +# Properties that relate to time / time zone detection behavior. +persist.time. u:object_r:time_prop:s0 + +# Properties that relate to server configurable flags +device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0 +persist.device_config.activity_manager_native_boot. 
u:object_r:device_config_activity_manager_native_boot_prop:s0 +persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0 +persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0 +persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0 +persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0 +persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0 +persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0 +persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0 +persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0 +persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 +persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 +persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0 +persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0 +persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0 +persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0 +persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0 + +# MM Events config props +persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool + +# Properties that relate to legacy server configurable flags +persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0 + +apexd. u:object_r:apexd_prop:s0 +apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint +apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint +persist.apexd. u:object_r:apexd_prop:s0 + +bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 + +gsid. 
u:object_r:gsid_prop:s0 +ro.gsid. u:object_r:gsid_prop:s0 + +# Property for disabling NNAPI vendor extensions on product image (used on GSI /product image, +# which can't use NNAPI vendor extensions). +ro.nnapi.extensions.deny_on_product u:object_r:nnapi_ext_deny_product_prop:s0 + +# Property that is set once ueventd finishes cold boot. +ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 + +# Properties that control performance operations. +# Leave space to later set drop_caches to 1, 2, and 4. +perf.drop_caches u:object_r:perf_drop_caches_prop:s0 exact enum 0 3 + +# Charger properties +ro.charger. u:object_r:charger_prop:s0 +sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int +ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool + +# Virtual A/B properties +ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool +ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool +ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool + +ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string +# Property to set/clear the warm reset flag after an OTA update. +ota.warm_reset u:object_r:ota_prop:s0 +# The vbmeta digest for the inactive slot. It can be set after installing +# ota updates to the b partition of a/b devices. +ota.other.vbmeta_digest u:object_r:ota_prop:s0 exact string + +# Module properties +com.android.sdkext. u:object_r:module_sdkextensions_prop:s0 +persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0 + +# Connectivity module +net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool +net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int + +# Userspace reboot properties +sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0 +persist.sys.userspace_reboot.log. 
u:object_r:userspace_reboot_log_prop:s0 + +# Integer property which is used in libgui to configure the number of frames +# tracked by buffer queue's frame event timing history. The property is set +# by devices with video decoding pipelines long enough to overflow the default +# history size. +ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0 + +af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int +ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int +ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int + +audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool +audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool +audio.offload.video u:object_r:audio_config_prop:s0 exact bool +audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int + +ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool +ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool +ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool +# Boolean property used in AudioService to configure whether +# spatializer functionality should be initialized +ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool + +persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string + +config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool + +camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool +camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool +ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool +ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool +ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool + +ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool + +ro.vendor.camera.extensions.package u:object_r:camera2_extensions_prop:s0 exact string +ro.vendor.camera.extensions.service 
u:object_r:camera2_extensions_prop:s0 exact string + +# ART properties +dalvik.vm. u:object_r:dalvik_config_prop:s0 +ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 +ro.zygote u:object_r:dalvik_config_prop:s0 exact string + +# A set of ART properties listed explicitly for compatibility purposes. +ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.dex2oat-max-image-block-size u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.dex2oat64.enabled 
u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.dexopt.secondary u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.dexopt.thermal-cutoff u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.execution-mode u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.extra-opts u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.foreground-heap-growth-multiplier u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.gctype u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.heapgrowthlimit u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.heapmaxfree u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.heapminfree u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.heapsize u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.heapstartsize u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.heaptargetutilization u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.hot-startup-method-samples u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.image-dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.image-dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.image-dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.image-dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.image-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.isa.arm.features u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.arm.variant u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.arm64.features u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.arm64.variant u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.mips.features u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.mips.variant u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.mips64.features u:object_r:dalvik_config_prop:s0 exact string 
+dalvik.vm.isa.mips64.variant u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.unknown.features u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.unknown.variant u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.x86.features u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.x86.variant u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.x86_64.features u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.isa.x86_64.variant u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.jitinitialsize u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.jitmaxsize u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.jitprithreadweight u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.jitthreshold u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.jittransitionweight u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.jniopts u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.lockprof.threshold u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.method-trace u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.method-trace-file u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.method-trace-file-siz u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.method-trace-stream u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string +dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int +dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool +dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int + 
+persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string + +keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool + +media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int + +media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool +media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string +media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool +media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool +media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool +media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool +media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool +media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool +media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool +persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool + +persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string +persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool +persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool +persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool + +persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string + +persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool +ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string +ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string +ro.hdmi.set_menu_language u:object_r:hdmi_config_prop:s0 exact bool +ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool +ro.hdmi.property_sytem_audio_device_arc_port u:object_r:hdmi_config_prop:s0 exact string +ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool 
+ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool +ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool +ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none +ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source + +pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool +pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int +pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string + +ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int + +ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool + +ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string + +ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string + +ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string +ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int +ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int 
+ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int +ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int +ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string +ro.config.ringtone u:object_r:systemsound_config_prop:s0 exact string +ro.config.system_vol_default u:object_r:systemsound_config_prop:s0 exact int +ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int +ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int + +ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log +ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool + +ro.crypto.allow_encrypt_override u:object_r:vold_config_prop:s0 exact bool +ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int +ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string +ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int +ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool +ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string +ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool +ro.crypto.volume.contents_mode u:object_r:vold_config_prop:s0 exact string +ro.crypto.volume.filenames_mode u:object_r:vold_config_prop:s0 exact string +ro.crypto.volume.metadata.encryption u:object_r:vold_config_prop:s0 exact string +ro.crypto.volume.metadata.method u:object_r:vold_config_prop:s0 exact string +ro.crypto.volume.options u:object_r:vold_config_prop:s0 exact string + +external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool +external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool +external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool +external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool + +ro.config.per_app_memcg 
u:object_r:lmkd_config_prop:s0 exact bool +ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool +ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool +ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.filecache_min_kb u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool +ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool +ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int +ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool +ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int +lmkd.reinit u:object_r:lmkd_prop:s0 exact int + +ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string +ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string +ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string + +ro.minui.default_rotation u:object_r:recovery_config_prop:s0 exact string +ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int +ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string + +ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int + +ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string + +ro.storage_manager.enabled 
u:object_r:storagemanager_config_prop:s0 exact bool +ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool + +ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string + +ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string + +ro.zram.mark_idle_delay_mins u:object_r:zram_config_prop:s0 exact int +ro.zram.first_wb_delay_mins u:object_r:zram_config_prop:s0 exact int +ro.zram.periodic_wb_delay_hours u:object_r:zram_config_prop:s0 exact int +zram.force_writeback u:object_r:zram_config_prop:s0 exact bool +persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool + +sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string + +persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string + +sys.usb.config u:object_r:usb_control_prop:s0 exact string +sys.usb.configfs u:object_r:usb_control_prop:s0 exact int +sys.usb.controller u:object_r:usb_control_prop:s0 exact string +sys.usb.state u:object_r:usb_control_prop:s0 exact string + +sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool +sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int + +sys.usb.config. 
u:object_r:usb_prop:s0 + +sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool +sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int +sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int + +sys.usb.ffs.ready u:object_r:ffs_control_prop:s0 exact bool +sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool + +tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int + +vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int + +apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready + +odsign.key.done u:object_r:odsign_prop:s0 exact bool +odsign.verification.done u:object_r:odsign_prop:s0 exact bool +odsign.verification.success u:object_r:odsign_prop:s0 exact bool + +dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool +sys.boot_completed u:object_r:boot_status_prop:s0 exact bool + +persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string + +persist.sys.theme u:object_r:theme_prop:s0 exact string + +sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int + +sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool + +aac_drc_boost u:object_r:aac_drc_prop:s0 exact int +aac_drc_cut u:object_r:aac_drc_prop:s0 exact int +aac_drc_enc_target_level u:object_r:aac_drc_prop:s0 exact int +aac_drc_heavy u:object_r:aac_drc_prop:s0 exact int +aac_drc_reference_level u:object_r:aac_drc_prop:s0 exact int +ro.aac_drc_effect_type u:object_r:aac_drc_prop:s0 exact int + +build.version.extensions. 
u:object_r:module_sdkextensions_prop:s0 prefix int + +drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool +media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool + +drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool + +dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool +dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool +persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool + +hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool + +# default contexts only accessible by coredomain +init.svc. u:object_r:init_service_status_private_prop:s0 prefix string + +# Globally-readable init service props +init.svc.adbd u:object_r:init_service_status_prop:s0 exact string +init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string +init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string +init.svc.console u:object_r:init_service_status_prop:s0 exact string +init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string +init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string +init.svc.statsd u:object_r:init_service_status_prop:s0 exact string +init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string +init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string +init.svc.zygote u:object_r:init_service_status_prop:s0 exact string + +libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string +libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string +libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string + +# shell-only props for ARM memory tagging (MTE). +arm64.memtag. 
u:object_r:arm64_memtag_prop:s0 prefix string + +net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool + +persist.sys.locale u:object_r:exported_system_prop:s0 exact string +persist.sys.timezone u:object_r:exported_system_prop:s0 exact string +persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool + +ro.arch u:object_r:build_prop:s0 exact string + +# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned. +ro.boot. u:object_r:bootloader_prop:s0 +ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string +ro.boot.baseband u:object_r:bootloader_prop:s0 exact string +ro.boot.bootdevice u:object_r:bootloader_prop:s0 exact string +ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string +ro.boot.boottime u:object_r:bootloader_prop:s0 exact string +ro.boot.console u:object_r:bootloader_prop:s0 exact string +ro.boot.hardware u:object_r:bootloader_prop:s0 exact string +ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string +ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string +ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string +ro.boot.mode u:object_r:bootloader_prop:s0 exact string +# Populated on Android Studio Emulator (for emulator specific workarounds) +ro.boot.qemu u:object_r:bootloader_prop:s0 exact bool +ro.boot.revision u:object_r:bootloader_prop:s0 exact string +ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string +ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string +ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string +# Properties specific to virtualized deployments of Android +ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string + +# These ro.X properties are set to values of ro.boot.X by property_service. 
+ro.baseband u:object_r:bootloader_prop:s0 exact string +ro.bootloader u:object_r:bootloader_prop:s0 exact string +ro.bootmode u:object_r:bootloader_prop:s0 exact string +ro.hardware u:object_r:bootloader_prop:s0 exact string +ro.revision u:object_r:bootloader_prop:s0 exact string + +ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string +ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string + +ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string +ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string + +ro.build.characteristics u:object_r:build_prop:s0 exact string +ro.build.date u:object_r:build_prop:s0 exact string +ro.build.date.utc u:object_r:build_prop:s0 exact int +ro.build.description u:object_r:build_prop:s0 exact string +ro.build.display.id u:object_r:build_prop:s0 exact string +ro.build.flavor u:object_r:build_prop:s0 exact string +ro.build.host u:object_r:build_prop:s0 exact string +ro.build.id u:object_r:build_prop:s0 exact string +ro.build.product u:object_r:build_prop:s0 exact string +ro.build.system_root_image u:object_r:build_prop:s0 exact bool +ro.build.tags u:object_r:build_prop:s0 exact string +ro.build.type u:object_r:build_prop:s0 exact string +ro.build.user u:object_r:build_prop:s0 exact string +ro.build.version.all_codenames u:object_r:build_prop:s0 exact string +ro.build.version.base_os u:object_r:build_prop:s0 exact string +ro.build.version.codename u:object_r:build_prop:s0 exact string +ro.build.version.incremental u:object_r:build_prop:s0 exact string +ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int +ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int +ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string +ro.build.version.release u:object_r:build_prop:s0 exact string +ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string +ro.build.version.sdk 
u:object_r:build_prop:s0 exact int +ro.build.version.security_patch u:object_r:build_prop:s0 exact string + +ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool + +ro.debuggable u:object_r:build_prop:s0 exact bool + +ro.treble.enabled u:object_r:build_prop:s0 exact bool + +ro.product.cpu.abi u:object_r:build_prop:s0 exact string +ro.product.cpu.abilist u:object_r:build_prop:s0 exact string +ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string +ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string + +ro.product.system.brand u:object_r:build_prop:s0 exact string +ro.product.system.device u:object_r:build_prop:s0 exact string +ro.product.system.manufacturer u:object_r:build_prop:s0 exact string +ro.product.system.model u:object_r:build_prop:s0 exact string +ro.product.system.name u:object_r:build_prop:s0 exact string + +ro.system.build.date u:object_r:build_prop:s0 exact string +ro.system.build.date.utc u:object_r:build_prop:s0 exact int +ro.system.build.fingerprint u:object_r:build_prop:s0 exact string +ro.system.build.id u:object_r:build_prop:s0 exact string +ro.system.build.tags u:object_r:build_prop:s0 exact string +ro.system.build.type u:object_r:build_prop:s0 exact string +ro.system.build.version.incremental u:object_r:build_prop:s0 exact string +ro.system.build.version.release u:object_r:build_prop:s0 exact string +ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string +ro.system.build.version.sdk u:object_r:build_prop:s0 exact int + +ro.adb.secure u:object_r:build_prop:s0 exact bool +ro.secure u:object_r:build_prop:s0 exact int + +ro.product.system_ext.brand u:object_r:build_prop:s0 exact string +ro.product.system_ext.device u:object_r:build_prop:s0 exact string +ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string +ro.product.system_ext.model u:object_r:build_prop:s0 exact string +ro.product.system_ext.name u:object_r:build_prop:s0 exact string + 
+ro.system_ext.build.date u:object_r:build_prop:s0 exact string +ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int +ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string +ro.system_ext.build.id u:object_r:build_prop:s0 exact string +ro.system_ext.build.tags u:object_r:build_prop:s0 exact string +ro.system_ext.build.type u:object_r:build_prop:s0 exact string +ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string +ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string +ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string +ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int + +# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop +ro.product.product.brand u:object_r:build_prop:s0 exact string +ro.product.product.device u:object_r:build_prop:s0 exact string +ro.product.product.manufacturer u:object_r:build_prop:s0 exact string +ro.product.product.model u:object_r:build_prop:s0 exact string +ro.product.product.name u:object_r:build_prop:s0 exact string + +ro.product.build.date u:object_r:build_prop:s0 exact string +ro.product.build.date.utc u:object_r:build_prop:s0 exact int +ro.product.build.fingerprint u:object_r:build_prop:s0 exact string +ro.product.build.id u:object_r:build_prop:s0 exact string +ro.product.build.tags u:object_r:build_prop:s0 exact string +ro.product.build.type u:object_r:build_prop:s0 exact string +ro.product.build.version.incremental u:object_r:build_prop:s0 exact string +ro.product.build.version.release u:object_r:build_prop:s0 exact string +ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string +ro.product.build.version.sdk u:object_r:build_prop:s0 exact int + +# These 5 properties are set by property_service +ro.product.brand u:object_r:build_prop:s0 exact string +ro.product.device u:object_r:build_prop:s0 exact string +ro.product.manufacturer 
u:object_r:build_prop:s0 exact string +ro.product.model u:object_r:build_prop:s0 exact string +ro.product.name u:object_r:build_prop:s0 exact string + +# Sanitizer properties +ro.sanitize.address u:object_r:build_prop:s0 exact bool +ro.sanitize.cfi u:object_r:build_prop:s0 exact bool +ro.sanitize.default-ub u:object_r:build_prop:s0 exact bool +ro.sanitize.fuzzer u:object_r:build_prop:s0 exact bool +ro.sanitize.hwaddress u:object_r:build_prop:s0 exact bool +ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool +ro.sanitize.safe-stack u:object_r:build_prop:s0 exact bool +ro.sanitize.scudo u:object_r:build_prop:s0 exact bool +ro.sanitize.thread u:object_r:build_prop:s0 exact bool +ro.sanitize.undefined u:object_r:build_prop:s0 exact bool + +# All odm build props are set by /odm/build.prop +ro.odm.build.date u:object_r:build_odm_prop:s0 exact string +ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int +ro.odm.build.fingerprint u:object_r:build_odm_prop:s0 exact string +ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string +ro.odm.build.media_performance_class u:object_r:build_odm_prop:s0 exact int + +ro.product.odm.brand u:object_r:build_odm_prop:s0 exact string +ro.product.odm.device u:object_r:build_odm_prop:s0 exact string +ro.product.odm.manufacturer u:object_r:build_odm_prop:s0 exact string +ro.product.odm.model u:object_r:build_odm_prop:s0 exact string +ro.product.odm.name u:object_r:build_odm_prop:s0 exact string + +# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop +ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string +ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int +ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string +ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string +ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string +ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string 
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string +ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string +ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string +ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int + +# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop +ro.product.odm_dlkm.brand u:object_r:build_odm_prop:s0 exact string +ro.product.odm_dlkm.device u:object_r:build_odm_prop:s0 exact string +ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string +ro.product.odm_dlkm.model u:object_r:build_odm_prop:s0 exact string +ro.product.odm_dlkm.name u:object_r:build_odm_prop:s0 exact string + +ro.odm_dlkm.build.date u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.date.utc u:object_r:build_odm_prop:s0 exact int +ro.odm_dlkm.build.fingerprint u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.id u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.tags u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.type u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.version.incremental u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.version.release u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string +ro.odm_dlkm.build.version.sdk u:object_r:build_odm_prop:s0 exact int + +# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop +ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool + +# All vendor build props are set by /vendor/build.prop +ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string +ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int +ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string +ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string 
+ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string +ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string +ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string +ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string +ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string +ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int +ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool + +# All vendor CPU abilist props are set by /vendor/build.prop +ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string +ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string +ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string + +ro.product.board u:object_r:build_vendor_prop:s0 exact string +ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int +ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor_dlkm.brand u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor_dlkm.device u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string +ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string + +# GRF property for the first api level of the vendor partition +ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int +ro.board.api_level u:object_r:build_vendor_prop:s0 exact int + +# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop 
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
+ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+
+# ro.product.property_source_order is settable from any build.prop
+ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
+
+ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
+ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
+
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
+
+service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
+
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
+sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
+
+vold.decrypt u:object_r:vold_status_prop:s0 exact string
+
+aaudio.hw_burst_min_usec u:object_r:aaudio_config_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mmap_policy u:object_r:aaudio_config_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:aaudio_config_prop:s0 exact int
+
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
+
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
+
+# Update related props
+ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
+ro.build.ab_update.gki.prevent_downgrade_version u:object_r:ab_update_gki_prop:s0 exact bool
+ro.build.ab_update.gki.prevent_downgrade_spl u:object_r:ab_update_gki_prop:s0 exact bool
+
+ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
+
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+
+ro.hw_timeout_multiplier u:object_r:hw_timeout_multiplier_prop:s0 exact int
+
+ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
+
+# ro.kernel.* properties are emulator specific and deprecated. Do not use.
+# Should be retired once presubmit allows.
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
+ro.kernel.qemu. u:object_r:exported_default_prop:s0
+ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+
+ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
+
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
+
+ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
+ro.vndk.version u:object_r:vndk_prop:s0 exact string
+
+ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
+
+vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
+
+wifi.active.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.aware.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.interface u:object_r:wifi_hal_prop:s0 exact string
+wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
+
+ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
+
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
+
+# Property to enable incremental feature
+ro.incremental.enable u:object_r:incremental_prop:s0
+
+# Properties to configure userspace reboot.
+init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
+init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
+
+# surfaceflinger properties
+ro.surface_flinger.default_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.default_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_HDR_display u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_wide_color_display u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_height u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_width u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.primary_display_orientation u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.running_without_sync_framework u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_color_management u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_context_priority u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_vr_flinger u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.display_primary_red u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_green u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_blue u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_white u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.protected_contents u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
+
+ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
+
+persist.sys.sf.color_mode u:object_r:surfaceflinger_color_prop:s0 exact int
+persist.sys.sf.color_saturation u:object_r:surfaceflinger_color_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:surfaceflinger_color_prop:s0 exact int
+
+# Binder cache properties. These are world-readable
+cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
+cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
+cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
+
+cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
+cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
+cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+
+# Framework watchdog configuration properties.
+framework_watchdog.fatal_count u:object_r:framework_watchdog_config_prop:s0 exact int
+framework_watchdog.fatal_window.second u:object_r:framework_watchdog_config_prop:s0 exact int
+
+gsm.operator.iso-country u:object_r:telephony_status_prop:s0 exact string
+gsm.sim.operator.iso-country u:object_r:telephony_status_prop:s0 exact string
+gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string
+persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
+
+ro.cdma.home.operator.alpha u:object_r:telephony_config_prop:s0 exact string
+ro.cdma.home.operator.numeric u:object_r:telephony_config_prop:s0 exact string
+ro.com.android.dataroaming u:object_r:telephony_config_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:telephony_config_prop:s0 exact bool
+ro.radio.noril u:object_r:telephony_config_prop:s0 exact string
+ro.telephony.call_ring.multiple u:object_r:telephony_config_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:telephony_config_prop:s0 exact int
+ro.telephony.default_network u:object_r:telephony_config_prop:s0 exact string
+ro.telephony.iwlan_operation_mode u:object_r:telephony_config_prop:s0 exact enum default legacy AP-assisted
+telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
+telephony.lteOnCdmaDevice u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
+
+# System locale list filter configuration
+ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
+
+# Graphics related properties
+ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+
+ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
+
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+
+# surfaceflinger-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
+
+# Disable/enable charger input
+power.battery_input.suspended u:object_r:power_debug_prop:s0 exact bool
+
+# zygote config property
+zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
+
+ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+
+# Broadcast boot stages, which keystore listens to
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+
+# Property that tracks keystore crash counts during a boot cycle.
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
+partition.system.verified u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
+partition.product.verified u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+
+partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+
+ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
+ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+
+setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
+
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
+
+# SOC related props
+ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
+ro.soc.model u:object_r:soc_prop:s0 exact string
+
+# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
+# to detect failures where hard linking should work otherwise
+persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
+
+# bootanimation properties
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
+
+# dck properties
+ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+###mediaserver 64 bit enable flag
+ro.mediaserver.64b.enable u:object_r:vendor_medsrv_set_64b:s0 exact bool
diff --git a/prebuilts/api/32.0/private/racoon.te b/prebuilts/api/32.0/private/racoon.te
new file mode 100644
index 000000000..42ea7c9e4
--- /dev/null
+++ b/prebuilts/api/32.0/private/racoon.te
@@ -0,0 +1,3 @@
+typeattribute racoon coredomain;
+
+init_daemon_domain(racoon)
diff --git a/prebuilts/api/32.0/private/radio.te b/prebuilts/api/32.0/private/radio.te
new file mode 100644
index 000000000..08365f05d
--- /dev/null
+++ b/prebuilts/api/32.0/private/radio.te
@@ -0,0 +1,36 @@
+typeattribute radio coredomain, mlstrustedsubject;
+
+app_domain(radio)
+
+read_runtime_log_tags(radio)
+
+# Property service
+set_prop(radio, radio_control_prop)
+set_prop(radio, radio_prop)
+set_prop(radio, net_radio_prop)
+set_prop(radio, telephony_status_prop)
+set_prop(radio, radio_cdma_ecm_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
+# Telephony code contains time / time zone detection logic so it reads the associated properties.
+get_prop(radio, time_prop)
+
+# allow telephony to access platform compat to log permission denials
+allow radio platform_compat_service:service_manager find;
+
+allow radio uce_service:service_manager find;
+
+# Manage /data/misc/emergencynumberdb
+allow radio emergency_data_file:dir r_dir_perms;
+allow radio emergency_data_file:file r_file_perms;
+
+# allow telephony to access related cache properties
+set_prop(radio, binder_cache_telephony_server_prop);
+neverallow { domain -radio -init }
+ binder_cache_telephony_server_prop:property_service set;
+
+# allow sending pulled atoms to statsd
+binder_call(radio, statsd)
+
diff --git a/prebuilts/api/32.0/private/recovery.te b/prebuilts/api/32.0/private/recovery.te
new file mode 100644
index 000000000..bba2a0db2
--- /dev/null
+++ b/prebuilts/api/32.0/private/recovery.te
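Review bot: `set_prop(radio, binder_cache_telephony_server_prop);` is the only macro invocation in radio.te that carries a trailing semicolon; the `set_prop`/`get_prop` macros emit their own statement terminators, so the stray `;` is noise and the line should read `set_prop(radio, binder_cache_telephony_server_prop)` like its neighbours. The `neverallow { domain -radio -init } binder_cache_telephony_server_prop:property_service set;` that follows it is the right guard for the new cache property and needs no change. Since this file lives under prebuilts/api/32.0, which as far as I can tell is a frozen copy of the private/ policy, the cleanup belongs in private/radio.te with the prebuilt refreshed from it rather than edited on its own.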
@@ -0,0 +1,49 @@
+typeattribute recovery coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ get_prop(recovery, ffs_config_prop)
+ set_prop(recovery, ffs_control_prop)
+
+ # Set sys.usb.config when switching into fastboot.
+ set_prop(recovery, usb_control_prop)
+ set_prop(recovery, usb_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
+ # Read storage properties (for correctly formatting filesystems)
+ get_prop(recovery, storage_config_prop)
+
+ set_prop(recovery, gsid_prop)
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Start snapuserd for merging VABC updates
+ set_prop(recovery, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow recovery snapuserd_socket:sock_file write;
+ allow recovery snapuserd:unix_stream_socket connectto;
+ allow recovery dm_user_device:dir r_dir_perms;
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
+
+ get_prop(recovery, recovery_config_prop)
+
+ # Needed to read bootconfig parameters through libfs_mgr
+ allow recovery proc_bootconfig:file r_file_perms;
+')
diff --git a/prebuilts/api/32.0/private/recovery_persist.te b/prebuilts/api/32.0/private/recovery_persist.te
new file mode 100644
index 000000000..7cb2e675a
--- /dev/null
+++ b/prebuilts/api/32.0/private/recovery_persist.te
@@ -0,0 +1,11 @@
+typeattribute recovery_persist coredomain;
+
+init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+neverallow recovery_persist {
+ file_type
+ -recovery_data_file
+ userdebug_or_eng(`-coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/32.0/private/recovery_refresh.te b/prebuilts/api/32.0/private/recovery_refresh.te
new file mode 100644
index 000000000..3c095cc26
--- /dev/null
+++ b/prebuilts/api/32.0/private/recovery_refresh.te
@@ -0,0 +1,10 @@
+typeattribute recovery_refresh coredomain;
+
+init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+neverallow recovery_refresh {
+ file_type
+ userdebug_or_eng(`-coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/32.0/private/remote_prov_app.te b/prebuilts/api/32.0/private/remote_prov_app.te
new file mode 100644
index 000000000..010c9bc3f
--- /dev/null
+++ b/prebuilts/api/32.0/private/remote_prov_app.te
@@ -0,0 +1,13 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+# The app needs access to properly build a DeviceInfo package for the verifying server
+get_prop(remote_prov_app, vendor_security_patch_level_prop)
+
+allow remote_prov_app {
+ app_api_service
+ remoteprovisioning_service
+}:service_manager find;
diff --git a/prebuilts/api/32.0/private/roles_decl b/prebuilts/api/32.0/private/roles_decl
new file mode 100644
index 000000000..c84fcba0f
--- /dev/null
+++ b/prebuilts/api/32.0/private/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/prebuilts/api/32.0/private/rs.te b/prebuilts/api/32.0/private/rs.te
new file mode 100644
index 000000000..268f0406b
--- /dev/null
+++ b/prebuilts/api/32.0/private/rs.te
@@ -0,0 +1,40 @@
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
+allow rs app_exec_data_file:file create_file_perms;
+type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
+
+# Follow /data/user/0 symlink
+allow rs system_data_file:lnk_file read;
+
+# Read files from the app home directory.
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
+
+# Cleanup app_exec_data_file files in the app home directory.
+allow rs { app_data_file privapp_data_file }:dir remove_name;
+
+# Use vendor resources
+allow rs vendor_file:dir r_dir_perms;
+r_dir_file(rs, vendor_overlay_file)
+r_dir_file(rs, vendor_app_file)
+
+# Read contents of app apks
+r_dir_file(rs, apk_data_file)
+
+allow rs gpu_device:chr_file rw_file_perms;
+allow rs ion_device:chr_file r_file_perms;
+allow rs same_process_hal_file:file { r_file_perms execute };
+
+# File descriptors passed from app to renderscript
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
+
+# rs can access app data, so ensure it can only be entered via an app domain and cannot have
+# CAP_DAC_OVERRIDE.
+neverallow rs rs:capability_class_set *;
+neverallow { domain -appdomain } rs:process { dyntransition transition };
+neverallow rs { domain -crash_dump }:process { dyntransition transition };
+neverallow rs app_data_file:file_class_set ~r_file_perms;
+# rs should never use network sockets
+neverallow rs *:network_socket_class_set *;
diff --git a/prebuilts/api/32.0/private/rss_hwm_reset.te b/prebuilts/api/32.0/private/rss_hwm_reset.te
new file mode 100644
index 000000000..30818c2fa
--- /dev/null
+++ b/prebuilts/api/32.0/private/rss_hwm_reset.te
@@ -0,0 +1,14 @@
+type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
+
+# Start rss_hwm_reset from init.
+init_daemon_domain(rss_hwm_reset)
+
+# Search /proc/pid directories.
+allow rss_hwm_reset domain:dir search;
+
+# Write to /proc/pid/clear_refs of other processes.
+# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
+allow rss_hwm_reset self:global_capability_class_set { dac_override };
+
+# Write to /prc/pid/clear_refs.
+allow rss_hwm_reset domain:file w_file_perms;
diff --git a/prebuilts/api/32.0/private/runas.te b/prebuilts/api/32.0/private/runas.te
new file mode 100644
index 000000000..ef31aac34
--- /dev/null
+++ b/prebuilts/api/32.0/private/runas.te
@@ -0,0 +1,4 @@
+typeattribute runas coredomain;
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/32.0/private/runas_app.te b/prebuilts/api/32.0/private/runas_app.te
new file mode 100644
index 000000000..c1b354a9a
--- /dev/null
+++ b/prebuilts/api/32.0/private/runas_app.te
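Review bot: The comment above the last rule in rss_hwm_reset.te has a typo, `# Write to /prc/pid/clear_refs.`, and should read `# Write to /proc/pid/clear_refs.`. While touching it, the comment understates the rule: `allow rss_hwm_reset domain:file w_file_perms;` targets every file labelled with a process domain, and since /proc/<pid> entries carry their process's domain label there is no narrower type that singles out clear_refs, so the grant covers all writable /proc/<pid> files of every domain; combined with the `dac_override` capability granted just above, that is worth stating explicitly, e.g. `# proc entries are labelled with the process domain, so this is wider than clear_refs alone.`. As this file sits under prebuilts/api/32.0, which appears to be a frozen copy of private/, the wording change should go to private/rss_hwm_reset.te and be mirrored here.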
@@ -0,0 +1,32 @@
+typeattribute runas_app coredomain;
+
+app_domain(runas_app)
+untrusted_app_domain(runas_app)
+net_domain(runas_app)
+bluetooth_domain(runas_app)
+
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
+# which are copied to the apps home directories.
+allow runas_app app_data_file:file execute_no_trans;
+
+# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
+r_dir_file(runas_app, untrusted_app_all)
+
+# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
+allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:unix_stream_socket connectto;
+
+# Allow executing system image simpleperf without a domain transition.
+allow runas_app simpleperf_exec:file rx_file_perms;
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective process, most of which this domain is not
+# allowed to see.
+dontaudit runas_app domain:dir search;
+
+# Allow runas_app to call perf_event_open for profiling debuggable app
+# processes, but not the whole system.
+allow runas_app self:perf_event { open read write kernel };
+neverallow runas_app self:perf_event ~{ open read write kernel };
diff --git a/prebuilts/api/32.0/private/sdcardd.te b/prebuilts/api/32.0/private/sdcardd.te
new file mode 100644
index 000000000..126d64349
--- /dev/null
+++ b/prebuilts/api/32.0/private/sdcardd.te
@@ -0,0 +1,3 @@
+typeattribute sdcardd coredomain;
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/32.0/private/seapp_contexts b/prebuilts/api/32.0/private/seapp_contexts
new file mode 100644
index 000000000..1d38fd926
--- /dev/null
+++ b/prebuilts/api/32.0/private/seapp_contexts
@@ -0,0 +1,177 @@
+# The entries in this file define how security contexts for apps are determined.
+# Each entry lists input selectors, used to match the app, and outputs which are
+# used to determine the security contexts for matching apps.
+#
+# Input selectors:
+# isSystemServer (boolean)
+# isEphemeralApp (boolean)
+# isOwner (boolean)
+# user (string)
+# seinfo (string)
+# name (string)
+# path (string)
+# isPrivApp (boolean)
+# minTargetSdkVersion (unsigned integer)
+# fromRunAs (boolean)
+#
+# All specified input selectors in an entry must match (i.e. logical AND).
+# An unspecified string or boolean selector with no default will match any
+# value.
+# A user, name, or path string selector that ends in * will perform a prefix
+# match.
+# String matching is case-insensitive.
+# See external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_lookup().
+#
+# isSystemServer=true only matches the system server.
+# An unspecified isSystemServer defaults to false.
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
+# isOwner=true will only match for the owner/primary user.
+# user=_app will match any regular app process.
+# user=_isolated will match any isolated service process.
+# Other values of user are matched against the name associated with the process
+# UID.
+# seinfo= matches aginst the seinfo tag for the app, determined from
+# mac_permissions.xml files.
+# The ':' character is reserved and may not be used in seinfo.
+# name= matches against the package name of the app.
+# path= matches against the directory path when labeling app directories.
+# isPrivApp=true will only match for applications preinstalled in
+# /system/priv-app.
+# minTargetSdkVersion will match applications with a targetSdkVersion
+# greater than or equal to the specified value. If unspecified,
+# it has a default value of 0.
+# fromRunAs=true means the process being labeled is started by run-as. Default
+# is false.
+#
+# Precedence: entries are compared using the following rules, in the order shown
+# (see external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_cmp()).
+# (1) isSystemServer=true before isSystemServer=false.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
+# boolean.
+# (3) Specified isOwner= before unspecified isOwner= boolean.
+# (4) Specified user= string before unspecified user= string;
+# more specific user= string before less specific user= string.
+# (5) Specified seinfo= string before unspecified seinfo= string.
+# (6) Specified name= string before unspecified name= string;
+# more specific name= string before less specific name= string.
+# (7) Specified path= string before unspecified path= string.
+# more specific name= string before less specific name= string.
+# (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (9) Higher value of minTargetSdkVersion= before lower value of
+# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
+# defaults to 0 if unspecified.
+# (10) fromRunAs=true before fromRunAs=false.
+# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
+# longer prefix is more specific than a shorter prefix.)
+# Apps are checked against entries in precedence order until the first match,
+# regardless of their order in this file.
+#
+# Duplicate entries, i.e. with identical input selectors, are not allowed.
+#
+# Outputs:
+# domain (string)
+# type (string)
+# levelFrom (string; one of none, all, app, or user)
+# level (string)
+#
+# domain= determines the label to be used for the app process; entries
+# without domain= are ignored for this purpose.
+# type= specifies the label to be used for the app data directory; entries
+# without type= are ignored for this purpose. The label specified must
+# have the app_data_file_type attribute.
+# levelFrom and level are used to determine the level (sensitivity + categories)
+# for MLS/MCS.
+# levelFrom=none omits the level.
+# levelFrom=app determines the level from the process UID.
+# levelFrom=user determines the level from the user ID.
+# levelFrom=all determines the level from both UID and user ID.
+#
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
+# level may be used to specify a fixed level for any UID.
+#
+# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
+# and levelFromUid=false is equivalent to levelFrom=none.
+#
+#
+# Neverallow Assertions
+# Additional compile time assertion checks for the rules in this file can be
+# added as well. The assertion
+# rules are lines beginning with the keyword neverallow. Full support for PCRE
+# regular expressions exists on all input and output selectors. Neverallow
+# rules are never output to the built seapp_contexts file. Like all keywords,
+# neverallows are case-insensitive. A neverallow is asserted when all key value
+# inputs are matched on a key value rule line.
+#
+
+# only the system server can be in system_server domain
+neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer="" domain=system_server
+
+# system domains should never be assigned outside of system uid
+neverallow user=((?!system).)* domain=system_app
+neverallow user=((?!system).)* type=system_app_data_file
+
+# any non priv-app with a non-known uid with a specified name should have a specified
+# seinfo
+neverallow user=_app isPrivApp=false name=.* seinfo=""
+neverallow user=_app isPrivApp=false name=.* seinfo=default
+
+# neverallow shared relro to any other domain
+# and neverallow any other uid into shared_relro
+neverallow user=shared_relro domain=((?!shared_relro).)*
+neverallow user=((?!shared_relro).)* domain=shared_relro
+
+# neverallow non-isolated uids into isolated_app domain
+# and vice versa
+neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=((?!_isolated).)* domain=isolated_app
+
+# uid shell should always be in shell domain, however non-shell
+# uid's can be in shell domain
+neverallow user=shell domain=((?!shell).)*
+
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
+
+isSystemServer=true domain=system_server_startup
+
+user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
+user=system seinfo=platform domain=system_app type=system_app_data_file
+user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
+user=radio seinfo=platform domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro levelFrom=all
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
+user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
+user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
+user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
+user=_app fromRunAs=true domain=runas_app levelFrom=user
diff --git a/prebuilts/api/32.0/private/secure_element.te b/prebuilts/api/32.0/private/secure_element.te
new file mode 100644
index 000000000..57f512bbd
--- /dev/null
+++ b/prebuilts/api/32.0/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
diff --git a/prebuilts/api/32.0/private/security_classes b/prebuilts/api/32.0/private/security_classes
new file mode 100644
index 000000000..200b030cc
--- /dev/null
+++ b/prebuilts/api/32.0/private/security_classes
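Review bot: The header comment of seapp_contexts has two wording defects: `# seinfo= matches aginst the seinfo tag for the app, determined from` (aginst → against), and under precedence rule (7) the second line `# more specific name= string before less specific name= string.` is a copy of the line under rule (6) and should read `# more specific path= string before less specific path= string.`, since (7) describes the path selector. Both are documentation only, but the precedence list is what engineers consult when working out why an app landed in the wrong domain, so the rule (7) line is worth correcting. As the file is a frozen 32.0 snapshot, fix it in the live private/seapp_contexts and refresh the prebuilt from there.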
@@ -0,0 +1,167 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key # userspace
+
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/prebuilts/api/32.0/private/service.te b/prebuilts/api/32.0/private/service.te
new file mode 100644
index 000000000..7f692f35c
--- /dev/null
+++ b/prebuilts/api/32.0/private/service.te
@@ -0,0 +1,12 @@
+type attention_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type gsi_service, service_manager_type;
+type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
+type profcollectd_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
+type stats_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
+type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+type tracingproxy_service, system_server_service, service_manager_type;
+type uce_service, service_manager_type;
diff --git a/prebuilts/api/32.0/private/service_contexts b/prebuilts/api/32.0/private/service_contexts
new file mode 100644
index 000000000..3fd342b9b
--- /dev/null
+++ b/prebuilts/api/32.0/private/service_contexts
@@ -0,0 +1,310 @@
+android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
+android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
+android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
+android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
+android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
+android.hardware.power.IPower/default u:object_r:hal_power_service:s0
+android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
+android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
+android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+
+accessibility u:object_r:accessibility_service:s0
+account u:object_r:account_service:s0
+activity u:object_r:activity_service:s0
+activity_task u:object_r:activity_task_service:s0
+adb u:object_r:adb_service:s0
+aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
+alarm u:object_r:alarm_service:s0
+android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.security.apc u:object_r:apc_service:s0
+android.security.authorization u:object_r:authorization_service:s0
+android.security.compat u:object_r:keystore_compat_hal_service:s0
+android.security.identity u:object_r:credstore_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+android.security.legacykeystore u:object_r:legacykeystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+app_binding u:object_r:app_binding_service:s0
+app_hibernation u:object_r:app_hibernation_service:s0
+app_integrity u:object_r:app_integrity_service:s0
+app_prediction u:object_r:app_prediction_service:s0
+app_search u:object_r:app_search_service:s0
+apexservice u:object_r:apex_service:s0
+blob_store u:object_r:blob_store_service:s0
+gsiservice u:object_r:gsi_service:s0
+appops u:object_r:appops_service:s0
+appwidget u:object_r:appwidget_service:s0
+assetatlas u:object_r:assetatlas_service:s0
+attention u:object_r:attention_service:s0
+audio u:object_r:audio_service:s0
+auth u:object_r:auth_service:s0
+autofill u:object_r:autofill_service:s0
+backup u:object_r:backup_service:s0
+batteryproperties u:object_r:batteryproperties_service:s0
+batterystats u:object_r:batterystats_service:s0
+battery u:object_r:battery_service:s0
+binder_calls_stats u:object_r:binder_calls_stats_service:s0
+biometric u:object_r:biometric_service:s0
+bluetooth_manager u:object_r:bluetooth_manager_service:s0
+bluetooth u:object_r:bluetooth_service:s0
+broadcastradio u:object_r:broadcastradio_service:s0
+bugreport u:object_r:bugreport_service:s0
+cacheinfo u:object_r:cacheinfo_service:s0
+carrier_config u:object_r:radio_service:s0
+clipboard u:object_r:clipboard_service:s0
+com.android.net.IProxyService u:object_r:IProxyService_service:s0
+android.system.virtmanager u:object_r:virtualization_service:s0
+companiondevice u:object_r:companion_device_service:s0
+platform_compat u:object_r:platform_compat_service:s0
+platform_compat_native u:object_r:platform_compat_service:s0
+connectivity u:object_r:connectivity_service:s0
+connmetrics u:object_r:connmetrics_service:s0
+consumer_ir u:object_r:consumer_ir_service:s0
+content u:object_r:content_service:s0
+content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
+contexthub u:object_r:contexthub_service:s0
+country_detector u:object_r:country_detector_service:s0
+coverage u:object_r:coverage_service:s0
+cpuinfo u:object_r:cpuinfo_service:s0
+crossprofileapps u:object_r:crossprofileapps_service:s0
+dataloader_manager u:object_r:dataloader_manager_service:s0
+dbinfo u:object_r:dbinfo_service:s0
+device_config u:object_r:device_config_service:s0
+device_policy u:object_r:device_policy_service:s0
+device_identifiers u:object_r:device_identifiers_service:s0
+deviceidle u:object_r:deviceidle_service:s0
+device_state u:object_r:device_state_service:s0
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+diskstats u:object_r:diskstats_service:s0
+display u:object_r:display_service:s0
+dnsresolver u:object_r:dnsresolver_service:s0
+domain_verification u:object_r:domain_verification_service:s0
+color_display u:object_r:color_display_service:s0
+netd_listener u:object_r:netd_listener_service:s0
+network_watchlist u:object_r:network_watchlist_service:s0
+DockObserver u:object_r:DockObserver_service:s0
+dreams u:object_r:dreams_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:dropbox_service:s0
+dumpstate u:object_r:dumpstate_service:s0
+dynamic_system u:object_r:dynamic_system_service:s0
+econtroller u:object_r:radio_service:s0
+emergency_affordance u:object_r:emergency_affordance_service:s0
+euicc_card_controller u:object_r:radio_service:s0
+external_vibrator_service u:object_r:external_vibrator_service:s0
+lowpan u:object_r:lowpan_service:s0
+ethernet u:object_r:ethernet_service:s0
+face u:object_r:face_service:s0
+file_integrity u:object_r:file_integrity_service:s0
+fingerprint u:object_r:fingerprint_service:s0
+font u:object_r:font_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+game u:object_r:game_service:s0
+gfxinfo u:object_r:gfxinfo_service:s0
+gnss_time_update_service u:object_r:gnss_time_update_service:s0
+graphicsstats u:object_r:graphicsstats_service:s0
+gpu u:object_r:gpu_service:s0
+hardware u:object_r:hardware_service:s0
+hardware_properties u:object_r:hardware_properties_service:s0
+hdmi_control u:object_r:hdmi_control_service:s0
+ions u:object_r:radio_service:s0
+idmap u:object_r:idmap_service:s0
+incident u:object_r:incident_service:s0
+incidentcompanion u:object_r:incidentcompanion_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:input_method_service:s0
+input u:object_r:input_service:s0
+installd u:object_r:installd_service:s0
+iorapd u:object_r:iorapd_service:s0
+iphonesubinfo_msim u:object_r:radio_service:s0
+iphonesubinfo2 u:object_r:radio_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+ims u:object_r:radio_service:s0
+imms u:object_r:imms_service:s0
+incremental u:object_r:incremental_service:s0
+ipsec u:object_r:ipsec_service:s0
+ircsmessage u:object_r:radio_service:s0
+iris u:object_r:iris_service:s0
+isms_msim u:object_r:radio_service:s0
+isms2 u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+isub u:object_r:radio_service:s0
+jobscheduler u:object_r:jobscheduler_service:s0
+launcherapps u:object_r:launcherapps_service:s0
+legacy_permission u:object_r:legacy_permission_service:s0
+lights u:object_r:light_service:s0
+location u:object_r:location_service:s0
+location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
+lock_settings u:object_r:lock_settings_service:s0
+looper_stats u:object_r:looper_stats_service:s0
+lpdump_service u:object_r:lpdump_service:s0
+media.aaudio u:object_r:audioserver_service:s0
+media.audio_flinger u:object_r:audioserver_service:s0
+media.audio_policy u:object_r:audioserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
+media.camera.proxy u:object_r:cameraproxy_service:s0
+media.log u:object_r:audioserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media.metrics u:object_r:mediametrics_service:s0
+media.extractor u:object_r:mediaextractor_service:s0
+media.transcoding u:object_r:mediatranscoding_service:s0
+media.resource_manager u:object_r:mediaserver_service:s0
+media.resource_observer u:object_r:mediaserver_service:s0
+media.sound_trigger_hw u:object_r:audioserver_service:s0
+media.drm u:object_r:mediadrmserver_service:s0
+media.tuner u:object_r:mediatuner_service:s0
+media_communication u:object_r:media_communication_service:s0
+media_metrics u:object_r:media_metrics_service:s0
+media_projection u:object_r:media_projection_service:s0
+media_resource_monitor u:object_r:media_session_service:s0
+media_router u:object_r:media_router_service:s0
+media_session u:object_r:media_session_service:s0
+meminfo u:object_r:meminfo_service:s0
+memtrack.proxy u:object_r:memtrackproxy_service:s0
+midi u:object_r:midi_service:s0
+mount u:object_r:mount_service:s0
+music_recognition u:object_r:music_recognition_service:s0
+netd u:object_r:netd_service:s0
+netpolicy u:object_r:netpolicy_service:s0
+netstats u:object_r:netstats_service:s0
+network_stack u:object_r:network_stack_service:s0
+network_management u:object_r:network_management_service:s0
+network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:notification_service:s0
+oem_lock u:object_r:oem_lock_service:s0
+otadexopt u:object_r:otadexopt_service:s0
+overlay u:object_r:overlay_service:s0
+pac_proxy u:object_r:pac_proxy_service:s0
+package u:object_r:package_service:s0
+package_native u:object_r:package_native_service:s0
+people u:object_r:people_service:s0
+performance_hint u:object_r:hint_service:s0
+permission u:object_r:permission_service:s0
+permissionmgr u:object_r:permissionmgr_service:s0
+permission_checker u:object_r:permission_checker_service:s0
+persistent_data_block u:object_r:persistent_data_block_service:s0
+phone_msim u:object_r:radio_service:s0
+phone1 u:object_r:radio_service:s0
+phone2 u:object_r:radio_service:s0
+phone u:object_r:radio_service:s0
+pinner u:object_r:pinner_service:s0
+powerstats u:object_r:powerstats_service:s0
+power u:object_r:power_service:s0
+print u:object_r:print_service:s0
+processinfo u:object_r:processinfo_service:s0
+procstats u:object_r:procstats_service:s0
+profcollectd u:object_r:profcollectd_service:s0
+radio.phonesubinfo u:object_r:radio_service:s0
+radio.phone u:object_r:radio_service:s0
+radio.sms u:object_r:radio_service:s0
+rcs u:object_r:radio_service:s0
+reboot_readiness u:object_r:reboot_readiness_service:s0
+recovery u:object_r:recovery_service:s0
+resolver u:object_r:resolver_service:s0
+restrictions u:object_r:restrictions_service:s0
+role u:object_r:role_service:s0
+rollback u:object_r:rollback_service:s0
+rttmanager u:object_r:rttmanager_service:s0
+runtime u:object_r:runtime_service:s0
+samplingprofiler u:object_r:samplingprofiler_service:s0
+scheduling_policy u:object_r:scheduling_policy_service:s0
+search u:object_r:search_service:s0
+search_ui u:object_r:search_ui_service:s0
+secure_element u:object_r:secure_element_service:s0
+sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+sensorservice u:object_r:sensorservice_service:s0
+sensor_privacy u:object_r:sensor_privacy_service:s0
+serial u:object_r:serial_service:s0
+servicediscovery u:object_r:servicediscovery_service:s0
+manager u:object_r:service_manager_service:s0
+settings u:object_r:settings_service:s0
+shortcut u:object_r:shortcut_service:s0
+simphonebook_msim u:object_r:radio_service:s0
+simphonebook2 u:object_r:radio_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+slice u:object_r:slice_service:s0
+smartspace u:object_r:smartspace_service:s0
+speech_recognition u:object_r:speech_recognition_service:s0
+stats u:object_r:stats_service:s0
+statscompanion u:object_r:statscompanion_service:s0
+statsmanager u:object_r:statsmanager_service:s0
+soundtrigger u:object_r:voiceinteraction_service:s0
+soundtrigger_middleware u:object_r:soundtrigger_middleware_service:s0
+statusbar u:object_r:statusbar_service:s0
+storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
+storagestats u:object_r:storagestats_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+suspend_control u:object_r:system_suspend_control_service:s0
+suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
+system_config u:object_r:system_config_service:s0
+system_server_dumper u:object_r:system_server_dumper_service:s0
+system_update u:object_r:system_update_service:s0
+task u:object_r:task_service:s0
+telecom u:object_r:telecom_service:s0
+telephony.registry u:object_r:registry_service:s0
+telephony_ims u:object_r:radio_service:s0
+testharness u:object_r:testharness_service:s0
+tethering u:object_r:tethering_service:s0
+textclassification u:object_r:textclassification_service:s0
+textservices u:object_r:textservices_service:s0
+texttospeech u:object_r:texttospeech_service:s0
+time_detector u:object_r:timedetector_service:s0
+time_zone_detector u:object_r:timezonedetector_service:s0
+timezone u:object_r:timezone_service:s0
+thermalservice u:object_r:thermal_service:s0
+tracing.proxy u:object_r:tracingproxy_service:s0
+translation u:object_r:translation_service:s0
+trust u:object_r:trust_service:s0
+tv_input u:object_r:tv_input_service:s0
+tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
+uce u:object_r:uce_service:s0
+uimode u:object_r:uimode_service:s0
+updatelock u:object_r:updatelock_service:s0
+uri_grants u:object_r:uri_grants_service:s0
+usagestats u:object_r:usagestats_service:s0
+usb u:object_r:usb_service:s0
+user u:object_r:user_service:s0
+uwb u:object_r:uwb_service:s0
+vcn_management u:object_r:vcn_management_service:s0
+vibrator u:object_r:vibrator_service:s0
+vibrator_manager u:object_r:vibrator_manager_service:s0
+virtual_touchpad u:object_r:virtual_touchpad_service:s0
+voiceinteraction u:object_r:voiceinteraction_service:s0
+vold u:object_r:vold_service:s0
+vpn_management u:object_r:vpn_management_service:s0
+vr_hwc u:object_r:vr_hwc_service:s0
+vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
+vrmanager u:object_r:vr_manager_service:s0
+wallpaper u:object_r:wallpaper_service:s0
+webviewupdate u:object_r:webviewupdate_service:s0
+wifip2p u:object_r:wifip2p_service:s0
+wifiscanner u:object_r:wifiscanner_service:s0
+wifi u:object_r:wifi_service:s0
+wifinl80211 u:object_r:wifinl80211_service:s0
+wifiaware u:object_r:wifiaware_service:s0
+wifirtt u:object_r:rttmanager_service:s0
+window u:object_r:window_service:s0
+* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/32.0/private/servicemanager.te b/prebuilts/api/32.0/private/servicemanager.te
new file mode 100644
index 000000000..629445204
--- /dev/null
+++ b/prebuilts/api/32.0/private/servicemanager.te
@@ -0,0 +1,7 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+read_runtime_log_tags(servicemanager)
+
+set_prop(servicemanager, ctl_interface_start_prop)
diff --git a/prebuilts/api/32.0/private/sgdisk.te b/prebuilts/api/32.0/private/sgdisk.te
new file mode 100644
index 000000000..a17342e01
--- /dev/null
+++ b/prebuilts/api/32.0/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/prebuilts/api/32.0/private/shared_relro.te b/prebuilts/api/32.0/private/shared_relro.te
new file mode 100644
index 000000000..31fdb8c91
--- /dev/null
+++ b/prebuilts/api/32.0/private/shared_relro.te
@@ -0,0 +1,15 @@
+typeattribute shared_relro coredomain;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
diff --git a/prebuilts/api/32.0/private/shell.te b/prebuilts/api/32.0/private/shell.te
new file mode 100644
index 000000000..ba9e972a1
--- /dev/null
+++ b/prebuilts/api/32.0/private/shell.te
@@ -0,0 +1,210 @@
+typeattribute shell coredomain, mlstrustedsubject;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow shell debugfs_tracing_debug:file rw_file_perms;
+')
+
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Control Perfetto traced and obtain traces from it.
+# Needed for Studio and debugging.
+unix_socket_connect(shell, traced_consumer, traced)
+
+# Allow shell binaries to write trace data to Perfetto. Used for testing and
+# cmdline utils.
+perfetto_producer(shell)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+# Allow to send SIGINT to perfetto when daemonized.
+allow shell perfetto:process signal;
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
+userdebug_or_eng(`
+ allow shell accessibility_trace_data_file:dir rw_dir_perms;
+ allow shell accessibility_trace_data_file:file { r_file_perms unlink };
+')
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file { r_file_perms unlink };
+# ... and /data/misc/perfetto-traces/bugreport/ .
+allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
+
+# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
+allow shell perfetto_configs_data_file:dir rw_dir_perms;
+allow shell perfetto_configs_data_file:file create_file_perms;
+
+# Allow shell to run adb shell cmd gpu commands.
+binder_call(shell, gpuservice);
+
+# Allow shell to use atrace HAL
+hal_client_domain(shell, hal_atrace)
+
+# For hostside tests such as CTS listening ports test.
+allow shell proc_net_tcp_udp:file r_file_perms;
+
+# The dl.exec_linker* tests need to execute /system/bin/linker
+# b/124789393
+allow shell system_linker_exec:file rx_file_perms;
+
+# Renderscript host side tests depend on being able to execute
+# /system/bin/bcc (b/126388046)
+allow shell rs_exec:file rx_file_perms;
+
+# Allow (host-driven) ART run-tests to execute dex2oat, in order to
+# check ART's compiler.
+allow shell dex2oat_exec:file rx_file_perms;
+
+# Allow shell to start and comminicate with lpdumpd.
+set_prop(shell, lpdumpd_prop);
+binder_call(shell, lpdumpd)
+
+# Allow shell to set and read value of properties used for CTS tests of
+# userspace reboot
+set_prop(shell, userspace_reboot_test_prop)
+
+# Allow shell to set this property used for rollback tests
+set_prop(shell, rollback_test_prop)
+
+# Allow shell to get encryption policy of /data/local/tmp/, for CTS
+allowxperm shell shell_data_file:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_GET_ENCRYPTION_POLICY_EX
+};
+
+# Allow shell to execute simpleperf without a domain transition.
+allow shell simpleperf_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ # Allow shell to execute profcollectctl without a domain transition.
+ allow shell profcollectd_exec:file rx_file_perms;
+
+ # Allow shell to read profcollectd data files.
+ r_dir_file(shell, profcollectd_data_file)
+
+ # Allow to issue control commands to profcollectd binder service.
+ allow shell profcollectd:binder call;
+')
+
+# Allow shell to call perf_event_open for profiling other shell processes, but
+# not the whole system.
+allow shell self:perf_event { open read write kernel };
+neverallow shell self:perf_event ~{ open read write kernel };
+
+# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
+allow shell apex_info_file:file r_file_perms;
+allow shell vendor_apex_file:file r_file_perms;
+allow shell vendor_apex_file:dir r_dir_perms;
+
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, perf_drop_caches_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
+# property.
+set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
+# Allow shell to read boot image timestamps and fingerprints.
+get_prop(shell, build_bootimage_prop)
+
+userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
+allow shell keystore2_key_contexts_file:file r_file_perms;
+
+# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
+allow shell shell_key:keystore2_key { delete rebind use get_info update };
+
+# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
+set_prop(shell, sqlite_log_prop)
+
+# Allow shell to write MTE properties even on user builds.
+set_prop(shell, arm64_memtag_prop)
+
+# Allow shell to read the dm-verity props on user builds.
+get_prop(shell, verity_status_prop)
+
+# Allow shell to read Virtual A/B related properties
+get_prop(shell, virtual_ab_prop)
+
+# Never allow others to set or get the perf.drop_caches property.
+neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
+neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+
+# Allow ReadDefaultFstab() for CTS.
+read_fstab(shell)
+
+# Allow shell read access to /apex/apex-info-list.xml for CTS.
+allow shell apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/32.0/private/simpleperf.te b/prebuilts/api/32.0/private/simpleperf.te
new file mode 100644
index 000000000..0639c1136
--- /dev/null
+++ b/prebuilts/api/32.0/private/simpleperf.te
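Review bot: `allow shell apex_info_file:file r_file_perms;` is granted twice in this hunk, once under the "/apex/apex-info-list.xml and the vendor apexes" comment and again as the last rule of the file, so the second rule is redundant and only adds noise to future diffs. The same hunk also carries the typo `comminicate` in the lpdumpd comment. Since this file sits under prebuilts/api/32.0 and presumably mirrors the policy it was snapshotted from, the duplicate and the typo should be cleaned up in the source policy and the prebuilt regenerated rather than edited here.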
@@ -0,0 +1,37 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf untrusted_app_all:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, untrusted_app_all)
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };
diff --git a/prebuilts/api/32.0/private/simpleperf_app_runner.te b/prebuilts/api/32.0/private/simpleperf_app_runner.te
new file mode 100644
index 000000000..850182605
--- /dev/null
+++ b/prebuilts/api/32.0/private/simpleperf_app_runner.te
@@ -0,0 +1,3 @@
+typeattribute simpleperf_app_runner coredomain;
+
+domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
diff --git a/prebuilts/api/32.0/private/slideshow.te b/prebuilts/api/32.0/private/slideshow.te
new file mode 100644
index 000000000..7dfa994ea
--- /dev/null
+++ b/prebuilts/api/32.0/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/prebuilts/api/32.0/private/snapshotctl.te b/prebuilts/api/32.0/private/snapshotctl.te
new file mode 100644
index 000000000..fb2bbcae7
--- /dev/null
+++ b/prebuilts/api/32.0/private/snapshotctl.te
@@ -0,0 +1,45 @@
+type snapshotctl, domain, coredomain;
+type snapshotctl_exec, system_file_type, exec_type, file_type;
+
+# Allow init to run snapshotctl and do auto domain transfer.
+init_daemon_domain(snapshotctl);
+
+# Allow to start gsid service.
+set_prop(snapshotctl, ctl_gsid_prop)
+
+# Allow to talk to gsid.
+binder_use(snapshotctl)
+allow snapshotctl gsi_service:service_manager find;
+binder_call(snapshotctl, gsid)
+
+# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
+allow snapshotctl metadata_file:dir search;
+allow snapshotctl ota_metadata_file:dir rw_dir_perms;
+allow snapshotctl ota_metadata_file:file create_file_perms;
+
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(snapshotctl, sysfs_dt_firmware_android);
+allow snapshotctl proc_cmdline:file r_file_perms;
+
+# Needed to (re-)map logical partitions.
+allow snapshotctl block_device:dir r_dir_perms;
+allow snapshotctl super_block_device:blk_file r_file_perms;
+
+# Interact with device-mapper to collapse snapshots.
+allow snapshotctl dm_device:chr_file rw_file_perms;
+
+# Needed to mutate device-mapper nodes.
+allow snapshotctl self:global_capability_class_set sys_admin;
+
+# Snapshotctl talk to boot control HAL to set merge status.
+hwbinder_use(snapshotctl)
+hal_client_domain(snapshotctl, hal_bootctl)
+
+# Allow snapshotctl to write to statsd socket.
+unix_socket_send(snapshotctl, statsdw, statsd)
+
+# Logging
+userdebug_or_eng(`
+ allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
+ allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/prebuilts/api/32.0/private/snapuserd.te b/prebuilts/api/32.0/private/snapuserd.te
new file mode 100644
index 000000000..d96b31e05
--- /dev/null
+++ b/prebuilts/api/32.0/private/snapuserd.te
@@ -0,0 +1,26 @@
+# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
+
+typeattribute snapuserd coredomain;
+
+init_daemon_domain(snapuserd)
+
+allow snapuserd kmsg_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
+allow snapuserd block_device:dir r_dir_perms;
+allow snapuserd dm_device:chr_file rw_file_perms;
+allow snapuserd dm_device:blk_file rw_file_perms;
+
+# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
+allow snapuserd dm_user_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/socket/snapuserd.
+allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+
+# This arises due to first-stage init opening /dev/null without F_CLOEXEC
+# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
+# again, the descriptor leaks into the new process.
+allow snapuserd kernel:fd use;
diff --git a/prebuilts/api/32.0/private/stats.te b/prebuilts/api/32.0/private/stats.te
new file mode 100644
index 000000000..db29072df
--- /dev/null
+++ b/prebuilts/api/32.0/private/stats.te
@@ -0,0 +1,57 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, system_file_type, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+###
+### neverallow rules
+###
+
+neverallow {
+ domain
+ -dumpstate
+ -gmscore_app
+ -gpuservice
+ -incidentd
+ -keystore
+ -mediametrics
+ -platform_app
+ -priv_app
+ -shell
+ -stats
+ -statsd
+ -surfaceflinger
+ -system_app
+ -system_server
+ -traceur_app
+} stats_service:service_manager find;
diff --git a/prebuilts/api/32.0/private/statsd.te b/prebuilts/api/32.0/private/statsd.te
new file mode 100644
index 000000000..444d82e3c
--- /dev/null
+++ b/prebuilts/api/32.0/private/statsd.te
@@ -0,0 +1,27 @@
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ statscompanion_service
+}:service_manager find;
+
+# Allow incidentd to obtain the statsd incident section.
+allow statsd incidentd:fifo_file write;
+
+# Allow StatsCompanionService to pipe data to statsd.
+allow statsd system_server:fifo_file { read getattr };
+
+# Allow statsd to retrieve SF statistics over binder
+binder_call(statsd, surfaceflinger);
+
+# Allow statsd to read its system properties
+get_prop(statsd, device_config_statsd_native_prop)
+get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/prebuilts/api/32.0/private/storaged.te b/prebuilts/api/32.0/private/storaged.te
new file mode 100644
index 000000000..bb39e5b73
--- /dev/null
+++ b/prebuilts/api/32.0/private/storaged.te
@@ -0,0 +1,69 @@
+# storaged daemon
+type storaged, domain, coredomain, mlstrustedsubject;
+type storaged_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(storaged)
+
+# Read access to pseudo filesystems
+r_dir_file(storaged, domain)
+
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+allow storaged packages_list_file:file r_file_perms;
+
+# Store storaged proto file
+allow storaged storaged_data_file:dir rw_dir_perms;
+allow storaged storaged_data_file:file create_file_perms;
+
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
+')
+
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+# Remove after no logs are seen for this rule.
+userdebug_or_eng(`
+ auditallow storaged priv_app:fd use;
+')
+allow storaged gmscore_app:fd use;
+allow storaged { privapp_data_file app_data_file }:file write;
+allow storaged permission_service:service_manager find;
+
+# Binder permissions
+add_service(storaged, storaged_service)
+
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+hal_client_domain(storaged, hal_health)
+
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
+# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+# running as root. See b/35323867 #3.
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
+
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
+neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/32.0/private/su.te b/prebuilts/api/32.0/private/su.te
new file mode 100644
index 000000000..587f449fb
--- /dev/null
+++ b/prebuilts/api/32.0/private/su.te
@@ -0,0 +1,30 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+ # Put the odrefresh command into its domain.
+ domain_auto_trans(su, odrefresh_exec, odrefresh)
+
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
+')
diff --git a/prebuilts/api/32.0/private/surfaceflinger.te b/prebuilts/api/32.0/private/surfaceflinger.te
new file mode 100644
index 000000000..7a92bd485
--- /dev/null
+++ b/prebuilts/api/32.0/private/surfaceflinger.te
@@ -0,0 +1,148 @@
+# surfaceflinger - display compositor service
+
+typeattribute surfaceflinger coredomain;
+
+type surfaceflinger_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(surfaceflinger)
+tmpfs_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
+typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
+hal_client_domain(surfaceflinger, hal_omx)
+hal_client_domain(surfaceflinger, hal_configstore)
+hal_client_domain(surfaceflinger, hal_power)
+hal_client_domain(surfaceflinger, hal_bufferhub)
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, bootanim_system_prop)
+set_prop(surfaceflinger, exported_system_prop)
+set_prop(surfaceflinger, exported3_system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
+
+# Get properties.
+get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
+
+# Allow writing surface traces to /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
+ allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
+')
+
+# Needed to register as a Perfetto producer.
+perfetto_producer(surfaceflinger)
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# media.player service
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+add_service(surfaceflinger, vrflinger_vsync_service)
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+allow surfaceflinger inputflinger_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:global_capability_class_set sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger system_server:unix_stream_socket { read write };
+allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+
+# Allow supplying timestats statistics to statsd
+allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
+binder_call(surfaceflinger, statsd);
+
+# Allow pushing jank event atoms to statsd
+userdebug_or_eng(`
+ unix_socket_send(surfaceflinger, statsdw, statsd)
+')
+
+# Surfaceflinger should not be reading default vendor-defined properties.
+dontaudit surfaceflinger vendor_default_prop:file read;
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger sdcard_type:file rw_file_perms;
+
+# b/68864350
+dontaudit surfaceflinger unlabeled:dir search;
diff --git a/prebuilts/api/32.0/private/system_app.te b/prebuilts/api/32.0/private/system_app.te
new file mode 100644
index 000000000..239686e67
--- /dev/null
+++ b/prebuilts/api/32.0/private/system_app.te
@@ -0,0 +1,188 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app coredomain, mlstrustedsubject;
+
+app_domain(system_app)
+net_domain(system_app)
+binder_service(system_app)
+
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Read and write to /data/misc/user.
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
+
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
+# Write to properties
+set_prop(system_app, bluetooth_a2dp_offload_prop)
+set_prop(system_app, bluetooth_audio_hal_prop)
+set_prop(system_app, bluetooth_prop)
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, exported_bluetooth_prop)
+set_prop(system_app, exported_system_prop)
+set_prop(system_app, exported3_system_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, usb_control_prop)
+set_prop(system_app, usb_prop)
+set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app usb_control_prop:property_service set;
+auditallow system_app usb_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)
+
+# ctl interface
+set_prop(system_app, ctl_default_prop)
+set_prop(system_app, ctl_bugreport_prop)
+
+# Allow developer settings to query gsid status
+get_prop(system_app, gsid_prop)
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
+
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
+# Allow system app to interact with Dumpstate HAL
+hal_client_domain(system_app, hal_dumpstate)
+
+allow system_app servicemanager:service_manager list;
+# TODO: scope this down? Too broad?
+allow system_app {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -dumpstate_service
+ -installd_service
+ -iorapd_service
+ -lpdump_service
+ -netd_service
+ -system_suspend_control_internal_service
+ -system_suspend_control_service
+ -tracingproxy_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ -default_android_service
+}:service_manager find;
+# suppress denials for services system_app should not be accessing.
+dontaudit system_app {
+ dnsresolver_service
+ dumpstate_service
+ installd_service
+ iorapd_service
+ netd_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
+# suppress denials caused by debugfs_tracing
+dontaudit system_app debugfs_tracing:file rw_file_perms;
+
+allow system_app keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ user_changed
+};
+
+allow system_app keystore:keystore2_key {
+ delete
+ get_info
+ grant
+ rebind
+ update
+ use
+};
+
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+# settings app reads /proc/version
+allow system_app {
+ proc_version
+}:file r_file_perms;
+
+# Settings app writes to /dev/stune/foreground/tasks.
+allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
+
+control_logd(system_app)
+read_runtime_log_tags(system_app)
+get_prop(system_app, device_logging_prop)
+
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# Settings app reads ro.oem_unlock_supported
+get_prop(system_app, oem_unlock_prop)
+
+# Allow system apps to act as Perfetto producers.
+perfetto_producer(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
+
+# Apps which run as UID=system should not rely on any attacker controlled
+# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
+# allow writes to files passed by file descriptor to support dumpstate and
+# bug reports, but not reads.
+neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
+neverallow system_app shell_data_file:file { open read ioctl lock };
diff --git a/prebuilts/api/32.0/private/system_server.te b/prebuilts/api/32.0/private/system_server.te
new file mode 100644
index 000000000..82b2a1f06
--- /dev/null
+++ b/prebuilts/api/32.0/private/system_server.te
@@ -0,0 +1,1413 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+
+typeattribute system_server coredomain;
+typeattribute system_server mlstrustedsubject;
+typeattribute system_server scheduler_service_server;
+typeattribute system_server sensor_service_server;
+typeattribute system_server stats_service_server;
+
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
+userfaultfd_use(system_server)
+
+# Create a socket for connections from crash_dump.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
+allow system_server zygote_tmpfs:file read;
+allow system_server appdomain_tmpfs:file { getattr map read write };
+
+# For Incremental Service to check if incfs is available
+allow system_server proc_filesystems:file r_file_perms;
+
+# To create files, get permission to fill blocks, and configure Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl {
+ INCFS_IOCTL_CREATE_FILE
+ INCFS_IOCTL_CREATE_MAPPED_FILE
+ INCFS_IOCTL_PERMIT_FILL
+ INCFS_IOCTL_GET_READ_TIMEOUTS
+ INCFS_IOCTL_SET_READ_TIMEOUTS
+ INCFS_IOCTL_GET_LAST_READ_ERROR
+};
+
+# To get signature of an APK installed on Incremental File System, and fill in data
+# blocks and get the filesystem state
+allowxperm system_server apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_COMPRESS_BLOCKS
+ F2FS_IOC_COMPRESS_FILE
+ F2FS_IOC_DECOMPRESS_FILE
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ F2FS_IOC_RESERVE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+ FS_IOC_GETFLAGS
+};
+
+allowxperm system_server
apk_tmp_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
+};
+
+# For Incremental Service to check incfs metrics
+allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+
+# For f2fs-compression support
+allow system_server sysfs_fs_f2fs:dir r_dir_perms;
+allow system_server sysfs_fs_f2fs:file r_file_perms;
+
+# For art.
+allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
+
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
+
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+
+# May kill zygote on crashes.
+allow system_server {
+ app_zygote
+ crash_dump
+ webview_zygote
+ zygote
+}:process { sigkill signull };
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+# in addition to ioctls allowlisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+bluetooth_domain(system_server)
+
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets.
Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values allowlisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:global_capability_class_set {
+ ipc_lock
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_nice
+ sys_ptrace
+ sys_time
+ sys_tty_config
+};
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Allow alarmtimers to be set
+allow system_server self:global_capability2_class_set wake_alarm;
+
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
+# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
+allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
+# Use generic "sockets" where the address family is not known
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# allowlisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
+
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
+# Kill apps.
+allow system_server appdomain:process { getpgid sigkill signal };
+# signull allowed for kill(pid, 0) existence test.
+allow system_server appdomain:process { signull };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
+allow system_server hal_omx_server:process { getsched setsched };
+allow system_server mediaswcodec:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete this line b/131761776
+allow system_server kernel:process { getsched setsched };
+
+# Allow system_server to write to /proc/<pid>/*
+allow system_server domain:file w_file_perms;
+
+# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
+# within system_server to keep track of memory and CPU usage for
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
+r_dir_file(system_server, domain)
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
+# Read /sys/kernel/debug/wakeup_sources.
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
+
+# Read /sys/kernel/ion/*.
+allow system_server sysfs_ion:file r_file_perms;
+
+# Read /sys/kernel/dma_heap/*.
+allow system_server sysfs_dma_heap:file r_file_perms;
+
+# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
+allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
+allow system_server sysfs_dmabuf_stats:file r_file_perms;
+
+# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
+# for dumpsys meminfo
+allow system_server dmabuf_heap_device:dir r_dir_perms;
+
+# Allow reading /proc/vmstat for the oom kill count
+allow system_server proc_vmstat:file r_file_perms;
+
+# The DhcpClient and WifiWatchdog use packet_sockets
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_connect(system_server, uncrypt, uncrypt)
+
+# Allow system_server to write to statsd.
+unix_socket_send(system_server, statsdw, statsd)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+allow system_server gpuservice:unix_stream_socket { read write setopt };
+
+# Communicate over a socket created by webview_zygote.
+allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+
+# Communicate over a socket created by app_zygote.
+allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
+
+# Perform Binder IPC.
+binder_use(system_server)
+binder_call(system_server, appdomain)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, gpuservice)
+binder_call(system_server, idmap)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
+binder_call(system_server, iorapd)
+binder_call(system_server, netd)
+userdebug_or_eng(`binder_call(system_server, profcollectd)')
+binder_call(system_server, statsd)
+binder_call(system_server, storaged)
+binder_call(system_server, update_engine)
+binder_call(system_server, vold)
+binder_call(system_server, wificond)
+binder_call(system_server, wpantund)
+binder_service(system_server)
+
+# Use HALs
+hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_audio)
+hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
+hal_client_domain(system_server, hal_configstore)
+hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_face)
+hal_client_domain(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_gnss)
+hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_health)
+hal_client_domain(system_server, hal_input_classifier)
+hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_neuralnetworks)
+hal_client_domain(system_server, hal_oemlock)
+hal_client_domain(system_server, hal_omx)
+hal_client_domain(system_server, hal_power)
+hal_client_domain(system_server, hal_power_stats)
+hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_tetheroffload)
+hal_client_domain(system_server,
hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
+hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb_gadget)
+hal_client_domain(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
+hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
+hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+allow system_server same_process_hal_file:file { execute read open getattr map };
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+allow system_server servicemanager:service_manager list;
+
+# Send signals to trigger ANR traces.
+allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ audioserver
+ cameraserver
+ drmserver
+ gpuservice
+ inputflinger
+ keystore
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ mediaswcodec
+ mediatranscoding
+ mediatuner
+ netd
+ sdcardd
+ statsd
+ surfaceflinger
+ vold
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+# frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_codec2_server
+ hal_face_server
+ hal_fingerprint_server
+ hal_gnss_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_light_server
+ hal_neuralnetworks_server
+ hal_omx_server
+ hal_power_stats_server
+ hal_sensors_server
+ hal_vr_server
+ system_suspend_server
+}:process { signal };
+
+# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+allow system_server sysfs_type:dir search;
+
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+allow system_server sysfs_extcon:dir r_dir_perms;
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+allow system_server sysfs_power:dir search;
+allow system_server sysfs_power:file rw_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
+
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+
+# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+
+# Manage data/ota_package
+allow system_server ota_package_file:dir rw_dir_perms;
+allow system_server ota_package_file:file create_file_perms;
+
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server packages_list_file:file create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_tmp_file:dir create_dir_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Access input configuration files in the /vendor directory
+r_dir_file(system_server, vendor_keylayout_file)
+r_dir_file(system_server, vendor_keychars_file)
+r_dir_file(system_server, vendor_idc_file)
+
+# Access /vendor/{app,framework,overlay}
+r_dir_file(system_server, vendor_app_file)
+r_dir_file(system_server, vendor_framework_file)
+r_dir_file(system_server, vendor_overlay_file)
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture and incidentd during incident collection.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+allow system_server incidentd:fifo_file append;
+# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
+userdebug_or_eng(`
+ allow system_server su:fifo_file append;
+')
+
+# Allow system_server to read pipes from incidentd (used to deliver incident reports
+# to dropbox)
+allow system_server incidentd:fifo_file read;
+
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
+# Manage /data/misc/prereboot.
+allow system_server prereboot_data_file:dir rw_dir_perms;
+allow system_server prereboot_data_file:file create_file_perms;
+
+# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto:fd use;
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Write to /data/system/dropbox
+allow system_server dropbox_data_file:dir create_dir_perms;
+allow system_server dropbox_data_file:file create_file_perms;
+
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/appcompat.
+allow system_server appcompat_data_file:dir rw_dir_perms;
+allow system_server appcompat_data_file:file create_file_perms;
+
+# Manage /data/misc/emergencynumberdb
+allow system_server emergency_data_file:dir create_dir_perms;
+allow system_server emergency_data_file:file create_file_perms;
+
+# Manage /data/misc/network_watchlist
+allow system_server network_watchlist_data_file:dir create_dir_perms;
+allow system_server network_watchlist_data_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
+# Allow write access to be able to truncate tombstones.
+allow system_server tombstone_data_file:file write;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Manage /data/app-staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
+
+# Manage /data/rollback.
+allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
+
+# Walk /data/data subdirectories.
+allow system_server app_data_file_type:dir { getattr read search };
+
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+allow system_server app_data_file_type:file { getattr read write append map };
+
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
+# Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
+allow system_server media_rw_data_file:file { getattr read write append };
+
+# System server needs to setfscreate to packages_list_file when writing
+# /data/system/packages.list
+allow system_server system_server:process setfscreate;
+
+# Relabel apk files.
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+# Allow PackageManager to:
+# 1. rename file from /data/app-staging folder to /data/app
+# 2. relabel files (linked to /data/rollback) under /data/app-staging
+# during staged apk/apex install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
+# server_configurable_flags_data_file is used for storing server configurable flags which
+# have been reset during current booting. system_server needs to read the data to perform related
+# disaster recovery actions.
+allow system_server server_configurable_flags_data_file:dir r_dir_perms;
+allow system_server server_configurable_flags_data_file:file r_file_perms;
+
+# Property Service write
+set_prop(system_server, system_prop)
+set_prop(system_server, bootanim_system_prop)
+set_prop(system_server, exported_system_prop)
+set_prop(system_server, exported3_system_prop)
+set_prop(system_server, safemode_prop)
+set_prop(system_server, theme_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_connectivity_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
+set_prop(system_server, usb_control_prop)
+set_prop(system_server, usb_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
+set_prop(system_server, device_logging_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
+set_prop(system_server, exported_overlay_prop)
+set_prop(system_server, pm_prop)
+set_prop(system_server, exported_pm_prop)
+set_prop(system_server, socket_hook_prop)
+set_prop(system_server, audio_prop)
+set_prop(system_server, boot_status_prop)
+set_prop(system_server, surfaceflinger_color_prop)
+set_prop(system_server, provisioned_prop)
+set_prop(system_server, retaildemo_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+
+# ctl interface
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_bugreport_prop)
+set_prop(system_server, ctl_gsid_prop)
+
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
+# server configurable flags properties
+set_prop(system_server, device_config_input_native_boot_prop)
+set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_activity_manager_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_prop)
+set_prop(system_server,
device_config_lmkd_native_prop)
+set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_profcollect_native_boot_prop)
+set_prop(system_server, device_config_statsd_native_prop)
+set_prop(system_server, device_config_statsd_native_boot_prop)
+set_prop(system_server, device_config_storage_native_boot_prop)
+set_prop(system_server, device_config_swcodec_native_prop)
+set_prop(system_server, device_config_sys_traced_prop)
+set_prop(system_server, device_config_window_manager_native_boot_prop)
+set_prop(system_server, device_config_configuration_prop)
+set_prop(system_server, device_config_connectivity_prop)
+
+
+# Allow query ART device config properties
+get_prop(system_server, device_config_runtime_native_boot_prop)
+get_prop(system_server, device_config_runtime_native_prop)
+
+# BootReceiver to read ro.boot.bootreason
+get_prop(system_server, bootloader_boot_reason_prop)
+# PowerManager to read sys.boot.reason
+get_prop(system_server, system_boot_reason_prop)
+
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
+# Audio service in system server can read audio config properties,
+# such as camera shutter enforcement
+get_prop(system_server, audio_config_prop)
+
+# system server reads this property to keep track of whether server configurable flags have been
+# reset during current boot.
+get_prop(system_server, device_config_reset_performed_prop)
+
+# Read/write the property that enables Test Harness Mode
+set_prop(system_server, test_harness_prop)
+
+# Read gsid.image_running.
+get_prop(system_server, gsid_prop)
+
+# Read the property that mocks an OTA
+get_prop(system_server, mock_ota_prop)
+
+# Read the property as feature flag for protecting apks with fs-verity.
+get_prop(system_server, apk_verity_prop)
+
+# Read wifi.interface
+get_prop(system_server, wifi_prop)
+
+# Read the vendor property that indicates if Incremental features is enabled
+get_prop(system_server, incremental_prop)
+
+# Read ro.zram. properties
+get_prop(system_server, zram_config_prop)
+
+# Read/write persist.sys.zram_enabled
+set_prop(system_server, zram_control_prop)
+
+# Read/write persist.sys.dalvik.vm.lib.2
+set_prop(system_server, dalvik_runtime_prop)
+
+# Read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(system_server, packagemanager_config_prop)
+
+# Read the net.464xlat.cellular.enabled property (written by init).
+get_prop(system_server, net_464xlat_fromvendor_prop)
+
+# Create a socket for connections from debuggerd.
+allow system_server system_ndebug_socket:sock_file create_file_perms;
+
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
+
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
+
+# ART locks profile files.
+allow system_server system_file:file lock;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
+allow system_server cache_backup_file:file create_file_perms;
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Read from log daemon.
+read_logd(system_server)
+read_runtime_log_tags(system_server)
+
+# Be consistent with DAC permissions.
Allow system_server to write to +# /sys/module/lowmemorykiller/parameters/adj +# /sys/module/lowmemorykiller/parameters/minfree +allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; + +# Read /sys/fs/pstore/console-ramoops +# Don't worry about overly broad permissions for now, as there's +# only one file in /sys/fs/pstore +allow system_server pstorefs:dir r_dir_perms; +allow system_server pstorefs:file r_file_perms; + +# /sys access +allow system_server sysfs_zram:dir search; +allow system_server sysfs_zram:file rw_file_perms; + +add_service(system_server, system_server_service); +allow system_server audioserver_service:service_manager find; +allow system_server authorization_service:service_manager find; +allow system_server batteryproperties_service:service_manager find; +allow system_server cameraserver_service:service_manager find; +allow system_server dataloader_manager_service:service_manager find; +allow system_server dnsresolver_service:service_manager find; +allow system_server drmserver_service:service_manager find; +allow system_server dumpstate_service:service_manager find; +allow system_server fingerprintd_service:service_manager find; +allow system_server gatekeeper_service:service_manager find; +allow system_server gpu_service:service_manager find; +allow system_server gsi_service:service_manager find; +allow system_server idmap_service:service_manager find; +allow system_server incident_service:service_manager find; +allow system_server incremental_service:service_manager find; +allow system_server installd_service:service_manager find; +allow system_server iorapd_service:service_manager find; +allow system_server keystore_maintenance_service:service_manager find; +allow system_server keystore_metrics_service:service_manager find; +allow system_server keystore_service:service_manager find; +allow system_server mediaserver_service:service_manager find; +allow system_server mediametrics_service:service_manager find; +allow 
system_server mediaextractor_service:service_manager find; +allow system_server mediadrmserver_service:service_manager find; +allow system_server mediatuner_service:service_manager find; +allow system_server netd_service:service_manager find; +allow system_server nfc_service:service_manager find; +allow system_server radio_service:service_manager find; +allow system_server stats_service:service_manager find; +allow system_server storaged_service:service_manager find; +allow system_server surfaceflinger_service:service_manager find; +allow system_server update_engine_service:service_manager find; +allow system_server vold_service:service_manager find; +allow system_server wifinl80211_service:service_manager find; +userdebug_or_eng(` + allow system_server profcollectd_service:service_manager find; +') + +add_service(system_server, batteryproperties_service) + +allow system_server keystore:keystore_key { + get_state + get + insert + delete + exist + list + reset + password + lock + unlock + is_empty + sign + verify + grant + duplicate + clear_uid + add_auth + user_changed +}; + +allow system_server keystore:keystore2 { + add_auth + change_password + change_user + clear_ns + clear_uid + get_state + lock + pull_metrics + reset + unlock +}; + +allow system_server keystore:keystore2_key { + delete + use_dev_id + grant + get_info + rebind + update + use +}; + +# Allow Wifi module to manage Wi-Fi keys. +allow system_server wifi_key:keystore2_key { + delete + get_info + rebind + update + use +}; + +# Allow lock_settings service to manage RoR keys. +allow system_server resume_on_reboot_key:keystore2_key { + delete + get_info + rebind + update + use +}; + +# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key). +allow system_server locksettings_key:keystore2_key { + delete + get_info + rebind + update + use +}; + + +# Allow system server to search and write to the persistent factory reset +# protection partition. 
This block device does not get wiped in a factory reset. +allow system_server block_device:dir search; +allow system_server frp_block_device:blk_file rw_file_perms; +allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD }; + +# Create new process groups and clean up old cgroups +allow system_server cgroup:dir { remove_name rmdir }; +allow system_server cgroup_v2:dir create_dir_perms; +allow system_server cgroup_v2:file { r_file_perms setattr }; + +# /oem access +r_dir_file(system_server, oemfs) + +# Allow resolving per-user storage symlinks +allow system_server { mnt_user_file storage_file }:dir { getattr search }; +allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; + +# Allow statfs() on storage devices, which happens fast enough that +# we shouldn't be killed during unsafe removal +allow system_server sdcard_type:dir { getattr search }; + +# Traverse into expanded storage +allow system_server mnt_expand_file:dir r_dir_perms; + +# Allow system process to relabel the fingerprint directory after mkdir +# and delete the directory and files when no longer needed +allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; +allow system_server fingerprintd_data_file:file { getattr unlink }; + +userdebug_or_eng(` + # Allow system server to create and write method traces in /data/misc/trace. + allow system_server method_trace_data_file:dir w_dir_perms; + allow system_server method_trace_data_file:file { create w_file_perms }; + + # Allow system server to read dmesg + allow system_server kernel:system syslog_read; + + # Allow writing and removing window traces in /data/misc/wmtrace. + allow system_server wm_trace_data_file:dir rw_dir_perms; + allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms }; + + # Allow writing and removing accessibility traces in /data/misc/a11ytrace. 
+ allow system_server accessibility_trace_data_file:dir rw_dir_perms;
+ allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:file { read write getattr };
+
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open create unlink write };
+
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Read service.adb.tls.port, persist.adb.wifi. properties
+get_prop(system_server, adbd_prop)
+
+# Set persist.adb.tls_server.enable property
+set_prop(system_server, system_adbd_prop)
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
+allow system_server ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
+# Access to /dev/dma_heap/system-secure
+allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc_asound)
+r_dir_file(system_server, proc_net_type)
+r_dir_file(system_server, proc_qtaguid_stat)
+allow system_server {
+ proc_cmdline
+ proc_loadavg
+ proc_locks
+ proc_meminfo
+ proc_pagetypeinfo
+ proc_pipe_conf
+ proc_stat
+ proc_uid_cputime_showstat
+ proc_uid_io_stats
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_version
+ proc_vmallocinfo
+}:file r_file_perms;
+
+allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
+
+r_dir_file(system_server, rootfs)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
+
+# Allow BootReceiver to watch trace error_report events.
+allow system_server debugfs_bootreceiver_tracing:dir search;
+allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
+
+# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
+allow system_server debugfs_tracing:file r_file_perms;
+
+# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+ allow system_server shell_exec:file rx_file_perms;
+ allow system_server asanwrapper_exec:file rx_file_perms;
+ allow system_server zygote_exec:file rx_file_perms;
+')
+
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
+# the map after snapshot is recorded, and to read, update and run the maps and programs used for
+# time in state accounting
+allow system_server fs_bpf:dir search;
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write prog_run };
+
+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
+allow system_server user_profile_data_file:file { getattr open read };
+
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+ allow system_server user_profile_data_file:file create_file_perms;
+')
+# Allow system server to load JVMTI agents under control of a property.
+get_prop(system_server,system_jvmti_agent_prop)
+
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
+# system_server contains time / time zone detection logic so reads the associated properties.
+get_prop(system_server, time_prop)
+
+# system_server reads this property to know it should expect the lmkd sends notification to it
+# on low memory kills.
+get_prop(system_server, system_lmk_prop)
+
+get_prop(system_server, wifi_config_prop)
+
+# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Watchdog prints debugging log to /dev/kmsg_debug.
+userdebug_or_eng(`
+ allow system_server kmsg_debug_device:chr_file { open append getattr };
+')
+# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
+get_prop(system_server, framework_watchdog_config_prop)
+
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
+
+# Allow system server to read profcollectd reports for upload.
+userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
+neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be operating on zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Exclude those types that system_server needs to open directly.
+neverallow system_server {
+ app_data_file_type
+ -system_app_data_file
+ -radio_data_file
+}:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server {
+ file_type
+ -toolbox_exec
+ -logcat_exec
+ with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
+}:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+ domain
+ -init
+ -system_server
+ -zygote
+ -app_zygote
+ -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
+# Only allow init, system_server, flags_health_check to set properties for server configurable flags
+neverallow {
+ domain
+ -init
+ -system_server
+ -flags_health_check
+} {
+ device_config_activity_manager_native_boot_prop
+ device_config_connectivity_prop
+ device_config_input_native_boot_prop
+ device_config_lmkd_native_prop
+ device_config_netd_native_prop
+ device_config_runtime_native_boot_prop
+ device_config_runtime_native_prop
+ device_config_media_native_prop
+ device_config_storage_native_boot_prop
+ device_config_sys_traced_prop
+ device_config_swcodec_native_prop
+ device_config_window_manager_native_boot_prop
+}:property_service set;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# system_server should never execute or load executable shared libraries
+# in /data. Executable files in /data are a persistence vector.
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
+neverallow system_server data_file_type:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+
+# system_server should never use JIT functionality
+# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
+# in the section titled "A Short ROP Chain" for why.
+# However, in emulator builds without OpenGL passthrough, we use software
+# rendering via SwiftShader, which requires JIT support. These builds are
+# never shipped to users.
+ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
+ `allow system_server self:process execmem;',
+ `neverallow system_server self:process execmem;')
+neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow system_server system_server_tmpfs:file execute;
+
+# Resources handed off by system_server_startup
+allow system_server system_server_startup:fd use;
+allow system_server system_server_startup_tmpfs:file { read write map };
+allow system_server system_server_startup:unix_dgram_socket write;
+
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
+# Allow system server to scan /apex for flattened APEXes
+allow system_server apex_mnt_dir:dir r_dir_perms;
+
+# Allow system server to read /apex/apex-info-list.xml
+allow system_server apex_info_file:file r_file_perms;
+
+# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_internal_service:service_manager find;
+allow system_server system_suspend_control_service:service_manager find;
+binder_call(system_server, system_suspend)
+binder_call(system_suspend, system_server)
+
+# Allow system server to communicate to system-suspend's wakelock interface
+wakelock_use(system_server)
+
+# Allow the system server to read files under /data/apex. The system_server
+# needs these privileges to compare file signatures while processing installs.
+#
+# Only apexd is allowed to create new entries or write to any file under /data/apex.
+allow system_server apex_data_file:dir { getattr search };
+allow system_server apex_data_file:file r_file_perms;
+
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
+# Allow the system server to manage relevant apex module data files.
+allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_appsearch_data_file:dir create_dir_perms;
+allow system_server apex_appsearch_data_file:file create_file_perms;
+allow system_server apex_permission_data_file:dir create_dir_perms;
+allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_scheduling_data_file:dir create_dir_perms;
+allow system_server apex_scheduling_data_file:file create_file_perms;
+allow system_server apex_wifi_data_file:dir create_dir_perms;
+allow system_server apex_wifi_data_file:file create_file_perms;
+
+# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
+# communicate which slots are available for use.
+allow system_server metadata_file:dir search;
+allow system_server password_slot_metadata_file:dir rw_dir_perms;
+allow system_server password_slot_metadata_file:file create_file_perms;
+
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
+allow system_server watchdog_metadata_file:dir rw_dir_perms;
+allow system_server watchdog_metadata_file:file create_file_perms;
+
+allow system_server gsi_persistent_data_file:dir rw_dir_perms;
+allow system_server gsi_persistent_data_file:file create_file_perms;
+
+# Allow system server read and remove files under /data/misc/odrefresh
+allow system_server odrefresh_data_file:dir rw_dir_perms;
+allow system_server odrefresh_data_file:file { r_file_perms unlink };
+
+# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
+allow system_server surfaceflinger_exec:file r_file_perms;
+
+# Allow init to set sysprop used to compute stats about userspace reboot.
+set_prop(system_server, userspace_reboot_log_prop)
+
+# JVMTI agent settings are only readable from the system server.
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -init
+ -vendor_init
+} {
+ system_jvmti_agent_prop
+}:file no_rw_file_perms;
+
+# Read/Write /proc/pressure/memory
+allow system_server proc_pressure_mem:file rw_file_perms;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+neverallow system_server system_server:global_capability_class_set sys_resource;
+
+# Only system_server/init should access /metadata/password_slots.
+neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
+# Allow systemserver to read/write the invalidation property
+set_prop(system_server, binder_cache_system_server_prop)
+neverallow { domain -system_server -init }
+ binder_cache_system_server_prop:property_service set;
+
+# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
+# system_server cannot use this access to read perf event data like process stacks.
+allow system_server self:perf_event { open write cpu kernel };
+neverallow system_server self:perf_event ~{ open write cpu kernel };
+
+# Do not allow any domain other than init or system server to set the property
+neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+neverallow { domain -init -system_server } boot_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} wifi_config_prop:file no_rw_file_perms;
+
+# Only allow system server to write uhid sysfs files
+neverallow {
+ domain
+ -init
+ -system_server
+ -ueventd
+ -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
+# interface
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/32.0/private/system_server_startup.te b/prebuilts/api/32.0/private/system_server_startup.te
new file mode 100644
index 000000000..064e0383c
--- /dev/null
+++ b/prebuilts/api/32.0/private/system_server_startup.te
@@ -0,0 +1,24 @@
+type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;
+
+tmpfs_domain(system_server_startup)
+
+# Create JIT memory
+allow system_server_startup self:process execmem;
+allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
+# Allow system_server_startup to run setcon() and enter the
+# system_server domain
+allow system_server_startup self:process setcurrent;
+allow system_server_startup system_server:process dyntransition;
+
+# Child of the zygote.
+allow system_server_startup zygote:process sigchld;
+
+# Allow query ART device config properties
+get_prop(system_server_startup, device_config_runtime_native_boot_prop)
+get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/prebuilts/api/32.0/private/system_suspend.te b/prebuilts/api/32.0/private/system_suspend.te
new file mode 100644
index 000000000..caf8955bb
--- /dev/null
+++ b/prebuilts/api/32.0/private/system_suspend.te
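Review bot: The rule `allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };` grants write and execute on the same tmpfs type, and the system_server.te hunk in this same diff keeps `{ read write map }` on system_server_startup_tmpfs after the dyntransition, so the executable region created here presumably remains writable from system_server; the `# Create JIT memory` comment does not record why this W+X exception exists or why it is confined to a separate startup domain. A short rationale would help the next reviewer, e.g. `# system_server_startup exists only so the JIT code cache can be set up with execmem before dyntransitioning into system_server, which is neverallowed execmem; keep this domain minimal.` This file is a prebuilts/api snapshot, so any change must land in the source private/ policy and be mirrored here byte-for-byte.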
@@ -0,0 +1,38 @@
+type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
+
+type system_suspend_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(system_suspend)
+
+# To serve ISuspendControlService.
+binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_service)
+
+# Access to /sys/power/{ wakeup_count, state } suspend interface.
+allow system_suspend sysfs_power:file rw_file_perms;
+
+# Access to wakeup, suspend stats, and wakeup reasons.
+r_dir_file(system_suspend, sysfs_suspend_stats)
+r_dir_file(system_suspend, sysfs_wakeup)
+r_dir_file(system_suspend, sysfs_wakeup_reasons)
+# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
+allow system_suspend sysfs_type:dir search;
+
+# Access to suspend_hal system properties
+get_prop(system_suspend, suspend_prop)
+
+# To call BTAA registered callbacks
+allow system_suspend bluetooth:binder call;
+
+# For adding `dumpsys syspend_control` output to bugreport
+allow system_suspend dumpstate:fd use;
+allow system_suspend dumpstate:fifo_file write;
+
+neverallow {
+ domain
+ -atrace # tracing
+ -bluetooth # support Bluetooth activity attribution (BTAA)
+ -dumpstate # bug reports
+ -system_suspend # implements system_suspend_control_service
+ -system_server # configures system_suspend via ISuspendControlService
+ -traceur_app # tracing
+} system_suspend_control_service:service_manager find;
diff --git a/prebuilts/api/32.0/private/technical_debt.cil b/prebuilts/api/32.0/private/technical_debt.cil
new file mode 100644
index 000000000..9b3e3c6ad
--- /dev/null
+++ b/prebuilts/api/32.0/private/technical_debt.cil
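Review bot: The neverallow closing this hunk guards only `system_suspend_control_service`; the type line also tags the domain with `system_suspend_internal_server`, and the system_server.te hunk in this diff finds `system_suspend_control_internal_service`, yet nothing in this file restricts which domains may find that internal control surface. If it is not restricted elsewhere in public/ or another private/ file, add `neverallow { domain -system_suspend -system_server } system_suspend_control_internal_service:service_manager find;` so the internal interface is scoped at least as tightly as the public one. The comment above the dumpstate rules also misspells the service as `syspend_control`; it should read `suspend_control`. As a prebuilts/api snapshot, the fix belongs in the source private/system_suspend.te and must be re-snapshotted.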
@@ -0,0 +1,71 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of OMX-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Drm-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Cas HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
+
+; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
+; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
+; typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
+(typeattribute untrusted_app_visible_hwservice)
+(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
+(typeattribute untrusted_app_visible_halserver)
+(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
+
+; Apps, except isolated apps, are clients of BufferHub HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
+
+; Properties having both system_property_type and vendor_property_type are illegal
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
+(typeattribute system_and_vendor_property_type)
+(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/prebuilts/api/32.0/private/tombstoned.te b/prebuilts/api/32.0/private/tombstoned.te
new file mode 100644
index 000000000..b6dfd1e4d
--- /dev/null
+++ b/prebuilts/api/32.0/private/tombstoned.te
@@ -0,0 +1,13 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
+
+get_prop(tombstoned, tombstone_config_prop)
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -tombstoned
+} tombstone_config_prop:file no_rw_file_perms;
diff --git a/prebuilts/api/32.0/private/toolbox.te b/prebuilts/api/32.0/private/toolbox.te
new file mode 100644
index 000000000..a2b958dba
--- /dev/null
+++ b/prebuilts/api/32.0/private/toolbox.te
@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)
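Review bot: The comment above the BufferHub rule documents the wrong attribute: it reads `; typeattribute { appdomain -isolated_app } hal_cas_client;` while the statement beneath it sets `hal_bufferhub_client`, so the Cas HAL comment is duplicated and the BufferHub mapping is left unexplained. Change it to `; typeattribute { appdomain -isolated_app } hal_bufferhub_client;`. The OMX, Codec2 and Drm blocks earlier in this file also omit the equivalent module-language line that every other block carries; adding it keeps the file's convention uniform and makes each workaround greppable by the attribute it emulates. Since this is a prebuilts/api snapshot, the edit belongs in the source private/technical_debt.cil.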
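Review bot: The neverallow in tombstoned.te only restricts reading `tombstone_config_prop` as a file; unlike the `boot_status_prop` and `socket_hook_prop` rules in the system_server.te hunk of this diff, nothing here prevents another domain from being granted `tombstone_config_prop:property_service set`. If the property is meant to be fixed by init from build configuration, consider adding `neverallow { domain -init } tombstone_config_prop:property_service set;`, widening the exemption to vendor_init only if property_contexts shows a vendor setter is expected. This is a prebuilts/api snapshot, so the change must be made in the source private/tombstoned.te and re-snapshotted.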
diff --git a/prebuilts/api/32.0/private/traced.te b/prebuilts/api/32.0/private/traced.te
new file mode 100644
index 000000000..fc9a2455a
--- /dev/null
+++ b/prebuilts/api/32.0/private/traced.te
@@ -0,0 +1,121 @@
+# Perfetto user-space tracing daemon (unprivileged)
+
+# type traced is defined under /public (because iorapd rules
+# under public/ need to refer to it).
+type traced_exec, system_file_type, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced)
+tmpfs_domain(traced)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# share memory buffers created by traced.
+typeattribute traced_tmpfs mlstrustedobject;
+
+# Allow traced to start with a lower scheduling class and change
+# class accordingly to what defined in the config provided by
+# the privileged process that controls it.
+allow traced self:global_capability_class_set { sys_nice };
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
+# ... and /data/misc/perfetto-traces/bugreport*
+allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
+allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+
+# Allow traceur to pass open file descriptors to traced, so traced can directly
+# write into the output file without doing roundtrips over IPC.
+allow traced traceur_app:fd use;
+allow traced trace_data_file:file { read write };
+
+# Allow perfetto to access the proxy service for notifying Traceur.
+allow traced tracingproxy_service:service_manager find;
+binder_use(traced);
+binder_call(traced, system_server);
+
+# Allow iorapd to pass memfd descriptors to traced, so traced can directly
+# write into the shmem buffer file without doing roundtrips over IPC.
+allow traced iorapd:fd use;
+allow traced iorapd_tmpfs:file { read write };
+
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced {
+ appdomain_tmpfs
+ heapprofd_tmpfs
+ surfaceflinger_tmpfs
+ traced_probes_tmpfs
+ userdebug_or_eng(`system_server_tmpfs')
+}:file { getattr map read write };
+
+# Allow traced to notify Traceur when a trace ends by setting the
+# sys.trace.trace_end_signal property.
+set_prop(traced, system_trace_prop)
+# Allow to lazily start producers.
+set_prop(traced, traced_lazy_prop)
+
+# Allow traced to talk to statsd for logging metrics.
+unix_socket_send(traced, statsdw, statsd)
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced self:process execmem;
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
+ -system_data_file
+ -system_data_root_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
+neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
+ -trace_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/prebuilts/api/32.0/private/traced_perf.te b/prebuilts/api/32.0/private/traced_perf.te
new file mode 100644
index 000000000..96a7263f7
--- /dev/null
+++ b/prebuilts/api/32.0/private/traced_perf.te
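Review bot: The comment inside the first data_file_type neverallow says the vendor_data_file exemption is "Further restricted in a subsequent neverallow", but none of the neverallow lines that follow in this file mention vendor_data_file — they cover system_data_file, zoneinfo_data_file, lnk_file and `file ~write` only. If that restriction lives in a shared file such as domain.te, the comment should say so rather than point the reader at a rule that is not here, e.g. `# subsequent neverallow in domain.te. Currently only getattr and search are allowed.`; if it does not exist anywhere, the TODO is hiding an exemption with no backstop for this domain. The identical wording appears again in traced_probes.te later in this series and should be corrected in both places.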
@@ -0,0 +1,72 @@
+# Performance profiler, backed by perf_event_open(2).
+# See go/perfetto-perf-android.
+typeattribute traced_perf coredomain;
+typeattribute traced_perf mlstrustedsubject;
+
+type traced_perf_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(traced_perf)
+perfetto_producer(traced_perf)
+
+# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
+# profiling, but retain samples only for profileable processes.
+# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
+# check (which would require a process:attach SELinux allow-rule).
+allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
+
+# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
+# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
+# sampled stacks, which requires opening the backing libraries/executables (as
+# symbols are usually not mapped into the process space). Not all such files
+# are world-readable, e.g. odex files that included user profiles during
+# profile-guided optimization.
+allow traced_perf self:capability { kill dac_read_search };
+
+# Allow reading /system/data/packages.list.
+allow traced_perf packages_list_file:file r_file_perms;
+
+# Allow reading files for stack unwinding and symbolization.
+r_dir_file(traced_perf, nativetest_data_file)
+r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apex_art_data_file)
+r_dir_file(traced_perf, apk_data_file)
+r_dir_file(traced_perf, dalvikcache_data_file)
+r_dir_file(traced_perf, vendor_file_type)
+
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
+allow traced_perf proc_kallsyms:file r_file_perms;
+
+# Allow reading tracefs files to get the format and numeric ids of tracepoints.
+allow traced_perf debugfs_tracing:dir r_dir_perms;
+allow traced_perf debugfs_tracing:file r_file_perms;
+userdebug_or_eng(`
+ allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
+ allow traced_perf debugfs_tracing_debug:file r_file_perms;
+')
+
+# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
+# domains that it cannot read.
+dontaudit traced_perf domain:dir { search getattr open };
+
+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
+# Never allow access to app data files
+neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+
+# Never allow profiling highly privileged processes.
+never_profile_perf(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
diff --git a/prebuilts/api/32.0/private/traced_probes.te b/prebuilts/api/32.0/private/traced_probes.te
new file mode 100644
index 000000000..730a45c95
--- /dev/null
+++ b/prebuilts/api/32.0/private/traced_probes.te
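Review bot: The only /data neverallow in this domain names three app-data types, yet `allow traced_perf self:capability { kill dac_read_search }` lets the daemon bypass DAC read/search checks on anything it has an SELinux allow for, so every other data_file_type is fenced off only by the absence of an allow rule rather than by a compile-time check. traced.te and traced_probes.te in this same series pin their exemptions with a `data_file_type` neverallow; the same shape here would turn a future over-broad allow into a build failure instead of a silent grant. The list below is derived from the allow rules visible in this hunk (packages_list_file plus the four r_dir_file data types) and zoneinfo_data_file, which the sibling files exempt — presumably because domain grants it — so it must be built against the full policy before landing, since any macro-expanded allow on an unlisted type will fail neverallow checking. Separately, `go/perfetto-perf-android` is an internal short link that outside readers cannot resolve; a public URL or a one-line summary would serve better.
```selinux
# Never allow access to app data files
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;

# Pin the /data footprint: only the types explicitly allowed above for
# unwinding/symbolization may be touched, regardless of CAP_DAC_READ_SEARCH.
neverallow traced_perf {
  data_file_type
  -nativetest_data_file
  -apex_art_data_file
  -apk_data_file
  -dalvikcache_data_file
  -packages_list_file
  -zoneinfo_data_file
  with_native_coverage(`-method_trace_data_file')
}:file *;
# … unchanged: never_profile_perf list …
```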
@@ -0,0 +1,152 @@
+# Perfetto tracing probes, has tracefs access.
+type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced_probes)
+tmpfs_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(traced_probes)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow traced_probes to access mm_events trace instance
+allow traced_probes debugfs_tracing_instances:dir search;
+allow traced_probes debugfs_mm_events_tracing:dir search;
+allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
+
+# TODO(primiano): temporarily I/O tracing categories are still
+# userdebug only until we nail down the denylist/allowlist.
+userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
+allow traced_probes debugfs_tracing_debug:file rw_file_perms;
+')
+
+# Allow traced_probes to start with a higher scheduling class and then downgrade
+# itself.
+allow traced_probes self:global_capability_class_set { sys_nice };
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
+allow traced_probes proc_kallsyms:file r_file_perms;
+
+# Allow to read packages.list file.
+allow traced_probes packages_list_file:file r_file_perms;
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow traced_probes to list the system partition.
+allow traced_probes system_file:dir { open read };
+
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:global_capability_class_set dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
+allow traced_probes dalvikcache_data_file:dir { getattr open read search };
+userdebug_or_eng(`
+# search and getattr are granted via domain and coredomain, respectively.
+allow traced_probes system_data_file:dir { open read };
+')
+allow traced_probes system_app_data_file:dir { getattr open read search };
+allow traced_probes backup_data_file:dir { getattr open read search };
+allow traced_probes bootstat_data_file:dir { getattr open read search };
+allow traced_probes update_engine_data_file:dir { getattr open read search };
+allow traced_probes update_engine_log_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace);
+
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
+
+# Allow traced_probes to access /proc files for system stats.
+# Note: trace data is NOT exposed to anything other than shell and privileged
+# system apps that have access to the traced consumer socket.
+allow traced_probes {
+ proc_meminfo
+ proc_vmstat
+ proc_stat
+}:file r_file_perms;
+
+# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
+allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
+allow traced_probes sysfs_devfreq_cur:file r_file_perms;
+
+# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
+hal_client_domain(traced_probes, hal_health)
+hal_client_domain(traced_probes, hal_power_stats)
+
+# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
+hal_client_domain(traced_probes, hal_atrace)
+
+# On debug builds allow to ingest system logs into the trace.
+userdebug_or_eng(`read_logd(traced_probes)')
+
+# Allow traced_probes to talk to statsd for logging metrics.
+unix_socket_send(traced_probes, statsdw, statsd)
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced_probes self:process execmem;
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -apex_module_data_file
+ -apex_art_data_file
+ -apk_data_file
+ -dalvikcache_data_file
+ -system_data_file
+ -system_data_root_file
+ -system_app_data_file
+ -backup_data_file
+ -bootstat_data_file
+ -update_engine_data_file
+ -update_engine_log_data_file
+ -user_profile_root_file
+ -user_profile_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir *;
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes {
+ data_file_type
+ -zoneinfo_data_file
+ -packages_list_file
+ with_native_coverage(`-method_trace_data_file')
+}:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
+
diff --git a/prebuilts/api/32.0/private/traceur_app.te b/prebuilts/api/32.0/private/traceur_app.te
new file mode 100644
index 000000000..2937e269b
--- /dev/null
+++ b/prebuilts/api/32.0/private/traceur_app.te
@@ -0,0 +1,24 @@
+typeattribute traceur_app coredomain;
+
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
+
+userdebug_or_eng(`
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app atrace_exec:file rx_file_perms;
+
+# To exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe.
+allow traceur_app perfetto_exec:file rx_file_perms;
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(traceur_app, traced_consumer, traced)
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
+
+set_prop(traceur_app, debug_prop)
diff --git a/prebuilts/api/32.0/private/tzdatacheck.te b/prebuilts/api/32.0/private/tzdatacheck.te
new file mode 100644
index 000000000..502735cad
--- /dev/null
+++ b/prebuilts/api/32.0/private/tzdatacheck.te
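Review bot: The note above the proc_meminfo/proc_vmstat/proc_stat allow says trace data is "NOT exposed to anything other than shell and privileged system apps that have access to the traced consumer socket", but untrusted_app_all.te in this same series grants `allow untrusted_app_all trace_data_file:file { getattr read }` precisely so Traceur can hand a finished trace file to any app through a content provider. The claim holds for the consumer socket, not for the resulting file, so it should be qualified: `# Note: trace data is NOT exposed to anything other than shell, privileged system apps that have access to the traced consumer socket, and apps that Traceur explicitly shares a trace file with.` While in the comments, "traced damon" near the top of the file should read "traced daemon".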
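Review bot: `set_prop(traceur_app, debug_prop)` at the end of the file is the only rule here without a justification, while every other set_prop in this series carries one; a one-line why-comment such as `# Allow Traceur to toggle the debug.* flags that enable tracing (confirm the exact keys it writes)` would tell the next reader what the app is expected to write — I am inferring the purpose from the type name, so the keys need confirming against the app. Also, "stdint" in the comment above the perfetto_exec rule should read "stdin".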
@@ -0,0 +1,3 @@
+typeattribute tzdatacheck coredomain;
+
+init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/32.0/private/ueventd.te b/prebuilts/api/32.0/private/ueventd.te
new file mode 100644
index 000000000..8bcdbf95a
--- /dev/null
+++ b/prebuilts/api/32.0/private/ueventd.te
@@ -0,0 +1,7 @@
+typeattribute ueventd coredomain;
+
+tmpfs_domain(ueventd)
+
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/prebuilts/api/32.0/private/uncrypt.te b/prebuilts/api/32.0/private/uncrypt.te
new file mode 100644
index 000000000..1a94cd1e5
--- /dev/null
+++ b/prebuilts/api/32.0/private/uncrypt.te
@@ -0,0 +1,6 @@
+typeattribute uncrypt coredomain;
+
+init_daemon_domain(uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
diff --git a/prebuilts/api/32.0/private/untrusted_app.te b/prebuilts/api/32.0/private/untrusted_app.te
new file mode 100644
index 000000000..6e7a99cd8
--- /dev/null
+++ b/prebuilts/api/32.0/private/untrusted_app.te
@@ -0,0 +1,16 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 30.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app coredomain;
+
+app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
diff --git a/prebuilts/api/32.0/private/untrusted_app_25.te b/prebuilts/api/32.0/private/untrusted_app_25.te
new file mode 100644
index 000000000..41cabe878
--- /dev/null
+++ b/prebuilts/api/32.0/private/untrusted_app_25.te
@@ -0,0 +1,54 @@
+###
+### Untrusted_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_25 coredomain;
+
+app_domain(untrusted_app_25)
+untrusted_app_domain(untrusted_app_25)
+net_domain(untrusted_app_25)
+bluetooth_domain(untrusted_app_25)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
+auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/32.0/private/untrusted_app_27.te b/prebuilts/api/32.0/private/untrusted_app_27.te
new file mode 100644
index 000000000..0993faa9b
--- /dev/null
+++ b/prebuilts/api/32.0/private/untrusted_app_27.te
@@ -0,0 +1,42 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 28.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_27 coredomain;
+
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
+auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/32.0/private/untrusted_app_29.te b/prebuilts/api/32.0/private/untrusted_app_29.te
new file mode 100644
index 000000000..c5652b169
--- /dev/null
+++ b/prebuilts/api/32.0/private/untrusted_app_29.te
@@ -0,0 +1,20 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_29 coredomain;
+
+app_domain(untrusted_app_29)
+untrusted_app_domain(untrusted_app_29)
+net_domain(untrusted_app_29)
+bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/32.0/private/untrusted_app_all.te b/prebuilts/api/32.0/private/untrusted_app_all.te
new file mode 100644
index 000000000..6064c1453
--- /dev/null
+++ b/prebuilts/api/32.0/private/untrusted_app_all.te
@@ -0,0 +1,177 @@
+###
+### Untrusted_app_all.
+###
+### This file defines the rules shared by all untrusted app domains except
+### ephemeral_app for instant apps and isolated_app (which has a reduced
+### permission set).
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_all attribute is assigned to all default
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### attribute is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to ephemeral_app.te.
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_all app_data_file:file { r_file_perms execute };
+auditallow untrusted_app_all app_data_file:file execute;
+
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow untrusted_app_all system_linker_exec:file execute_no_trans;
+
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
+
+# Allow handling of less common filesystem objects
+allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
+
+# ASEC
+allow untrusted_app_all asec_apk_file:file r_file_perms;
+allow untrusted_app_all asec_apk_file:dir r_dir_perms;
+# Execute libs in asec containers.
+allow untrusted_app_all asec_public_file:file { execute };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app_all shell_data_file:file r_file_perms;
+allow untrusted_app_all shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
+# neverallow untrusted apps accessing debugfs_tracing
+neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
+
+# Allow to read staged apks.
+allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app_all system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
+allow untrusted_app_all media_rw_data_file:file create_file_perms;
+
+# allow cts to query all services
+allow untrusted_app_all servicemanager:service_manager list;
+
+allow untrusted_app_all audioserver_service:service_manager find;
+allow untrusted_app_all cameraserver_service:service_manager find;
+allow untrusted_app_all drmserver_service:service_manager find;
+allow untrusted_app_all mediaserver_service:service_manager find;
+allow untrusted_app_all mediaextractor_service:service_manager find;
+allow untrusted_app_all mediametrics_service:service_manager find;
+allow untrusted_app_all mediadrmserver_service:service_manager find;
+allow untrusted_app_all nfc_service:service_manager find;
+allow untrusted_app_all radio_service:service_manager find;
+allow untrusted_app_all app_api_service:service_manager find;
+allow untrusted_app_all vr_manager_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app_all self:process ptrace;
+
+# Android Studio Instant Run has the application connect to a
+# runas_app socket listening in the abstract namespace.
+# https://developer.android.com/studio/run/
+# b/123297648
+allow untrusted_app_all runas_app:unix_stream_socket connectto;
+
+# Untrusted apps need to be able to send a SIGCHLD to runas_app
+# when running under a debugger (b/123612207)
+allow untrusted_app_all runas_app:process sigchld;
+
+# Cts: HwRngTest
+allow untrusted_app_all sysfs_hwrandom:dir search;
+allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
+
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(untrusted_app_all)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(untrusted_app_all)
+can_profile_perf(untrusted_app_all)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# Allow the renderscript compiler to be run.
+domain_auto_trans(untrusted_app_all, rs_exec, rs)
+
+# suppress denials caused by debugfs_tracing
+dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
+
+# Allow access to kcov via its ioctl interface for coverage
+# guided kernel fuzzing.
+userdebug_or_eng(`
+ allow untrusted_app_all debugfs_kcov:file rw_file_perms;
+ allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+ # The use of debugfs kcov is considered a breach of the kernel integrity
+ # according to the heuristic of lockdown.
+ allow untrusted_app_all self:lockdown integrity;
+')
+
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;
diff --git a/prebuilts/api/32.0/private/update_engine.te b/prebuilts/api/32.0/private/update_engine.te
new file mode 100644
index 000000000..d828e1fe1
--- /dev/null
+++ b/prebuilts/api/32.0/private/update_engine.te
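Review bot: `allow untrusted_app_all system_app_data_file:file { read write getattr }` is documented as covering files "passed over Binder", and that fd-only property rests entirely on `open` being absent from the rule; unlike trace_data_file a few lines earlier there is no neverallow pinning it, so a later addition of `open` would silently give every untrusted app direct read/write access to system app data rather than failing the build. If fd-passing is the intent, pin it the same way the trace_data_file block does: `neverallow untrusted_app_all system_app_data_file:file open;` — build it against the full policy first in case a macro already grants open somewhere. Two comment typos while here: "the the dynamic linker" and "traced damon" (daemon).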
@@ -0,0 +1,31 @@
+typeattribute update_engine coredomain;
+
+init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
+# Allow to get the DSU status
+get_prop(update_engine, gsid_prop)
+
+# Allow update_engine to call the callback function provided by GKI update hook.
+binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;
+
+# Allow to communicate with apexd for calculating and reserving space for
+# capex decompression
+allow update_engine apex_service:service_manager find;
+binder_call(update_engine, apexd)
diff --git a/prebuilts/api/32.0/private/update_engine_common.te b/prebuilts/api/32.0/private/update_engine_common.te
new file mode 100644
index 000000000..8571ff650
--- /dev/null
+++ b/prebuilts/api/32.0/private/update_engine_common.te
@@ -0,0 +1,13 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and must be tagged
+# with postinstall_exec in the new filesystem.
+# TODO Have build system attempt to verify this
+domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
+
+# Vendor directories can have the transition as well during OTA. This is caused
+# by update_engine execing scripts in vendor to perform any update tasks needed
+# there.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
diff --git a/prebuilts/api/32.0/private/update_verifier.te b/prebuilts/api/32.0/private/update_verifier.te
new file mode 100644
index 000000000..5e1b27bf8
--- /dev/null
+++ b/prebuilts/api/32.0/private/update_verifier.te
@@ -0,0 +1,9 @@
+typeattribute update_verifier coredomain;
+
+init_daemon_domain(update_verifier)
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
diff --git a/prebuilts/api/32.0/private/usbd.te b/prebuilts/api/32.0/private/usbd.te
new file mode 100644
index 000000000..42f23244e
--- /dev/null
+++ b/prebuilts/api/32.0/private/usbd.te
@@ -0,0 +1,15 @@
+typeattribute usbd coredomain;
+
+init_daemon_domain(usbd)
+
+# Access usb gadget hal
+hal_client_domain(usbd, hal_usb_gadget)
+
+# Access persist.sys.usb.config
+get_prop(usbd, system_prop)
+
+# start adbd during boot if adb is enabled
+set_prop(usbd, ctl_default_prop)
+
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)
diff --git a/prebuilts/api/32.0/private/users b/prebuilts/api/32.0/private/users
new file mode 100644
index 000000000..51b7b57e6
--- /dev/null
+++ b/prebuilts/api/32.0/private/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/32.0/private/vdc.te b/prebuilts/api/32.0/private/vdc.te
new file mode 100644
index 000000000..63c9c2a0e
--- /dev/null
+++ b/prebuilts/api/32.0/private/vdc.te
@@ -0,0 +1,6 @@
+typeattribute vdc coredomain;
+
+init_daemon_domain(vdc)
+
+# Allow stdin/out back to vehicle_binding_util
+allow vdc vehicle_binding_util:fd use;
diff --git a/prebuilts/api/32.0/private/vehicle_binding_util.te b/prebuilts/api/32.0/private/vehicle_binding_util.te
new file mode 100644
index 000000000..76d075600
--- /dev/null
+++ b/prebuilts/api/32.0/private/vehicle_binding_util.te
@@ -0,0 +1,20 @@
+# vehicle binding util startup application
+type vehicle_binding_util, domain, coredomain;
+
+# allow init to start vehicle_binding_util
+type vehicle_binding_util_exec, exec_type, file_type, system_file_type;
+init_daemon_domain(vehicle_binding_util)
+
+# allow writing to kmsg during boot
+allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
+
+# allow reading the binding property from vhal
+hwbinder_use(vehicle_binding_util)
+hal_client_domain(vehicle_binding_util, hal_vehicle)
+
+# allow executing vdc
+domain_auto_trans(vehicle_binding_util, vdc_exec, vdc)
+
+# devpts is needed to redirect output from vdc
+allow vehicle_binding_util devpts:chr_file rw_file_perms;
+
diff --git a/prebuilts/api/32.0/private/vendor_init.te b/prebuilts/api/32.0/private/vendor_init.te
new file mode 100644
index 000000000..2e616f363
--- /dev/null
+++ b/prebuilts/api/32.0/private/vendor_init.te
@@ -0,0 +1,20 @@
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
+
+# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
+allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -keychord_device
+ -kvm_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/prebuilts/api/32.0/private/viewcompiler.te b/prebuilts/api/32.0/private/viewcompiler.te
new file mode 100644
index 000000000..d1f096441
--- /dev/null
+++ b/prebuilts/api/32.0/private/viewcompiler.te
@@ -0,0 +1,25 @@
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+
+allow viewcompiler installd:fd use;
+
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file { read map };
+
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/prebuilts/api/32.0/private/virtmanager.te b/prebuilts/api/32.0/private/virtmanager.te
new file mode 100644
index 000000000..467f7d4f9
--- /dev/null
+++ b/prebuilts/api/32.0/private/virtmanager.te
@@ -0,0 +1,17 @@
+type virtmanager, domain, coredomain;
+type virtmanager_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
+init_daemon_domain(virtmanager)
+
+# Let the virtmanager domain use Binder.
+binder_use(virtmanager)
+
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
+add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
diff --git a/prebuilts/api/32.0/private/virtual_touchpad.te b/prebuilts/api/32.0/private/virtual_touchpad.te
new file mode 100644
index 000000000..e735172fe
--- /dev/null
+++ b/prebuilts/api/32.0/private/virtual_touchpad.te
@@ -0,0 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
+init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/32.0/private/vold.te b/prebuilts/api/32.0/private/vold.te
new file mode 100644
index 000000000..de0fde48a
--- /dev/null
+++ b/prebuilts/api/32.0/private/vold.te
@@ -0,0 +1,68 @@
+typeattribute vold coredomain;
+
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, blkid_exec, blkid);
+domain_trans(vold, blkid_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
+
+# Property Service
+get_prop(vold, vold_config_prop)
+get_prop(vold, storage_config_prop);
+get_prop(vold, incremental_prop);
+
+set_prop(vold, vold_post_fs_data_prop)
+set_prop(vold, vold_prop)
+set_prop(vold, vold_status_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
+set_prop(vold, boottime_public_prop)
+
+# Vold will use Keystore instead of using Keymint directly. But it still needs
+# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
+allow vold vold_key:keystore2_key {
+ convert_storage_key_to_ephemeral
+ delete
+ get_info
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+};
+
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
+# vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
+allow vold keystore_maintenance_service:service_manager find;
+
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
+allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
+
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+ -gsid
+} vold_service:service_manager find;
diff --git a/prebuilts/api/32.0/private/vold_prepare_subdirs.te b/prebuilts/api/32.0/private/vold_prepare_subdirs.te
new file mode 100644
index 000000000..956e94e5f
--- /dev/null
+++ b/prebuilts/api/32.0/private/vold_prepare_subdirs.te
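Review bot: The trailing semicolons on `domain_auto_trans(vold, sgdisk_exec, sgdisk);`, the four `domain_trans(...)` lines, `get_prop(vold, storage_config_prop);` and `get_prop(vold, incremental_prop);` are inconsistent with the other macro invocations in this file, which are written without one (e.g. `get_prop(vold, vold_config_prop)` and every `set_prop(...)` line). m4 expands the macro and leaves the stray `;` behind as an empty statement; the build evidently accepts it, but it reads as though the macro form and the bare-rule form were mixed by accident and makes a grep for rule endings unreliable. Since this is a prebuilt API snapshot, the cleanup belongs in the policy source it mirrors, with the snapshot regenerated from it.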
@@ -0,0 +1,60 @@
+domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+
+typeattribute vold_prepare_subdirs mlstrustedsubject;
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs {
+ apex_appsearch_data_file
+ apex_art_data_file
+ apex_module_data_file
+ apex_permission_data_file
+ apex_rollback_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+ backup_data_file
+ face_vendor_data_file
+ fingerprint_vendor_data_file
+ iris_vendor_data_file
+ rollback_data_file
+ storaged_data_file
+ system_data_file
+ vold_data_file
+}:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs {
+ apex_appsearch_data_file
+ apex_art_data_file
+ apex_art_staging_data_file
+ apex_module_data_file
+ apex_permission_data_file
+ apex_rollback_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+ backup_data_file
+ face_vendor_data_file
+ fingerprint_vendor_data_file
+ iris_vendor_data_file
+ rollback_data_file
+ storaged_data_file
+ system_data_file
+ vold_data_file
+}:file { getattr unlink };
+allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
+allow vold_prepare_subdirs mnt_expand_file:dir search;
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+# /data/misc is unlabeled during early boot.
+allow vold_prepare_subdirs unlabeled:dir search;
+
+dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/prebuilts/api/32.0/private/vr_hwc.te b/prebuilts/api/32.0/private/vr_hwc.te
new file mode 100644
index 000000000..51d242061
--- /dev/null
+++ b/prebuilts/api/32.0/private/vr_hwc.te
@@ -0,0 +1,4 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
diff --git a/prebuilts/api/32.0/private/vzwomatrigger_app.te b/prebuilts/api/32.0/private/vzwomatrigger_app.te
new file mode 100644
index 000000000..8deb22bc8
--- /dev/null
+++ b/prebuilts/api/32.0/private/vzwomatrigger_app.te
@@ -0,0 +1,6 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+app_domain(vzwomatrigger_app)
diff --git a/prebuilts/api/32.0/private/wait_for_keymaster.te b/prebuilts/api/32.0/private/wait_for_keymaster.te
new file mode 100644
index 000000000..da98e2e07
--- /dev/null
+++ b/prebuilts/api/32.0/private/wait_for_keymaster.te
@@ -0,0 +1,15 @@
+# wait_for_keymaster service
+type wait_for_keymaster, domain, coredomain;
+type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(wait_for_keymaster)
+
+hal_client_domain(wait_for_keymaster, hal_keymaster)
+
+allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+binder_use(wait_for_keymaster)
+allow wait_for_keymaster keystore_service:service_manager find;
+binder_call(wait_for_keymaster, keystore)
diff --git a/prebuilts/api/32.0/private/watchdogd.te b/prebuilts/api/32.0/private/watchdogd.te
new file mode 100644
index 000000000..91ece7052
--- /dev/null
+++ b/prebuilts/api/32.0/private/watchdogd.te
@@ -0,0 +1,3 @@
+typeattribute watchdogd coredomain;
+
+init_daemon_domain(watchdogd)
diff --git a/prebuilts/api/32.0/private/webview_zygote.te b/prebuilts/api/32.0/private/webview_zygote.te
new file mode 100644
index 000000000..3473ecaee
--- /dev/null
+++ b/prebuilts/api/32.0/private/webview_zygote.te
@@ -0,0 +1,155 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+typeattribute webview_zygote coredomain;
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(webview_zygote);
+
+userfaultfd_use(webview_zygote)
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
+allow webview_zygote apex_module_data_file:dir search;
+
+# Allow webview_zygote to create JIT memory.
+allow webview_zygote self:process execmem;
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+# Directory listing in /system.
+allow webview_zygote system_file:dir r_dir_perms;
+
+# Read and inspect temporary files (like system properties) managed by zygote.
+allow webview_zygote zygote_tmpfs:file { read getattr };
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
+allow webview_zygote same_process_hal_file:file { execute read open getattr map };
+
+allow webview_zygote system_data_file:lnk_file r_file_perms;
+
+# Send unsolicited message to system_server
+unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+
+# Allow the webview_zygote to access the runtime feature flag properties.
+get_prop(webview_zygote, device_config_runtime_native_prop)
+get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# webview_zygote child.
+neverallow { domain -zygote } webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+ xdp_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/32.0/private/wificond.te b/prebuilts/api/32.0/private/wificond.te
new file mode 100644
index 000000000..3fdaca273
--- /dev/null
+++ b/prebuilts/api/32.0/private/wificond.te
@@ -0,0 +1,11 @@
+typeattribute wificond coredomain;
+
+set_prop(wificond, wifi_hal_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+get_prop(wificond, hwservicemanager_prop)
+
+allow wificond legacykeystore_service:service_manager find;
+
+init_daemon_domain(wificond)
diff --git a/prebuilts/api/32.0/private/wpantund.te b/prebuilts/api/32.0/private/wpantund.te
new file mode 100644
index 000000000..e91662cb7
--- /dev/null
+++ b/prebuilts/api/32.0/private/wpantund.te
@@ -0,0 +1,3 @@
+typeattribute wpantund coredomain;
+
+init_daemon_domain(wpantund)
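Review bot: `get_prop(zygote, odsign_prop)` at the end of the allow section of webview_zygote.te names `zygote` as the subject, while its comment says the rule is for webview_zygote and every other rule in this file is written on `webview_zygote`. As written the line is redundant in this file (zygote.te in this same commit already contains `get_prop(zygote, odsign_prop)`) and leaves webview_zygote without the property read the comment describes, so it presumably should read `get_prop(webview_zygote, odsign_prop)`. A denial on odsign_prop from the webview_zygote domain at boot would confirm the mismatch. This file is a prebuilt API snapshot, so the correction belongs in the policy source it mirrors, with the snapshot regenerated to match.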
diff --git a/prebuilts/api/32.0/private/zygote.te b/prebuilts/api/32.0/private/zygote.te
new file mode 100644
index 000000000..743647ec7
--- /dev/null
+++ b/prebuilts/api/32.0/private/zygote.te
@@ -0,0 +1,268 @@
+# zygote
+typeattribute zygote coredomain;
+typeattribute zygote mlstrustedsubject;
+
+init_daemon_domain(zygote)
+tmpfs_domain(zygote)
+
+read_runtime_log_tags(zygote)
+
+# Override DAC on files and switch uid/gid.
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
+
+# Drop capabilities from bounding set.
+allow zygote self:global_capability_class_set setpcap;
+
+# Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
+allow zygote system_server_startup:process dyntransition;
+allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
+allow zygote app_zygote:process dyntransition;
+
+# Allow zygote to read app /proc/pid dirs (b/10455872).
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
+
+userfaultfd_use(zygote)
+
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+allow zygote webview_zygote:process { getpgid setpgid };
+allow zygote app_zygote:process { getpgid setpgid };
+
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+
+# Write to /data/dalvik-cache.
+allow zygote dalvikcache_data_file:dir create_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+
+# Create symlinks in /data/dalvik-cache.
+allow zygote dalvikcache_data_file:lnk_file create_file_perms;
+
+# Write to /data/resource-cache.
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
+
+# For updateability, the zygote may fetch the current boot
+# classpath from the dalvik cache. Integrity of the files
+# is ensured by fsverity protection (checked in art_apex_boot_integrity).
+allow zygote dalvikcache_data_file:file execute;
+
+# Allow zygote to find files in APEX data directories.
+allow zygote apex_module_data_file:dir search;
+
+# Allow zygote to find and map files created by on device signing.
+allow zygote apex_art_data_file:dir { getattr search };
+allow zygote apex_art_data_file:file { r_file_perms execute };
+
+# Bind mount on /data/data and mounted volumes
+allow zygote { system_data_file mnt_expand_file }:dir mounton;
+
+# Relabel /data/user /data/user_de and /data/data
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+
+# Zygote opens /mnt/expand to mount CE DE storage on each vol
+allow zygote mnt_expand_file:dir { open read search relabelto };
+
+# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
+allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
+
+# Create and bind dirs on /data/data
+allow zygote tmpfs:dir { create_dir_perms mounton };
+
+# Goes into media directory and bind mount obb directory
+allow zygote media_rw_data_file:dir { getattr search };
+
+# Bind mount on top of existing mounted obb and data directory
+allow zygote media_rw_data_file:dir { mounton };
+
+# Read if sdcardfs is supported
+allow zygote proc_filesystems:file r_file_perms;
+
+# Create symlink for /data/user/0
+allow zygote tmpfs:lnk_file create;
+
+allow zygote mirror_data_file:dir r_dir_perms;
+
+# Get inode of directories for app data isolation
+allow zygote {
+ app_data_file_type
+ system_data_file
+ mnt_expand_file
+}:dir getattr;
+
+# Allow zygote to create JIT memory.
+allow zygote self:process execmem;
+allow zygote zygote_tmpfs:file execute;
+allow zygote ashmem_libcutils_device:chr_file execute;
+
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO: Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
+allow zygote self:global_capability_class_set sys_admin;
+
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
+
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+
+# Native bridge functionality requires that zygote replaces
+# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
+allow zygote proc_cpuinfo:file mounton;
+
+# Allow remounting rootfs as MS_SLAVE.
+allow zygote rootfs:dir mounton;
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
+
+# Allow creating user-specific storage source if started before vold.
+allow zygote mnt_user_file:dir { create_dir_perms mounton };
+allow zygote mnt_user_file:lnk_file create_file_perms;
+allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
+# Allowed to mount user-specific storage into place
+allow zygote storage_file:dir { search mounton };
+
+# Allow mounting and creating files, dirs on sdcardfs.
+allow zygote { sdcard_type }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type }:file { create_file_perms };
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file rx_file_perms;
+
+# Allow zygote to write to statsd.
+unix_socket_send(zygote, statsdw, statsd)
+
+# Root fs.
+r_dir_file(zygote, rootfs)
+
+# System file accesses.
+r_dir_file(zygote, system_file)
+
+# /oem accesses.
+allow zygote oemfs:dir search;
+
+userdebug_or_eng(`
+ # Allow zygote to create and write method traces in /data/misc/trace.
+ allow zygote method_trace_data_file:dir w_dir_perms;
+ allow zygote method_trace_data_file:file { create w_file_perms };
+')
+
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
+allow zygote same_process_hal_file:file { execute read open getattr map };
+
+# Allow the zygote to access storage properties to check if sdcardfs is enabled.
+get_prop(zygote, storage_config_prop);
+
+# Let the zygote access overlays so it can initialize the AssetManager.
+get_prop(zygote, overlay_prop)
+get_prop(zygote, exported_overlay_prop)
+
+# Allow the zygote to access the runtime feature flag properties.
+get_prop(zygote, device_config_runtime_native_prop)
+get_prop(zygote, device_config_runtime_native_boot_prop)
+
+# Allow the zygote to access window manager native boot feature flags
+# to initialize WindowManager static properties.
+get_prop(zygote, device_config_window_manager_native_boot_prop)
+
+# ingore spurious denials
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
+
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
+# TODO(b/151316657): avoid the denials
+dontaudit zygote media_rw_data_file:dir { read open setattr };
+
+# Allow zygote to use ashmem fds from system_server.
+allow zygote system_server:fd use;
+
+# Send unsolicited message to system_server
+unix_socket_send(zygote, system_unsolzygote, system_server)
+
+# Allow zygote to access media_variant_prop for static initialization
+get_prop(zygote, media_variant_prop)
+
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
+# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(zygote, packagemanager_config_prop)
+
+# Allow zygote to read qemu.sf.lcd_density
+get_prop(zygote, qemu_sf_lcd_density_prop)
+
+# Allow zygote to read /apex/apex-info-list.xml
+allow zygote apex_info_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server_startup, webview_zygote and
+# app_zygote.
+neverallow zygote ~{
+ appdomain
+ system_server_startup
+ webview_zygote
+ app_zygote
+}:process dyntransition;
+
+# Zygote should never execute anything from /data except for
+# /data/dalvik-cache files or files generated during on-device
+# signing under /data/misc/apexdata/com.android.art/.
+neverallow zygote {
+ data_file_type
+ -apex_art_data_file # map PROT_EXEC
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
+
+# Zygote should not be able to access app private data.
+neverallow zygote app_data_file_type:dir ~getattr;
diff --git a/prebuilts/api/32.0/public/adbd.te b/prebuilts/api/32.0/public/adbd.te
new file mode 100644
index 000000000..5056b3528
--- /dev/null
+++ b/prebuilts/api/32.0/public/adbd.te
@@ -0,0 +1,13 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+type adbd_exec, exec_type, file_type, system_file_type;
+
+# Only init is allowed to enter the adbd domain via exec()
+neverallow { domain -init } adbd:process transition;
+neverallow * adbd:process dyntransition;
+
+# Access /data/local/tests.
+allow adbd shell_test_data_file:dir create_dir_perms;
+allow adbd shell_test_data_file:file create_file_perms;
+allow adbd shell_test_data_file:lnk_file create_file_perms;
diff --git a/prebuilts/api/32.0/public/aidl_lazy_test_server.te b/prebuilts/api/32.0/public/aidl_lazy_test_server.te
new file mode 100644
index 000000000..626d0088b
--- /dev/null
+++ b/prebuilts/api/32.0/public/aidl_lazy_test_server.te
@@ -0,0 +1,9 @@
+type aidl_lazy_test_server, domain;
+type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ binder_use(aidl_lazy_test_server)
+ binder_call(aidl_lazy_test_server, binderservicedomain)
+
+ add_service(aidl_lazy_test_server, aidl_lazy_test_service)
+')
diff --git a/prebuilts/api/32.0/public/apexd.te b/prebuilts/api/32.0/public/apexd.te
new file mode 100644
index 000000000..53bc5692b
--- /dev/null
+++ b/prebuilts/api/32.0/public/apexd.te
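Review bot: `allow zygote self:global_capability_class_set sys_admin;` in zygote.te sits at the end of the `# Control cgroups.` group, but nothing says why the capability is needed, and it is the broadest capability granted anywhere in this file; the many `mounton`, `mount`/`unmount` and relabel rules that follow presumably depend on it as well, which a reader cannot tell from the cgroup heading. A why-comment directly above the line, e.g. `# sys_admin: cgroup administration and the bind-mount/unmount operations below`, would let a reviewer judge the grant against the neverallow rules at the end of the file. The comment `# ingore spurious denials` in the same hunk also has a typo (`ignore`). Both are documentation-only changes that belong in the policy source this prebuilt snapshot mirrors.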
@@ -0,0 +1,11 @@
+# apexd -- manager for APEX packages
+type apexd, domain;
+type apexd_exec, exec_type, file_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)
+
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/prebuilts/api/32.0/public/app.te b/prebuilts/api/32.0/public/app.te
new file mode 100644
index 000000000..5527f9994
--- /dev/null
+++ b/prebuilts/api/32.0/public/app.te
@@ -0,0 +1,603 @@ +### +### Domain for all zygote spawned apps +### +### This file is the base policy for all zygote spawned apps. +### Other policy files, such as isolated_app.te, untrusted_app.te, etc +### extend from this policy. Only policies which should apply to ALL +### zygote spawned apps should be added here. +### +type appdomain_tmpfs, file_type; + +# WebView and other application-specific JIT compilers +allow appdomain self:process execmem; + +allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute; + +# Receive and use open file descriptors inherited from zygote. +allow appdomain zygote:fd use; + +# Receive and use open file descriptors inherited from app zygote. +allow appdomain app_zygote:fd use; + +# gdbserver for ndk-gdb reads the zygote. +# valgrind needs mmap exec for zygote +allow appdomain zygote_exec:file rx_file_perms; + +# Notify zygote of death; +allow appdomain zygote:process sigchld; + +# Read /data/dalvik-cache. +allow appdomain dalvikcache_data_file:dir { search getattr }; +allow appdomain dalvikcache_data_file:file r_file_perms; + +# Read the /sdcard and /mnt/sdcard symlinks +allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms; +allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms; + +# Search /storage/emulated tmpfs mount. +allow appdomain tmpfs:dir r_dir_perms; + +# Notify zygote of the wrapped process PID when using --invoke-with. +allow appdomain zygote:fifo_file write; + +userdebug_or_eng(` + # Allow apps to create and write method traces in /data/misc/trace. + allow appdomain method_trace_data_file:dir w_dir_perms; + allow appdomain method_trace_data_file:file { create w_file_perms }; +') + +# Notify shell and adbd of death when spawned via runas for ndk-gdb. +allow appdomain shell:process sigchld; +allow appdomain adbd:process sigchld; + +# child shell or gdbserver pty access for runas. 
+allow appdomain devpts:chr_file { getattr read write ioctl }; + +# Use pipes and sockets provided by system_server via binder or local socket. +allow appdomain system_server:fd use; +allow appdomain system_server:fifo_file rw_file_perms; +allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; +allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; + +# For AppFuse. +allow appdomain vold:fd use; + +# Communication with other apps via fifos +allow appdomain appdomain:fifo_file rw_file_perms; + +# Communicate with surfaceflinger. +allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; + +# App sandbox file accesses. +allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms; +allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms; + +# Access via already open fds is ok even for mlstrustedsubject. +allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write }; + +# Traverse into expanded storage +allow appdomain mnt_expand_file:dir r_dir_perms; + +# Keychain and user-trusted credentials +r_dir_file(appdomain, keychain_data_file) +allow appdomain misc_user_data_file:dir r_dir_perms; +allow appdomain misc_user_data_file:file r_file_perms; + +# TextClassifier +r_dir_file({ appdomain -isolated_app }, textclassifier_data_file) + +# Access to OEM provided data and apps +allow appdomain oemfs:dir r_dir_perms; +allow appdomain oemfs:file rx_file_perms; + +# Execute the shell or other system executables. 
+allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms; +allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms; +allow appdomain system_file:file x_file_perms; +not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;') + +# Renderscript needs the ability to read directories on /system +allow appdomain system_file:dir r_dir_perms; +allow appdomain system_file:lnk_file { getattr open read }; +# Renderscript specific permissions to open /system/vendor/lib64. +not_full_treble(` + allow appdomain vendor_file_type:dir r_dir_perms; + allow appdomain vendor_file_type:lnk_file { getattr open read }; +') + +full_treble_only(` + # For looking up Renderscript vendor drivers + allow { appdomain -isolated_app } vendor_file:dir { open read }; +') + +# Allow apps access to /vendor/app except for privileged +# apps which cannot be in /vendor. +r_dir_file({ appdomain -ephemeral_app }, vendor_app_file) +allow { appdomain -ephemeral_app } vendor_app_file:file execute; + +# Allow apps access to /vendor/overlay +r_dir_file(appdomain, vendor_overlay_file) + +# Allow apps access to /vendor/framework +# for vendor provided libraries. +r_dir_file(appdomain, vendor_framework_file) + +# Allow apps read / execute access to vendor public libraries. +allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms; +allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map }; + +# Read/write wallpaper file (opened by system). +allow appdomain wallpaper_file:file { getattr read write map }; + +# Read/write cached ringtones (opened by system). +allow appdomain ringtone_file:file { getattr read write map }; + +# Read ShortcutManager icon files (opened by system). +allow appdomain shortcut_manager_icons:file { getattr read map }; + +# Read icon file (opened by system). 
+allow appdomain icon_file:file { getattr read map }; + +# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt). +# +# TODO: All of these permissions except for anr_data_file:file append can be +# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548 +# and the rules below. +allow appdomain anr_data_file:dir search; +allow appdomain anr_data_file:file { open append }; + +# New stack dumping scheme : request an output FD from tombstoned via a unix +# domain socket. +# +# Allow apps to connect and write to the tombstoned java trace socket in +# order to dump their traces. Also allow them to append traces to pipes +# created by dumptrace. (Also see the rules below where they are given +# additional permissions to dumpstate pipes for other aspects of bug report +# creation). +unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned) +allow appdomain tombstoned:fd use; +allow appdomain dumpstate:fifo_file append; +allow appdomain incidentd:fifo_file append; + +# Allow apps to send dump information to dumpstate +allow appdomain dumpstate:fd use; +allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; +allow appdomain dumpstate:fifo_file { write getattr }; +allow appdomain shell_data_file:file { write getattr }; + +# Allow apps to send dump information to incidentd +allow appdomain incidentd:fd use; +allow appdomain incidentd:fifo_file { write getattr }; + +# Allow apps to send information to statsd socket. 
+unix_socket_send(appdomain, statsdw, statsd) + +# Write profiles /data/misc/profiles +allow appdomain user_profile_root_file:dir search; +allow appdomain user_profile_data_file:dir { search write add_name }; +allow appdomain user_profile_data_file:file create_file_perms; + +# Send heap dumps to system_server via an already open file descriptor +# % adb shell am set-watch-heap com.android.systemui 1048576 +# % adb shell dumpsys procstats --start-testing +# debuggable builds only. +userdebug_or_eng(` + allow appdomain heapdump_data_file:file append; +') + +# /proc/net access. +# TODO(b/9496886) Audit access for removal. +# proc_net access for the negated domains below is granted (or not) in their +# individual .te files. +r_dir_file({ + appdomain + -ephemeral_app + -isolated_app + -platform_app + -priv_app + -shell + -system_app + -untrusted_app_all +}, proc_net_type) +# audit access for all these non-core app domains. +userdebug_or_eng(` + auditallow { + appdomain + -ephemeral_app + -isolated_app + -platform_app + -priv_app + -shell + -su + -system_app + -untrusted_app_all + } proc_net_type:{ dir file lnk_file } { getattr open read }; +') + +# Grant GPU access to all processes started by Zygote. +# They need that to render the standard UI. +allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms; + +# Use the Binder. +binder_use(appdomain) +# Perform binder IPC to binder services. +binder_call(appdomain, binderservicedomain) +# Perform binder IPC to other apps. +binder_call(appdomain, appdomain) +# Perform binder IPC to ephemeral apps. +binder_call(appdomain, ephemeral_app) +# Perform binder IPC to gpuservice. +binder_call({ appdomain -isolated_app }, gpuservice) + +# Talk with graphics composer fences +allow appdomain hal_graphics_composer:fd use; + +# Already connected, unnamed sockets being passed over some other IPC +# hence no sock_file or connectto permission. 
This appears to be how +# Chrome works, may need to be updated as more apps using isolated services +# are examined. +allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; + +# Backup ability for every app. BMS opens and passes the fd +# to any app that has backup ability. Hence, no open permissions here. +allow appdomain backup_data_file:file { read write getattr map }; +allow appdomain cache_backup_file:file { read write getattr map }; +allow appdomain cache_backup_file:dir getattr; +# Backup ability using 'adb backup' +allow appdomain system_data_file:lnk_file r_file_perms; +allow appdomain system_data_file:file { getattr read map }; + +# Allow read/stat of /data/media files passed by Binder or local socket IPC. +allow { appdomain -isolated_app } media_rw_data_file:file { read getattr }; + +# Read and write /data/data/com.android.providers.telephony files passed over Binder. +allow { appdomain -isolated_app } radio_data_file:file { read write getattr }; + +# Allow access to external storage; we have several visible mount points under /storage +# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary +allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms; +allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms; +allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms; +allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms; + +# Read/write visible storage +allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms; +allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms; +# This should be removed if sdcardfs is modified to alter the secontext for its +# accesses to the underlying FS. 
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms; +allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms; + +# Allow apps to use the USB Accessory interface. +# http://developer.android.com/guide/topics/connectivity/usb/accessory.html +# +# USB devices are first opened by the system server (USBDeviceManagerService) +# and the file descriptor is passed to the right Activity via binder. +allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl }; +allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr }; + +# For art. +allow appdomain dalvikcache_data_file:file execute; +allow appdomain dalvikcache_data_file:lnk_file r_file_perms; + +# Allow any app to read shared RELRO files. +allow appdomain shared_relro_file:dir search; +allow appdomain shared_relro_file:file r_file_perms; + +# Allow apps to read/execute installed binaries +allow appdomain apk_data_file:dir r_dir_perms; +allow appdomain apk_data_file:file rx_file_perms; + +# /data/resource-cache +allow appdomain resourcecache_data_file:file r_file_perms; +allow appdomain resourcecache_data_file:dir r_dir_perms; + +# logd access +read_logd(appdomain) +control_logd({ appdomain -ephemeral_app }) +# application inherit logd write socket (urge is to deprecate this long term) +allow appdomain zygote:unix_dgram_socket write; + +allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify }; +allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update }; + +allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find; +allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state; + +use_keystore({ appdomain -isolated_app -ephemeral_app }) + +use_credstore({ appdomain -isolated_app -ephemeral_app }) + 
+allow appdomain console_device:chr_file { read write }; + +# only allow unprivileged socket ioctl commands +allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } + ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; + +allow { appdomain -isolated_app } ion_device:chr_file r_file_perms; +allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms; +allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms; + +# Allow AAudio apps to use shared memory file descriptors from the HAL +allow { appdomain -isolated_app } hal_audio:fd use; + +# Allow app to access shared memory created by camera HAL1 +allow { appdomain -isolated_app } hal_camera:fd use; + +# Allow apps to access shared memory file descriptor from the tuner HAL +allow {appdomain -isolated_app} hal_tv_tuner_server:fd use; + +# RenderScript always-passthrough HAL +allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find; +allow appdomain same_process_hal_file:file { execute read open getattr map }; + +# TODO: switch to meminfo service +allow appdomain proc_meminfo:file r_file_perms; + +# For app fuse. +allow appdomain app_fuse_file:file { getattr read append write map }; + +pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client) +pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager) +pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync) +pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client) +# Apps do not directly open the IPC socket for bufferhubd. +pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client) + +### +### CTS-specific rules +### + +# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. +# testRunAsHasCorrectCapabilities +allow appdomain runas_exec:file getattr; +# Others are either allowed elsewhere or not desired. 
+ +# Apps receive an open tun fd from the framework for +# device traffic. Do not allow untrusted app to directly open tun_device +allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl }; +allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF; + +# Connect to adbd and use a socket transferred from it. +# This is used for e.g. adb backup/restore. +allow appdomain adbd:unix_stream_socket connectto; +allow appdomain adbd:fd use; +allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; + +allow appdomain cache_file:dir getattr; + +# Allow apps to run with asanwrapper. +with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;') + +# Read access to FDs from the DropboxManagerService. +allow appdomain dropbox_data_file:file { getattr read }; + +# Read tmpfs types from these processes. +allow appdomain audioserver_tmpfs:file { getattr map read write }; +allow appdomain system_server_tmpfs:file { getattr map read write }; +allow appdomain zygote_tmpfs:file { map read }; + +### +### Neverallow rules +### +### These are things that Android apps should NEVER be able to do +### + +# Superuser capabilities. +# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin. +neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *; + +# Block device access. +neverallow appdomain dev_type:blk_file { read write }; + +# Access to any of the following character devices. +neverallow appdomain { + audio_device + camera_device + dm_device + radio_device + rpmsg_device + video_device +}:chr_file { read write }; + +# Note: Try expanding list of app domains in the future. 
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; + +neverallow { appdomain -nfc } nfc_device:chr_file + { read write }; +neverallow { appdomain -bluetooth } hci_attach_dev:chr_file + { read write }; +neverallow appdomain tee_device:chr_file { read write }; + +# Privileged netlink socket interfaces. +neverallow { appdomain -network_stack } + domain:{ + netlink_tcpdiag_socket + netlink_nflog_socket + netlink_xfrm_socket + netlink_audit_socket + netlink_dnrt_socket + } *; + +# These messages are broadcast messages from the kernel to userspace. +# Do not allow the writing of netlink messages, which has been a source +# of rooting vulns in the past. +neverallow appdomain domain:netlink_kobject_uevent_socket { write append }; + +# Sockets under /dev/socket that are not specifically typed. +neverallow appdomain socket_device:sock_file write; + +# Unix domain sockets. +neverallow appdomain adbd_socket:sock_file write; +neverallow { appdomain -radio } rild_socket:sock_file write; + +# ptrace access to non-app domains. +neverallow appdomain { domain -appdomain }:process ptrace; + +# The Android security model guarantees the confidentiality and integrity +# of application data and execution state. Ptrace bypasses those +# confidentiality guarantees. Disallow ptrace access from system components +# to apps. Crash_dump is excluded, as it needs ptrace access to +# produce stack traces. llkd is excluded, as it needs ptrace access to +# inspect stack traces for live lock conditions. + +neverallow { + domain + -appdomain + -crash_dump + userdebug_or_eng(`-llkd') +} appdomain:process ptrace; + +# Read or write access to /proc/pid entries for any non-app domain. +# A different form of hidepid=2 like protections +neverallow appdomain { domain -appdomain }:file no_w_file_perms; +neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms; + +# signal access to non-app domains. +# sigchld allowed for parent death notification. 
+# signull allowed for kill(pid, 0) existence test. +# All others prohibited. +# -perfetto is to allow shell (which is an appdomain) to kill perfetto +# (see private/shell.te). +neverallow appdomain { domain -appdomain -perfetto }:process + { sigkill sigstop signal }; + +# Write to rootfs. +neverallow appdomain rootfs:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; + +# Write to /system. +neverallow appdomain system_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; + +# Write to entrypoint executables. +neverallow appdomain exec_type:file + { create write setattr relabelfrom relabelto append unlink link rename }; + +# Write to system-owned parts of /data. +# This is the default type for anything under /data not otherwise +# specified in file_contexts. Define a different type for portions +# that should be writable by apps. +neverallow appdomain system_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; + +# Write to various other parts of /data. 
+neverallow appdomain drm_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow { appdomain -platform_app } + apk_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow { appdomain -platform_app } + apk_tmp_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow { appdomain -platform_app } + apk_private_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow { appdomain -platform_app } + apk_private_tmp_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow { appdomain -shell } + shell_data_file:dir_file_class_set + { create setattr relabelfrom relabelto append unlink link rename }; +neverallow { appdomain -bluetooth } + bluetooth_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *; +neverallow appdomain + keystore_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow appdomain + systemkeys_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow appdomain + wifi_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow appdomain + dhcp_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; + +# access tmp apk files +neverallow { appdomain -untrusted_app_all -platform_app -priv_app } + { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *; + +neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *; +neverallow untrusted_app_all { 
apk_tmp_file apk_private_tmp_file }:file ~{ getattr read }; + +# Access to factory files. +neverallow appdomain efs_file:dir_file_class_set write; +neverallow { appdomain -shell } efs_file:dir_file_class_set read; + +# Write to various pseudo file systems. +neverallow { appdomain -bluetooth -nfc } + sysfs:dir_file_class_set write; +neverallow appdomain + proc:dir_file_class_set write; + +# Access to syslog(2) or /proc/kmsg. +neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console }; + +# SELinux is not an API for apps to use +neverallow { appdomain -shell } *:security { compute_av check_context }; +neverallow { appdomain -shell } *:netlink_selinux_socket *; + +# Ability to perform any filesystem operation other than statfs(2). +# i.e. no mount(2), unmount(2), etc. +neverallow appdomain fs_type:filesystem ~getattr; + +# prevent creation/manipulation of globally readable symlinks +neverallow appdomain { + apk_data_file + cache_file + cache_recovery_file + dev_type + rootfs + system_file + tmpfs +}:lnk_file no_w_file_perms; + +# Applications should use the activity model for receiving events +neverallow { + appdomain + -shell # bugreport +} input_device:chr_file ~getattr; + +# Do not allow access to Bluetooth-related system properties except for a few allowed domains. +# neverallow rules for access to Bluetooth-related data files are above. 
+neverallow { + appdomain + -bluetooth + -system_app +} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms; + +# Apps cannot access proc_uid_time_in_state +neverallow appdomain proc_uid_time_in_state:file *; + +# Apps cannot access proc_uid_concurrent_active_time +neverallow appdomain proc_uid_concurrent_active_time:file *; + +# Apps cannot access proc_uid_concurrent_policy_time +neverallow appdomain proc_uid_concurrent_policy_time:file *; + +# Apps cannot access proc_uid_cpupower +neverallow appdomain proc_uid_cpupower:file *; + +# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the +# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to +# perform UID lookups. +neverallow { appdomain -shell } proc_net_tcp_udp:file *; + +# Apps cannot access bootstrap files. The bootstrap files are only for +# extremely early processes (like init, etc.) which are started before +# the runtime APEX is activated and Bionic libs are provided from there. +# If app process accesses (or even load/execute) the bootstrap files, +# it might cause problems such as ODR violation, etc. +neverallow appdomain system_bootstrap_lib_file:file + { open read write append execute execute_no_trans map }; +neverallow appdomain system_bootstrap_lib_file:dir + { open read getattr search }; + +# Allow to read ro.vendor.camera.extensions.enabled +get_prop(appdomain, camera2_extensions_prop) + +# Allow to ro.camerax.extensions.enabled +get_prop(appdomain, camerax_extensions_prop) diff --git a/prebuilts/api/32.0/public/app_zygote.te b/prebuilts/api/32.0/public/app_zygote.te new file mode 100644 index 000000000..4c1ec9652 --- /dev/null +++ b/prebuilts/api/32.0/public/app_zygote.te 
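Review bot: `allow appdomain devpts:chr_file { getattr read write ioctl };` (under the "child shell or gdbserver pty access for runas" comment near the top of the hunk) hands every app domain unrestricted ioctl on pty devices, and nothing in this file narrows that set, whereas the socket ioctls later in the same hunk are explicitly bounded with `allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };`. If the tty restriction lives elsewhere (I believe AOSP bounds `devpts:chr_file ioctl` in domain.te), a cross-reference such as `# ioctl set on devpts is bounded by the allowxperm in domain.te` would save the next reviewer the lookup; if it does not, the rule needs its own allowxperm. Separately, `allow appdomain console_device:chr_file { read write };` carries no justification comment at all, which is unusual for a grant to every app. Since this file is a frozen 32.0 API snapshot, either change belongs in public/app.te first and must be re-synced here rather than edited in prebuilts.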
@@ -0,0 +1,6 @@
+# app_zygote is an auxiliary zygote process that is used to spawn
+# isolated service processes for individual applications. It is
+# spawned from the regular zygote process as a "child zygote".
+
+type app_zygote, domain;
+type app_zygote_tmpfs, file_type;
diff --git a/prebuilts/api/32.0/public/asan_extract.te b/prebuilts/api/32.0/public/asan_extract.te
new file mode 100644
index 000000000..d8a1b7366
--- /dev/null
+++ b/prebuilts/api/32.0/public/asan_extract.te
@@ -0,0 +1,33 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+ type asan_extract, domain, coredomain;
+ type asan_extract_exec, exec_type, file_type, system_file_type;
+
+ # Allow asan_extract to execute itself using #!/system/bin/sh
+ allow asan_extract shell_exec:file rx_file_perms;
+
+ # We execute log, rm, gzip and tar.
+ allow asan_extract toolbox_exec:file rx_file_perms;
+ allow asan_extract system_file:file execute_no_trans;
+
+ # asan_extract deletes old /data/lib.
+ allow asan_extract system_file:dir { open read remove_name rmdir write };
+ allow asan_extract system_file:file unlink;
+
+ # asan_extract untars ASAN libraries into /data.
+ allow asan_extract system_data_file:dir create_dir_perms ;
+ allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+ # Relabel the libraries with restorecon.
+ allow asan_extract file_contexts_file:file r_file_perms;
+ allow asan_extract system_data_file:{ dir file } relabelfrom;
+ allow asan_extract system_file:dir { relabelto setattr };
+ allow asan_extract system_file:file relabelto;
+
+ # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+ allow asan_extract system_data_file:file execute;
+')
diff --git a/prebuilts/api/32.0/public/atrace.te b/prebuilts/api/32.0/public/atrace.te
new file mode 100644
index 000000000..7327f84ec
--- /dev/null
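Review bot: The relabel rules at the end of the `with_asan` block in asan_extract.te — `allow asan_extract system_data_file:{ dir file } relabelfrom;` followed by `relabelto` into `system_file` — turn a writable /data path into system_file, a type that app.te in this same change lets every app domain execute (`allow appdomain system_file:file x_file_perms;`), and `allow asan_extract system_data_file:file execute;` additionally executes unrelabelled /data content. That is tolerable only because these rules are confined to sanitizer builds by the with_asan() macro, but the block never says so; I would add above the relabel rules: `# Relabelling /data content to system_file makes it executable by every domain; acceptable only because with_asan rules exist solely in sanitizer builds.` As this is a frozen 32.0 prebuilt snapshot, the comment should land in public/asan_extract.te and be re-frozen rather than edited here.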
+++ b/prebuilts/api/32.0/public/atrace.te
@@ -0,0 +1 @@
+type atrace, domain, coredomain;
diff --git a/prebuilts/api/32.0/public/attributes b/prebuilts/api/32.0/public/attributes
new file mode 100644
index 000000000..b60c9cc62
--- /dev/null
+++ b/prebuilts/api/32.0/public/attributes
@@ -0,0 +1,401 @@ +###################################### +# Attribute declarations +# + +# All types used for devices. +# On change, update CHECK_FC_ASSERT_ATTRS +# in tools/checkfc.c +attribute dev_type; + +# Attribute for block devices. +attribute bdev_type; + +# All types used for processes. +attribute domain; + +# All types used for filesystems. +# On change, update CHECK_FC_ASSERT_ATTRS +# definition in tools/checkfc.c. +attribute fs_type; + +# All types used for context= mounts. +attribute contextmount_type; + +# All types used for files that can exist on a labeled fs. +# Do not use for pseudo file types. +# On change, update CHECK_FC_ASSERT_ATTRS +# definition in tools/checkfc.c. +attribute file_type; + +# All types used for domain entry points. +attribute exec_type; + +# All types used for /data files. +attribute data_file_type; +expandattribute data_file_type false; +# All types in /data, not in /data/vendor +attribute core_data_file_type; +expandattribute core_data_file_type false; + +# All types used for app private data files in seapp_contexts. +# Such types should not be applied to any other files. +attribute app_data_file_type; +expandattribute app_data_file_type false; + +# All types in /system +attribute system_file_type; + +# All types in /vendor +attribute vendor_file_type; + +# All types used for procfs files. +attribute proc_type; +expandattribute proc_type false; + +# Types in /proc/net, excluding qtaguid types. +# TODO(b/9496886) Lock down access to /proc/net. +# This attribute is used to audit access to proc_net. it is temporary and will +# be removed. +attribute proc_net_type; +expandattribute proc_net_type true; + +# All types used for sysfs files. +attribute sysfs_type; + +# Attribute for /sys/class/block files. +attribute sysfs_block_type; + +# All types use for debugfs files. +attribute debugfs_type; + +# All types used for tracefs files. 
+attribute tracefs_type; + +# Attribute used for all sdcards +attribute sdcard_type; + +# All types used for nodes/hosts. +attribute node_type; + +# All types used for network interfaces. +attribute netif_type; + +# All types used for network ports. +attribute port_type; + +# All types used for property service +# On change, update CHECK_PC_ASSERT_ATTRS +# definition in tools/checkfc.c. +attribute property_type; + +# All properties defined in core SELinux policy. Should not be +# used by device specific properties +attribute core_property_type; + +# All properties used to configure log filtering. +attribute log_property_type; + +# All properties that are not specific to device but are added from +# outside of AOSP. (e.g. OEM-specific properties) +# These properties are not accessible from device-specific domains +attribute extended_core_property_type; + +# Properties used for representing ownership. All properties should have one +# of: system_property_type, product_property_type, or vendor_property_type. + +# All properties defined by /system. +attribute system_property_type; +expandattribute system_property_type false; + +# All /system-defined properties used only in /system. +attribute system_internal_property_type; +expandattribute system_internal_property_type false; + +# All /system-defined properties which can't be written outside /system. +attribute system_restricted_property_type; +expandattribute system_restricted_property_type false; + +# All /system-defined properties with no restrictions. +attribute system_public_property_type; +expandattribute system_public_property_type false; + +# All keystore2_key labels. +attribute keystore2_key_type; + +# All properties defined by /product. +# Currently there are no enforcements between /system and /product, so for now +# /product attributes are just replaced to /system attributes. 
+define(`product_property_type', `system_property_type') +define(`product_internal_property_type', `system_internal_property_type') +define(`product_restricted_property_type', `system_restricted_property_type') +define(`product_public_property_type', `system_public_property_type') + +# All properties defined by /vendor. +attribute vendor_property_type; +expandattribute vendor_property_type false; + +# All /vendor-defined properties used only in /vendor. +attribute vendor_internal_property_type; +expandattribute vendor_internal_property_type false; + +# All /vendor-defined properties which can't be written outside /vendor. +attribute vendor_restricted_property_type; +expandattribute vendor_restricted_property_type false; + +# All /vendor-defined properties with no restrictions. +attribute vendor_public_property_type; +expandattribute vendor_public_property_type false; + +# All service_manager types created by system_server +attribute system_server_service; + +# services which should be available to all but isolated apps +attribute app_api_service; + +# services which should be available to all ephemeral apps +attribute ephemeral_app_api_service; + +# services which export only system_api +attribute system_api_service; + +# services which are explicitly disallowed for untrusted apps to access +attribute protected_service; + +# services which served by vendor and also using the copy of libbinder on +# system (for instance via libbinder_ndk). services using a different copy +# of libbinder currently need their own context manager (e.g. +# vndservicemanager) +attribute vendor_service; + +# All types used for services managed by servicemanager. +# On change, update CHECK_SC_ASSERT_ATTRS +# definition in tools/checkfc.c. +attribute service_manager_type; + +# All types used for services managed by hwservicemanager +attribute hwservice_manager_type; + +# All HwBinder services guaranteed to be passthrough. 
These services always run +# in the process of their clients, and thus operate with the same access as +# their clients. +attribute same_process_hwservice; + +# All HwBinder services guaranteed to be offered only by core domain components +attribute coredomain_hwservice; + +# All HwBinder services that untrusted apps can't directly access +attribute protected_hwservice; + +# All types used for services managed by vndservicemanager +attribute vndservice_manager_type; + + +# All domains that can override MLS restrictions. +# i.e. processes that can read up and write down. +attribute mlstrustedsubject; + +# All types that can override MLS restrictions. +# i.e. files that can be read by lower and written by higher +attribute mlstrustedobject; + +# All domains used for apps. +attribute appdomain; + +# All third party apps (except isolated_app and ephemeral_app) +attribute untrusted_app_all; + +# All domains used for apps with network access. +attribute netdomain; + +# All domains used for apps with bluetooth access. +attribute bluetoothdomain; + +# All domains used for binder service domains. +attribute binderservicedomain; + +# update_engine related domains that need to apply an update and run +# postinstall. This includes the background daemon and the sideload tool from +# recovery for A/B devices. +attribute update_engine_common; + +# All core domains (as opposed to vendor/device-specific domains) +attribute coredomain; + +# All vendor hwservice. 
+attribute vendor_hwservice_type; + +# All socket devices owned by core domain components +attribute coredomain_socket; +expandattribute coredomain_socket false; + +# All vendor domains which violate the requirement of not using sockets for +# communicating with core components +# TODO(b/36577153): Remove this once there are no violations +attribute socket_between_core_and_vendor_violators; +expandattribute socket_between_core_and_vendor_violators false; + +# All vendor domains which violate the requirement of not executing +# system processes +# TODO(b/36463595) +attribute vendor_executes_system_violators; +expandattribute vendor_executes_system_violators false; + +# All domains which violate the requirement of not sharing files by path +# between between vendor and core domains. +# TODO(b/34980020) +attribute data_between_core_and_vendor_violators; +expandattribute data_between_core_and_vendor_violators false; + +# All system domains which violate the requirement of not executing vendor +# binaries/libraries. +# TODO(b/62041836) +attribute system_executes_vendor_violators; +expandattribute system_executes_vendor_violators false; + +# All system domains which violate the requirement of not writing vendor +# properties. +# TODO(b/78598545): Remove this once there are no violations +attribute system_writes_vendor_properties_violators; +expandattribute system_writes_vendor_properties_violators false; + +# All system domains which violate the requirement of not writing to +# /mnt/vendor/*. Must not be used on devices launched with P or later. +attribute system_writes_mnt_vendor_violators; +expandattribute system_writes_mnt_vendor_violators false; + +# hwservices that are accessible from untrusted applications +# WARNING: Use of this attribute should be avoided unless +# absolutely necessary. 
It is a temporary allowance to aid the +# transition to treble and will be removed in a future platform +# version, requiring all hwservices that are labeled with this +# attribute to be submitted to AOSP in order to maintain their +# app-visibility. +attribute untrusted_app_visible_hwservice_violators; +expandattribute untrusted_app_visible_hwservice_violators false; + +# halserver domains that are accessible to untrusted applications. These +# domains are typically those hosting hwservices attributed by the +# untrusted_app_visible_hwservice_violators. +# WARNING: Use of this attribute should be avoided unless absolutely necessary. +# It is a temporary allowance to aid the transition to treble and will be +# removed in the future platform version, requiring all halserver domains that +# are labeled with this attribute to be submitted to AOSP in order to maintain +# their app-visibility. +attribute untrusted_app_visible_halserver_violators; +expandattribute untrusted_app_visible_halserver_violators false; + +# PDX services +attribute pdx_endpoint_dir_type; +attribute pdx_endpoint_socket_type; +expandattribute pdx_endpoint_socket_type false; +attribute pdx_channel_socket_type; +expandattribute pdx_channel_socket_type false; + +pdx_service_attributes(display_client) +pdx_service_attributes(display_manager) +pdx_service_attributes(display_screenshot) +pdx_service_attributes(display_vsync) +pdx_service_attributes(performance_client) +pdx_service_attributes(bufferhub_client) + +# All HAL servers +attribute halserverdomain; +# All HAL clients +attribute halclientdomain; +expandattribute halclientdomain true; + +# Exempt for halserverdomain to access sockets. Only builds for automotive +# device types are allowed to use this attribute (enforced by CTS). +# Unlike phone, in a car many modules are external from Android perspective and +# HALs should be able to communicate with those devices through sockets. 
+attribute hal_automotive_socket_exemption; + +# HALs +hal_attribute(allocator); +hal_attribute(atrace); +hal_attribute(audio); +hal_attribute(audiocontrol); +hal_attribute(authsecret); +hal_attribute(bluetooth); +hal_attribute(bootctl); +hal_attribute(bufferhub); +hal_attribute(broadcastradio); +hal_attribute(camera); +hal_attribute(can_bus); +hal_attribute(can_controller); +hal_attribute(cas); +hal_attribute(codec2); +hal_attribute(configstore); +hal_attribute(confirmationui); +hal_attribute(contexthub); +hal_attribute(drm); +hal_attribute(dumpstate); +hal_attribute(evs); +hal_attribute(face); +hal_attribute(fingerprint); +hal_attribute(gatekeeper); +hal_attribute(gnss); +hal_attribute(graphics_allocator); +hal_attribute(graphics_composer); +hal_attribute(health); +hal_attribute(health_storage); +hal_attribute(identity); +hal_attribute(input_classifier); +hal_attribute(ir); +hal_attribute(keymaster); +hal_attribute(keymint); +hal_attribute(light); +hal_attribute(lowpan); +hal_attribute(memtrack); +hal_attribute(neuralnetworks); +hal_attribute(nfc); +hal_attribute(oemlock); +hal_attribute(omx); +hal_attribute(power); +hal_attribute(power_stats); +hal_attribute(rebootescrow); +hal_attribute(secure_element); +hal_attribute(sensors); +hal_attribute(telephony); +hal_attribute(tetheroffload); +hal_attribute(thermal); +hal_attribute(tv_cec); +hal_attribute(tv_input); +hal_attribute(tv_tuner); +hal_attribute(usb); +hal_attribute(usb_gadget); +hal_attribute(uwb); +hal_attribute(vehicle); +hal_attribute(vibrator); +hal_attribute(vr); +hal_attribute(weaver); +hal_attribute(wifi); +hal_attribute(wifi_hostapd); +hal_attribute(wifi_supplicant); + +# HwBinder services offered across the core-vendor boundary +# +# We annotate server domains with x_server to loosen the coupling between +# system and vendor images. 
For example, it should be possible to move a service +# from one core domain to another, without having to update the vendor image +# which contains clients of this service. + +attribute automotive_display_service_server; +attribute camera_service_server; +attribute display_service_server; +attribute scheduler_service_server; +attribute sensor_service_server; +attribute stats_service_server; +attribute system_suspend_internal_server; +attribute system_suspend_server; +attribute wifi_keystore_service_server; + +# All types used for super partition block devices. +attribute super_block_device_type; + +# All types used for DMA-BUF heaps +attribute dmabuf_heap_device_type; +expandattribute dmabuf_heap_device_type false; + +# All types used for DSU metadata files. +attribute gsi_metadata_file_type; diff --git a/prebuilts/api/32.0/public/audioserver.te b/prebuilts/api/32.0/public/audioserver.te new file mode 100644 index 000000000..d593567aa --- /dev/null +++ b/prebuilts/api/32.0/public/audioserver.te @@ -0,0 +1,10 @@ +# audioserver - audio services daemon +type audioserver, domain; +type audioserver_tmpfs, file_type; + +# Allow audioserver to signal audio HAL processes and dump their stacks. +allow audioserver hal_audio_server:process signal; + +# Allow audioserver to access sensorservice. +allow audioserver sensorservice_service:service_manager find; +allow audioserver system_server:unix_stream_socket { read write }; diff --git a/prebuilts/api/32.0/public/blkid.te b/prebuilts/api/32.0/public/blkid.te new file mode 100644 index 000000000..dabe01452 --- /dev/null +++ b/prebuilts/api/32.0/public/blkid.te @@ -0,0 +1,2 @@ +# blkid called from vold +type blkid, domain; diff --git a/prebuilts/api/32.0/public/blkid_untrusted.te b/prebuilts/api/32.0/public/blkid_untrusted.te new file mode 100644 index 000000000..4be4c0cb2 --- /dev/null +++ b/prebuilts/api/32.0/public/blkid_untrusted.te @@ -0,0 +1,2 @@ +# blkid for untrusted block devices +type blkid_untrusted, domain; 
diff --git a/prebuilts/api/32.0/public/bluetooth.te b/prebuilts/api/32.0/public/bluetooth.te new file mode 100644 index 000000000..9b3442aa5 --- /dev/null +++ b/prebuilts/api/32.0/public/bluetooth.te @@ -0,0 +1,2 @@ +# bluetooth subsystem +type bluetooth, domain; diff --git a/prebuilts/api/32.0/public/bootanim.te b/prebuilts/api/32.0/public/bootanim.te new file mode 100644 index 000000000..88fe17365 --- /dev/null +++ b/prebuilts/api/32.0/public/bootanim.te @@ -0,0 +1,43 @@ +# bootanimation oneshot service +type bootanim, domain; +type bootanim_exec, system_file_type, exec_type, file_type; + +hal_client_domain(bootanim, hal_configstore) +hal_client_domain(bootanim, hal_graphics_allocator) +hal_client_domain(bootanim, hal_graphics_composer) + +binder_use(bootanim) +binder_call(bootanim, surfaceflinger) +binder_call(bootanim, audioserver) + +hwbinder_use(bootanim) + +allow bootanim gpu_device:chr_file rw_file_perms; + +# /oem access +allow bootanim oemfs:dir search; +allow bootanim oemfs:file r_file_perms; + +allow bootanim audio_device:dir r_dir_perms; +allow bootanim audio_device:chr_file rw_file_perms; + +allow bootanim audioserver_service:service_manager find; +allow bootanim surfaceflinger_service:service_manager find; +allow bootanim surfaceflinger:unix_stream_socket { read write }; + +# Allow access to ion memory allocation device +allow bootanim ion_device:chr_file rw_file_perms; + +# Allow access to DMA-BUF system heap +allow bootanim dmabuf_system_heap_device:chr_file r_file_perms; + +allow bootanim hal_graphics_allocator:fd use; + +# Fences +allow bootanim hal_graphics_composer:fd use; + +# Read access to pseudo filesystems. +allow bootanim proc_meminfo:file r_file_perms; + +# System file accesses. +allow bootanim system_file:dir r_dir_perms; diff --git a/prebuilts/api/32.0/public/bootstat.te b/prebuilts/api/32.0/public/bootstat.te new file mode 100644 index 000000000..5079c28f1 --- /dev/null +++ b/prebuilts/api/32.0/public/bootstat.te 
@@ -0,0 +1,32 @@ +# bootstat command +type bootstat, domain; +type bootstat_exec, system_file_type, exec_type, file_type; + +read_runtime_log_tags(bootstat) + +# Allow persistent storage in /data/misc/bootstat. +allow bootstat bootstat_data_file:dir rw_dir_perms; +allow bootstat bootstat_data_file:file create_file_perms; + +allow bootstat metadata_file:dir search; +allow bootstat metadata_bootstat_file:dir rw_dir_perms; +allow bootstat metadata_bootstat_file:file create_file_perms; + +# ToDo: TBI move access for the following to a system health HAL + +# Allow access to /sys/fs/pstore/ and syslog +allow bootstat pstorefs:dir search; +allow bootstat pstorefs:file r_file_perms; +allow bootstat kernel:system syslog_read; + +# Allow access to reading the logs to read aspects of system health +read_logd(bootstat) + +# Allow bootstat write to statsd. +unix_socket_send(bootstat, statsdw, statsd) + +neverallow { + domain + -bootstat + -init +} system_boot_reason_prop:property_service set; diff --git a/prebuilts/api/32.0/public/bufferhubd.te b/prebuilts/api/32.0/public/bufferhubd.te new file mode 100644 index 000000000..37edb5dce --- /dev/null +++ b/prebuilts/api/32.0/public/bufferhubd.te 
@@ -0,0 +1,25 @@ +# bufferhubd +type bufferhubd, domain, mlstrustedsubject; +type bufferhubd_exec, system_file_type, exec_type, file_type; + +hal_client_domain(bufferhubd, hal_graphics_allocator) + +# TODO(b/112338294): remove these after migrate to Binder +pdx_server(bufferhubd, bufferhub_client) +pdx_client(bufferhubd, performance_client) + +# Access the GPU. +allow bufferhubd gpu_device:chr_file rw_file_perms; + +# Access /dev/ion +allow bufferhubd ion_device:chr_file r_file_perms; + +# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly +# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between +# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX. +# Thus, there is no need to use pdx_client macro. +allow bufferhubd hal_omx_server:fd use; + +# Codec2 is similar to OMX +allow bufferhubd hal_codec2_server:fd use; + diff --git a/prebuilts/api/32.0/public/camera_service_server.te b/prebuilts/api/32.0/public/camera_service_server.te new file mode 100644 index 000000000..352e1b7aa --- /dev/null +++ b/prebuilts/api/32.0/public/camera_service_server.te @@ -0,0 +1 @@ +add_hwservice(camera_service_server, fwk_camera_hwservice) diff --git a/prebuilts/api/32.0/public/cameraserver.te b/prebuilts/api/32.0/public/cameraserver.te new file mode 100644 index 000000000..7a29240c3 --- /dev/null +++ b/prebuilts/api/32.0/public/cameraserver.te 
@@ -0,0 +1,76 @@ +# cameraserver - camera daemon +type cameraserver, domain; +type cameraserver_exec, system_file_type, exec_type, file_type; +type cameraserver_tmpfs, file_type; + +binder_use(cameraserver) +binder_call(cameraserver, binderservicedomain) +binder_call(cameraserver, appdomain) +binder_service(cameraserver) + +hal_client_domain(cameraserver, hal_camera) + +hal_client_domain(cameraserver, hal_graphics_allocator) + +allow cameraserver ion_device:chr_file rw_file_perms; +allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms; + +# Talk with graphics composer fences +allow cameraserver hal_graphics_composer:fd use; + +add_service(cameraserver, cameraserver_service) +add_hwservice(cameraserver, fwk_camera_hwservice) + +allow cameraserver activity_service:service_manager find; +allow cameraserver appops_service:service_manager find; +allow cameraserver audioserver_service:service_manager find; +allow cameraserver batterystats_service:service_manager find; +allow cameraserver cameraproxy_service:service_manager find; +allow cameraserver mediaserver_service:service_manager find; +allow cameraserver package_native_service:service_manager find; +allow cameraserver processinfo_service:service_manager find; +allow cameraserver scheduling_policy_service:service_manager find; +allow cameraserver sensor_privacy_service:service_manager find; +allow cameraserver surfaceflinger_service:service_manager find; + +allow cameraserver hidl_token_hwservice:hwservice_manager find; + +### +### neverallow rules +### + +# cameraserver should never execute any executable without a +# domain transition +neverallow cameraserver { file_type fs_type }:file execute_no_trans; + +# The goal of the mediaserver split is to place media processing code into +# restrictive sandboxes with limited responsibilities and thus limited +# permissions. Example: Audioserver is only responsible for controlling audio +# hardware and processing audio content. 
Cameraserver does the same for camera +# hardware/content. Etc. +# +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *; + +# Allow shell commands from ADB for CTS testing/dumping +allow cameraserver adbd:fd use; +allow cameraserver adbd:unix_stream_socket { read write }; +allow cameraserver shell:fd use; +allow cameraserver shell:unix_stream_socket { read write }; +allow cameraserver shell:fifo_file { read write }; + +# Allow to talk with media codec +allow cameraserver mediametrics_service:service_manager find; +hal_client_domain(cameraserver, hal_codec2) +hal_client_domain(cameraserver, hal_omx) +hal_client_domain(cameraserver, hal_allocator) + +# Allow shell commands from ADB for CTS testing/dumping +userdebug_or_eng(` + allow cameraserver su:fd use; + allow cameraserver su:fifo_file { read write }; + allow cameraserver su:unix_stream_socket { read write }; +') diff --git a/prebuilts/api/32.0/public/charger.te b/prebuilts/api/32.0/public/charger.te new file mode 100644 index 000000000..37359e3bf --- /dev/null +++ b/prebuilts/api/32.0/public/charger.te 
@@ -0,0 +1,40 @@ +type charger, domain; +type charger_exec, system_file_type, exec_type, file_type; + +# Write to /dev/kmsg +allow charger kmsg_device:chr_file rw_file_perms; + +# Read access to pseudo filesystems. +r_dir_file(charger, rootfs) +r_dir_file(charger, cgroup) +r_dir_file(charger, cgroup_v2) + +# Allow to read /sys/class/power_supply directory +allow charger sysfs_type:dir r_dir_perms; + +allow charger self:global_capability_class_set { sys_tty_config }; +allow charger self:global_capability_class_set sys_boot; + +wakelock_use(charger) + +allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +# Read/write to /sys/power/state +allow charger sysfs_power:file rw_file_perms; + +r_dir_file(charger, sysfs_batteryinfo) + +# Read /sys/fs/pstore/console-ramoops +# Don't worry about overly broad permissions for now, as there's +# only one file in /sys/fs/pstore +allow charger pstorefs:dir r_dir_perms; +allow charger pstorefs:file r_file_perms; + +allow charger graphics_device:dir r_dir_perms; +allow charger graphics_device:chr_file rw_file_perms; +allow charger input_device:dir r_dir_perms; +allow charger input_device:chr_file r_file_perms; +allow charger tty_device:chr_file rw_file_perms; +allow charger proc_sysrq:file rw_file_perms; + +hal_client_domain(charger, hal_health) diff --git a/prebuilts/api/32.0/public/crash_dump.te b/prebuilts/api/32.0/public/crash_dump.te new file mode 100644 index 000000000..a6f0a9470 --- /dev/null +++ b/prebuilts/api/32.0/public/crash_dump.te 
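Review bot: `allow charger sysfs_type:dir r_dir_perms;` is wider than its comment promises: the comment names /sys/class/power_supply, but the grant is read on every directory carrying the sysfs_type attribute, while the same hunk already uses the narrower `r_dir_file(charger, sysfs_batteryinfo)` a few lines later. If the attribute-wide read is needed to walk /sys/class down to the battery nodes the comment should say so; otherwise narrow it to the battery label. The later `allow charger proc_sysrq:file rw_file_perms;` carries no comment at all, even though proc_sysrq presumably labels /proc/sysrq-trigger, where a write can force a sync or reboot; a why-comment such as `# Write to /proc/sysrq-trigger (proc_sysrq) from charger mode` would record the intent. The file does not state which binary runs in this domain, so the exact reason for sysrq access cannot be confirmed from here.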
@@ -0,0 +1,78 @@ +type crash_dump, domain; +type crash_dump_exec, system_file_type, exec_type, file_type; + +# crash_dump might inherit CAP_SYS_PTRACE from a privileged process, +# which will result in an audit log even when it's allowed to trace. +dontaudit crash_dump self:global_capability_class_set { sys_ptrace }; + +userdebug_or_eng(` + allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill }; + + # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up. + allow crash_dump kmsg_debug_device:chr_file { open append }; +') + +# Use inherited file descriptors +allow crash_dump domain:fd use; + +# Read/write IPC pipes inherited from crashing processes. +allow crash_dump domain:fifo_file { read write }; + +# Append to pipes given to us by processes requesting dumps (e.g. dumpstate) +allow crash_dump domain:fifo_file { append }; + +# Read information from /proc/$PID. +allow crash_dump domain:process getattr; + +r_dir_file(crash_dump, domain) +allow crash_dump exec_type:file r_file_perms; + +# Read /data/dalvik-cache. +allow crash_dump dalvikcache_data_file:dir { search getattr }; +allow crash_dump dalvikcache_data_file:file r_file_perms; + +# Read APEX data directories. +allow crash_dump apex_module_data_file:dir { getattr search }; + +# Read APK files. +r_dir_file(crash_dump, apk_data_file); + +# Read all /vendor +r_dir_file(crash_dump, { vendor_file same_process_hal_file }) + +# Talk to tombstoned +unix_socket_connect(crash_dump, tombstoned_crash, tombstoned) + +# Talk to ActivityManager. +unix_socket_connect(crash_dump, system_ndebug, system_server) + +# Append to ANR files. +allow crash_dump anr_data_file:file { append getattr }; + +# Append to tombstone files. +allow crash_dump tombstone_data_file:file { append getattr }; + +# crash_dump writes out logcat logs at the bottom of tombstones, +# which is super useful in some cases. 
+unix_socket_connect(crash_dump, logdr, logd) + +# Crash dump is not intended to access the following files. Since these +# are WAI, suppress the denials to clean up the logs. +dontaudit crash_dump { + core_data_file_type + vendor_file_type +}:dir search; +dontaudit crash_dump system_data_file:{ lnk_file file } read; +dontaudit crash_dump property_type:file read; + +# Suppress denials for files in /proc that are passed +# across exec(). +dontaudit crash_dump proc_type:file rw_file_perms; + +### +### neverallow assertions +### + +# A domain transition must occur for crash_dump to get the privileges needed to trace the process. +# Do not allow the execution of crash_dump without a domain transition. +neverallow domain crash_dump_exec:file execute_no_trans; diff --git a/prebuilts/api/32.0/public/credstore.te b/prebuilts/api/32.0/public/credstore.te new file mode 100644 index 000000000..97d942d91 --- /dev/null +++ b/prebuilts/api/32.0/public/credstore.te @@ -0,0 +1,19 @@ +type credstore, domain; +type credstore_exec, system_file_type, exec_type, file_type; + +# credstore daemon +binder_use(credstore) +binder_service(credstore) +binder_call(credstore, system_server) + +allow credstore credstore_data_file:dir create_dir_perms; +allow credstore credstore_data_file:file create_file_perms; + +add_service(credstore, credstore_service) +allow credstore sec_key_att_app_id_provider_service:service_manager find; +allow credstore dropbox_service:service_manager find; +allow credstore authorization_service:service_manager find; +allow credstore keystore:keystore2 get_auth_token; + +r_dir_file(credstore, cgroup) +r_dir_file(credstore, cgroup_v2) diff --git a/prebuilts/api/32.0/public/device.te b/prebuilts/api/32.0/public/device.te new file mode 100644 index 000000000..cc2ef57a4 --- /dev/null +++ b/prebuilts/api/32.0/public/device.te 
@@ -0,0 +1,123 @@ +# Device types +type device, dev_type, fs_type; +type ashmem_device, dev_type, mlstrustedobject; +type ashmem_libcutils_device, dev_type, mlstrustedobject; +type audio_device, dev_type; +type binder_device, dev_type, mlstrustedobject; +type hwbinder_device, dev_type, mlstrustedobject; +type vndbinder_device, dev_type; +type block_device, dev_type, bdev_type; +type camera_device, dev_type; +type dm_device, dev_type, bdev_type; +type dm_user_device, dev_type, bdev_type; +type keychord_device, dev_type; +type loop_control_device, dev_type; +type loop_device, dev_type, bdev_type; +type pmsg_device, dev_type, mlstrustedobject; +type radio_device, dev_type; +type ram_device, dev_type, bdev_type; +type rtc_device, dev_type; +type vd_device, dev_type; +type vold_device, dev_type; +type console_device, dev_type; +type fscklogs, dev_type; +# GPU (used by most UI apps) +type gpu_device, dev_type, mlstrustedobject; +type graphics_device, dev_type; +type hw_random_device, dev_type; +type input_device, dev_type; +type port_device, dev_type; +type lowpan_device, dev_type; +type mtp_device, dev_type, mlstrustedobject; +type nfc_device, dev_type; +type ptmx_device, dev_type, mlstrustedobject; +type kmsg_device, dev_type, mlstrustedobject; +type kmsg_debug_device, dev_type; +type null_device, dev_type, mlstrustedobject; +type random_device, dev_type, mlstrustedobject; +type secure_element_device, dev_type; +type sensors_device, dev_type; +type serial_device, dev_type; +type socket_device, dev_type; +type owntty_device, dev_type, mlstrustedobject; +type tty_device, dev_type; +type video_device, dev_type; +type zero_device, dev_type, mlstrustedobject; +type fuse_device, dev_type, mlstrustedobject; +type iio_device, dev_type; +type ion_device, dev_type, mlstrustedobject; +type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject; +type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject; +type 
dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject; +type qtaguid_device, dev_type; +type watchdog_device, dev_type; +type uhid_device, dev_type, mlstrustedobject; +type uio_device, dev_type; +type tun_device, dev_type, mlstrustedobject; +type usbaccessory_device, dev_type, mlstrustedobject; +type usb_device, dev_type, mlstrustedobject; +type usb_serial_device, dev_type; +type gnss_device, dev_type; +type properties_device, dev_type; +type properties_serial, dev_type; +type property_info, dev_type; + +# All devices have a uart for the hci +# attach service. The uart dev node +# varies per device. This type +# is used in per device policy +type hci_attach_dev, dev_type; + +# All devices have a rpmsg device for +# achieving remoteproc and rpmsg modules +type rpmsg_device, dev_type; + +# Partition layout block device +type root_block_device, dev_type, bdev_type; + +# factory reset protection block device +type frp_block_device, dev_type, bdev_type; + +# System block device mounted on /system. +# Documented at https://source.android.com/devices/bootloader/partitions-images +type system_block_device, dev_type, bdev_type; + +# Recovery block device. +# Documented at https://source.android.com/devices/bootloader/partitions-images +type recovery_block_device, dev_type, bdev_type; + +# boot block device. +# Documented at https://source.android.com/devices/bootloader/partitions-images +type boot_block_device, dev_type, bdev_type; + +# Userdata block device mounted on /data. +# Documented at https://source.android.com/devices/bootloader/partitions-images +type userdata_block_device, dev_type, bdev_type; + +# Cache block device mounted on /cache. +# Documented at https://source.android.com/devices/bootloader/partitions-images +type cache_block_device, dev_type, bdev_type; + +# Block device for any swap partition. +type swap_block_device, dev_type, bdev_type; + +# Metadata block device used for encryption metadata. 
+# Assign this type to the partition specified by the encryptable= +# mount option in your fstab file in the entry for userdata. +# Documented at https://source.android.com/devices/bootloader/partitions-images +type metadata_block_device, dev_type, bdev_type; + +# The 'misc' partition used by recovery and A/B. +# Documented at https://source.android.com/devices/bootloader/partitions-images +type misc_block_device, dev_type, bdev_type; + +# 'super' partition to be used for logical partitioning. +type super_block_device, super_block_device_type, dev_type, bdev_type; + +# sdcard devices; normally vold uses the vold_block_device label and creates a +# separate device node. gsid, however, accesses the original devide node +# created through uevents, so we use a separate label. +type sdcard_block_device, dev_type, bdev_type; + +# Userdata device file for filesystem tunables +type userdata_sysdev, dev_type; diff --git a/prebuilts/api/32.0/public/dhcp.te b/prebuilts/api/32.0/public/dhcp.te new file mode 100644 index 000000000..1d875ab17 --- /dev/null +++ b/prebuilts/api/32.0/public/dhcp.te 
@@ -0,0 +1,28 @@
+type dhcp, domain;
+type dhcp_exec, system_file_type, exec_type, file_type;
+
+net_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:netlink_route_socket nlmsg_write;
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
+
+# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
+allow dhcp toolbox_exec:file rx_file_perms;
+
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net_type:file write;
+
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/32.0/public/display_service_server.te b/prebuilts/api/32.0/public/display_service_server.te
new file mode 100644
index 000000000..c5839fa54
--- /dev/null
+++ b/prebuilts/api/32.0/public/display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/prebuilts/api/32.0/public/dnsmasq.te b/prebuilts/api/32.0/public/dnsmasq.te
new file mode 100644
index 000000000..86f1eb1c9
--- /dev/null
+++ b/prebuilts/api/32.0/public/dnsmasq.te
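Review bot: The rule `allow dhcp proc_net_type:file write;` is broader than the comment above it documents: the comment names one sysctl, `/proc/sys/net/ipv4/conf/*/promote_secondaries`, but `proc_net_type` is, by its naming and by its use as a grouping elsewhere in this policy (`allow domain proc_net_type:dir search;`), an attribute rather than a single type, so the grant presumably covers every file carrying any proc_net_type label. If the live policy has (or can get) a dedicated type for that sysctl, narrowing the rule to it would match the stated intent; otherwise the comment should state the real scope, e.g. `# Writes to proc_net_type sysctls; needed for /proc/sys/net/ipv4/conf/*/promote_secondaries, but the grant covers all proc_net_type files.` This file is a frozen API prebuilt, so any change has to land in the live public/dhcp.te and the snapshot be regenerated to stay byte-identical with it.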
@@ -0,0 +1,28 @@
+# DNS, DHCP services
+type dnsmasq, domain;
+type dnsmasq_exec, system_file_type, exec_type, file_type;
+
+net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO: Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
+
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { getattr read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { getattr read write };
+allow dnsmasq netd:unix_dgram_socket { read write };
+allow dnsmasq netd:udp_socket { read write };
+
+# sometimes a network device vanishes and we try to load module netdev-{devicename}
+dontaudit dnsmasq kernel:system module_request;
diff --git a/prebuilts/api/32.0/public/domain.te b/prebuilts/api/32.0/public/domain.te
new file mode 100644
index 000000000..799a2f1c5
--- /dev/null
+++ b/prebuilts/api/32.0/public/domain.te
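Review bot: `allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;` is the one privileged grant in this file with no justification, while the nearby dac_override and inherited-socket grants each carry a comment or TODO. By its name `priv_sock_ioctls` is the privileged socket-ioctl allowlist, and the allowxperm only has effect if the base `ioctl` permission on `self:udp_socket` is granted elsewhere, presumably by `net_domain()` on the line above; a reader cannot tell from here which privileged ioctls dnsmasq actually issues. I would add `# Privileged socket ioctls (priv_sock_ioctls) on dnsmasq's own UDP sockets; base ioctl permission comes from net_domain(). TODO: enumerate the ioctls dnsmasq needs.` above that line. Since this is a frozen API prebuilt, the comment and any later tightening must go into the live public/dnsmasq.te first, with the snapshot regenerated to match.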
@@ -0,0 +1,1400 @@ +# Rules for all domains. + +# Allow reaping by init. +allow domain init:process sigchld; + +# Intra-domain accesses. +allow domain self:process { + fork + sigchld + sigkill + sigstop + signull + signal + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + getattr + setrlimit +}; +allow domain self:fd use; +allow domain proc:dir r_dir_perms; +allow domain proc_net_type:dir search; +r_dir_file(domain, self) +allow domain self:{ fifo_file file } rw_file_perms; +allow domain self:unix_dgram_socket { create_socket_perms sendto }; +allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; + +# Inherit or receive open files from others. +allow domain init:fd use; + +userdebug_or_eng(` + allow domain su:fd use; + allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown }; + allow domain su:unix_dgram_socket sendto; + + allow { domain -init } su:binder { call transfer }; + + # Running something like "pm dump com.android.bluetooth" requires + # fifo writes + allow domain su:fifo_file { write getattr }; + + # allow "gdbserver --attach" to work for su. + allow domain su:process sigchld; + + # Allow writing coredumps to /cores/* + allow domain coredump_file:file create_file_perms; + allow domain coredump_file:dir ra_dir_perms; +') + +with_native_coverage(` + # Allow writing coverage information to /data/misc/trace + allow domain method_trace_data_file:dir create_dir_perms; + allow domain method_trace_data_file:file create_file_perms; +') + +# Root fs. +allow domain tmpfs:dir { getattr search }; +allow domain rootfs:dir search; +allow domain rootfs:lnk_file { read getattr }; + +# Device accesses. 
+allow domain device:dir search; +allow domain dev_type:lnk_file r_file_perms; +allow domain devpts:dir search; +allow domain dmabuf_heap_device:dir r_dir_perms; +allow domain socket_device:dir r_dir_perms; +allow domain owntty_device:chr_file rw_file_perms; +allow domain null_device:chr_file rw_file_perms; +allow domain zero_device:chr_file rw_file_perms; + +# /dev/ashmem is being deprecated by means of constraining and eventually +# removing all "open" permissions. We preserve the other permissions. +allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; +# This device is used by libcutils, which is accessible to everyone. +allow domain ashmem_libcutils_device:chr_file rw_file_perms; + +# /dev/binder can be accessed by ... everyone! :) +allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms; + +# Restrict binder ioctls to an allowlist. Additional ioctl commands may be +# added to individual domains, but this sets safe defaults for all processes. +allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls }; + +# /dev/binderfs needs to be accessed by everyone too! 
+allow domain binderfs:dir { getattr search }; +allow domain binderfs_logs_proc:dir search; + +allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms; +allow domain ptmx_device:chr_file rw_file_perms; +allow domain random_device:chr_file rw_file_perms; +allow domain proc_random:dir r_dir_perms; +allow domain proc_random:file r_file_perms; +allow domain properties_device:dir { search getattr }; +allow domain properties_serial:file r_file_perms; +allow domain property_info:file r_file_perms; + +# Public readable properties +get_prop(domain, aaudio_config_prop) +get_prop(domain, arm64_memtag_prop) +get_prop(domain, bootloader_prop) +get_prop(domain, build_odm_prop) +get_prop(domain, build_prop) +get_prop(domain, build_vendor_prop) +get_prop(domain, debug_prop) +get_prop(domain, exported_config_prop) +get_prop(domain, exported_default_prop) +get_prop(domain, exported_dumpstate_prop) +get_prop(domain, exported_secure_prop) +get_prop(domain, exported_system_prop) +get_prop(domain, fingerprint_prop) +get_prop(domain, hal_instrumentation_prop) +get_prop(domain, hw_timeout_multiplier_prop) +get_prop(domain, init_service_status_prop) +get_prop(domain, libc_debug_prop) +get_prop(domain, logd_prop) +get_prop(domain, mediadrm_config_prop) +get_prop(domain, property_service_version_prop) +get_prop(domain, soc_prop) +get_prop(domain, socket_hook_prop) +get_prop(domain, surfaceflinger_prop) +get_prop(domain, telephony_status_prop) +get_prop(domain, vendor_socket_hook_prop) +get_prop(domain, vndk_prop) +get_prop(domain, vold_status_prop) +get_prop(domain, vts_config_prop) + +# Binder cache properties are world-readable +get_prop(domain, binder_cache_bluetooth_server_prop) +get_prop(domain, binder_cache_system_server_prop) +get_prop(domain, binder_cache_telephony_server_prop) + +# Let everyone read log properties, so that liblog can avoid sending unloggable +# messages to logd. 
+get_prop(domain, log_property_type) +dontaudit domain property_type:file audit_access; +allow domain property_contexts_file:file r_file_perms; + +allow domain init:key search; +allow domain vold:key search; + +# logd access +write_logd(domain) + +# Directory/link file access for path resolution. +allow domain { + system_file + system_lib_file + system_seccomp_policy_file + system_security_cacerts_file +}:dir r_dir_perms; +allow domain system_file:lnk_file { getattr read }; + +# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, +# /(system|product|system_ext)/etc/(group|passwd), linker and its config. +allow domain system_seccomp_policy_file:file r_file_perms; +# cacerts are accessible from public Java API. +allow domain system_security_cacerts_file:file r_file_perms; +allow domain system_group_file:file r_file_perms; +allow domain system_passwd_file:file r_file_perms; +allow domain system_linker_exec:file { execute read open getattr map }; +allow domain system_linker_config_file:file r_file_perms; +allow domain system_lib_file:file { execute read open getattr map }; +# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. +allow domain system_linker_exec:lnk_file { read open getattr }; +allow domain system_lib_file:lnk_file { read open getattr }; + +allow domain system_event_log_tags_file:file r_file_perms; + +allow { appdomain coredomain } system_file:file { execute read open getattr map }; + +# Make sure system/vendor split doesn not affect non-treble +# devices +not_full_treble(` + allow domain system_file:file { execute read open getattr map }; + allow domain vendor_file_type:dir { search getattr }; + allow domain vendor_file_type:file { execute read open getattr map }; + allow domain vendor_file_type:lnk_file { getattr read }; +') + +# All domains are allowed to open and read directories +# that contain HAL implementations (e.g. 
passthrough +# HALs require clients to have these permissions) +allow domain vendor_hal_file:dir r_dir_perms; + +# Everyone can read and execute all same process HALs +allow domain same_process_hal_file:dir r_dir_perms; +allow { + domain + -coredomain # access is explicitly granted to individual coredomains +} same_process_hal_file:file { execute read open getattr map }; + +# Any process can load vndk-sp libraries, which are system libraries +# used by same process HALs +allow domain vndk_sp_file:dir r_dir_perms; +allow domain vndk_sp_file:file { execute read open getattr map }; + +# All domains get access to /vendor/etc +allow domain vendor_configs_file:dir r_dir_perms; +allow domain vendor_configs_file:file { read open getattr map }; + +full_treble_only(` + # Allow all domains to be able to follow /system/vendor and/or + # /vendor/odm symlinks. + allow domain vendor_file_type:lnk_file { getattr open read }; + + # This is required to be able to search & read /vendor/lib64 + # in order to lookup vendor libraries. The execute permission + # for coredomains is granted *only* for same process HALs + allow domain vendor_file:dir { getattr search }; + + # Allow reading and executing out of /vendor to all vendor domains + allow { domain -coredomain } vendor_file_type:dir r_dir_perms; + allow { domain -coredomain } vendor_file_type:file { read open getattr execute map }; + allow { domain -coredomain } vendor_file_type:lnk_file { getattr read }; +') + +# read and stat any sysfs symlinks +allow domain sysfs:lnk_file { getattr read }; + +# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for +# timezone related information. 
+# This directory is considered to be a VNDK-stable +allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms; +allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms; + +# Lots of processes access current CPU information +r_dir_file(domain, sysfs_devices_system_cpu) + +r_dir_file(domain, sysfs_usb); + +# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically +# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled. +allow domain sysfs_transparent_hugepage:dir search; +allow domain sysfs_transparent_hugepage:file r_file_perms; + +# files under /data. +not_full_treble(` + allow domain system_data_file:dir getattr; +') +allow { coredomain appdomain } system_data_file:dir getattr; +# /data has the label system_data_root_file. Vendor components need the search +# permission on system_data_root_file for path traversal to /data/vendor. +allow domain system_data_root_file:dir { search getattr } ; +allow domain system_data_file:dir search; +# TODO restrict this to non-coredomain +allow domain vendor_data_file:dir { getattr search }; + +# required by the dynamic linker +allow domain proc:lnk_file { getattr read }; + +# /proc/cpuinfo +allow domain proc_cpuinfo:file r_file_perms; + +# /dev/cpu_variant:.* +allow domain dev_cpu_variant:file r_file_perms; + +# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate +allow domain proc_perf:file r_file_perms; + +# toybox loads libselinux which stats /sys/fs/selinux/ +allow domain selinuxfs:dir search; +allow domain selinuxfs:file getattr; +allow domain sysfs:dir search; +allow domain selinuxfs:filesystem getattr; + +# Almost all processes log tracing information to +# /sys/kernel/debug/tracing/trace_marker +# The reason behind this is documented in b/6513400 +allow domain debugfs:dir search; +allow domain debugfs_tracing:dir search; +allow domain debugfs_tracing_debug:dir search; +allow domain debugfs_trace_marker:file w_file_perms; + +# Linux 
lockdown mode offers coarse-grained definitions for access controls. +# The "confidentiality" level detects access to tracefs or the perf subsystem. +# This overlaps with more precise declarations in Android's policy. The +# debugfs_trace_marker above is an example in which all processes should have +# some access to tracefs. Therefore, allow all domains to access this level. +# The "integrity" level is however enforced. +allow domain self:lockdown confidentiality; + +# Filesystem access. +allow domain fs_type:filesystem getattr; +allow domain fs_type:dir getattr; + +# Restrict all domains to an allowlist for common socket types. Additional +# ioctl commands may be added to individual domains, but this sets safe +# defaults for all processes. Note that granting this allowlist to domain does +# not grant the ioctl permission on these socket types. That must be granted +# separately. +allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } + ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; +# default allowlist for unix sockets. +allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } + ioctl unpriv_unix_sock_ioctls; + +# Restrict PTYs to only allowed ioctls. +# Note that granting this allowlist to domain does +# not grant the wider ioctl permission. That must be granted +# separately. +allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; + +# All domains must clearly enumerate what ioctls they use +# on filesystem objects (plain files, directories, symbolic links, +# named pipes, and named sockets). We start off with a safe set. +allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; + +# If a domain has ioctl access to tun_device, it must clearly enumerate the +# ioctls used. Safe defaults are listed below. 
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; + +# Allow a process to make a determination whether a file descriptor +# for a plain file or pipe (fifo_file) is a tty. Note that granting +# this allowlist to domain does not grant the ioctl permission to +# these files. That must be granted separately. +allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; +allowxperm domain domain:fifo_file ioctl { TCGETS }; + +# If a domain has access to perform an ioctl on a block device, allow these +# very common, benign ioctls +allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }; + +# Support sqlite F2FS specific optimizations +# ioctl permission on the specific file type is still required +# TODO: consider only compiling these rules if we know the +# /data partition is F2FS +allowxperm domain { file_type sdcard_type }:file ioctl { + F2FS_IOC_ABORT_VOLATILE_WRITE + F2FS_IOC_COMMIT_ATOMIC_WRITE + F2FS_IOC_GET_FEATURES + F2FS_IOC_GET_PIN_FILE + F2FS_IOC_SET_PIN_FILE + F2FS_IOC_START_ATOMIC_WRITE +}; + +# Workaround for policy compiler being too aggressive and removing hwservice_manager_type +# when it's not explicitly used in allow rules +allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; +# Workaround for policy compiler being too aggressive and removing vndservice_manager_type +# when it's not explicitly used in allow rules +allow { domain -domain } vndservice_manager_type:service_manager { add find }; + +# Under ASAN, processes will try to read /data, as the sanitized libraries are there. +with_asan(`allow domain system_data_file:dir getattr;') +# Under ASAN, /system/asan.options needs to be globally accessible. +with_asan(`allow domain system_asan_options_file:file r_file_perms;') + +# read APEX dir and stat any symlink pointing to APEXs. 
+allow domain apex_mnt_dir:dir { getattr search }; +allow domain apex_mnt_dir:lnk_file r_file_perms; + +### +### neverallow rules +### + +# All ioctls on file-like objects (except chr_file and blk_file) and +# sockets must be restricted to an allowlist. +neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; + +# b/68014825 and https://android-review.googlesource.com/516535 +# rfc6093 says that processes should not use the TCP urgent mechanism +neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; + +# TIOCSTI is only ever used for exploits. Block it. +# b/33073072, b/7530569 +# http://www.openwall.com/lists/oss-security/2016/09/26/14 +neverallowxperm * devpts:chr_file ioctl TIOCSTI; + +# Do not allow any domain other than init to create unlabeled files. +neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; + +# Limit device node creation to these allowed domains. +neverallow { + domain + -kernel + -init + -ueventd + -vold +} self:global_capability_class_set mknod; + +# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). +neverallow * self:memprotect mmap_zero; + +# No domain needs mac_override as it is unused by SELinux. +neverallow * self:global_capability2_class_set mac_override; + +# Disallow attempts to set contexts not defined in current policy +# This helps guarantee that unknown or dangerous contents will not ever +# be set. +neverallow * self:global_capability2_class_set mac_admin; + +# Once the policy has been loaded there shall be none to modify the policy. +# It is sealed. +neverallow * kernel:security load_policy; + +# Only init prior to switching context should be able to set enforcing mode. +# init starts in kernel domain and switches to init domain via setcon in +# the init.rc, so the setenforce occurs while still in kernel. After +# switching domains, there is never any need to setenforce again by init. 
+neverallow * kernel:security setenforce; +neverallow { domain -kernel } kernel:security setcheckreqprot; + +# No booleans in AOSP policy, so no need to ever set them. +neverallow * kernel:security setbool; + +# Adjusting the AVC cache threshold. +# Not presently allowed to anything in policy, but possibly something +# that could be set from init.rc. +neverallow { domain -init } kernel:security setsecparam; + +# Only the kernel hwrng thread should be able to read from the HW RNG. +neverallow { + domain + -shell # For CTS, restricted to just getattr in shell.te + -ueventd # To create the /dev/hw_random file +} hw_random_device:chr_file *; +# b/78174219 b/64114943 +neverallow { + domain + -shell # stat of /dev, getattr only + -ueventd +} keychord_device:chr_file *; + +# Ensure that all entrypoint executables are in exec_type or postinstall_file. +neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; + +# The dynamic linker always calls access(2) on the path. Don't generate SElinux +# denials since the linker does not actually access the path in case the path +# does not exist or isn't accessible for the process. +dontaudit domain postinstall_mnt_dir:dir audit_access; + +#Ensure that nothing in userspace can access /dev/port +neverallow { + domain + -shell # Shell user should not have any abilities outside of getattr + -ueventd +} port_device:chr_file *; +neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; +# Only init should be able to configure kernel usermodehelpers or +# security-sensitive proc settings. +neverallow { domain -init } usermodehelper:file { append write }; +neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; +neverallow { domain -init -vendor_init } proc_security:file { append open read write }; + +# Init can't do anything with binder calls. If this neverallow rule is being +# triggered, it's probably due to a service with no SELinux domain. 
+neverallow * init:binder *; +neverallow * vendor_init:binder *; + +# Don't allow raw read/write/open access to block_device +# Rather force a relabel to a more specific type +neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; + +# Do not allow renaming of block files or character files +# Ability to do so can lead to possible use in an exploit chain +# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html +neverallow * *:{ blk_file chr_file } rename; + +# Don't allow raw read/write/open access to generic devices. +# Rather force a relabel to a more specific type. +neverallow domain device:chr_file { open read write }; + +# Files from cache should never be executed +neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; + +# The test files and executables MUST not be accessible to any domain +neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms; +neverallow domain nativetest_data_file:dir no_w_dir_perms; +neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; + +neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; +neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; +neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *; +neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms }; +neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *; + +# Only the init property service should write to /data/property and /dev/__properties__ +neverallow { domain -init } property_data_file:dir no_w_dir_perms; +neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; +neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; +neverallow { domain -init } 
properties_device:file { no_w_file_perms no_x_file_perms }; +neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; + +# Nobody should be doing writes to /system & /vendor +# These partitions are intended to be read-only and must never be +# modified. Doing so would violate important Android security guarantees +# and invalidate dm-verity signatures. +neverallow { + domain + with_asan(`-asan_extract') + recovery_only(`userdebug_or_eng(`-fastbootd')') +} { + system_file_type + vendor_file_type + exec_type +}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; + +neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; + +# Don't allow mounting on top of /system files or directories +neverallow * exec_type:dir_file_class_set mounton; + +# Nothing should be writing to files in the rootfs. +neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; + +# Restrict context mounts to specific types marked with +# the contextmount_type attribute. +neverallow * {fs_type -contextmount_type}:filesystem relabelto; + +# Ensure that context mount types are not writable, to ensure that +# the write to /system restriction above is not bypassed via context= +# mount to another type. +neverallow * contextmount_type:dir_file_class_set + { create setattr relabelfrom relabelto append link rename }; +neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink }; + +# Do not allow service_manager add for default service labels. +# Instead domains should use a more specific type such as +# system_app_service rather than the generic type. +# New service_types are defined in {,hw,vnd}service.te and new mappings +# from service name to service_type are defined in {,hw,vnd}service_contexts. 
+neverallow * default_android_service:service_manager *; +neverallow * default_android_vndservice:service_manager *; +neverallow * default_android_hwservice:hwservice_manager *; + +# Looking up the base class/interface of all HwBinder services is a bad idea. +# hwservicemanager currently offer such lookups only to make it so that security +# decisions are expressed in SELinux policy. However, it's unclear whether this +# lookup has security implications. If it doesn't, hwservicemanager should be +# modified to not offer this lookup. +# This rule can be removed if hwservicemanager is modified to not permit these +# lookups. +neverallow * hidl_base_hwservice:hwservice_manager find; + +# Require that domains explicitly label unknown properties, and do not allow +# anyone but init to modify unknown properties. +neverallow { domain -init -vendor_init } mmc_prop:property_service set; +neverallow { domain -init -vendor_init } vndk_prop:property_service set; + +compatible_property_only(` + neverallow { domain -init } mmc_prop:property_service set; + neverallow { domain -init -vendor_init } exported_default_prop:property_service set; + neverallow { domain -init } exported_secure_prop:property_service set; + neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; + neverallow { domain -init -vendor_init } storage_config_prop:property_service set; + neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; +') + +compatible_property_only(` + neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; + neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; +') + +neverallow { domain -init } aac_drc_prop:property_service set; +neverallow { domain -init } build_prop:property_service set; + +# Do not allow reading device's serial number from system properties except form +# a few allowed domains. 
+neverallow { + domain + -adbd + -dumpstate + -fastbootd + -hal_camera_server + -hal_cas_server + -hal_drm_server + userdebug_or_eng(`-incidentd') + -init + -mediadrmserver + -mediaserver + -recovery + -shell + -system_server + -vendor_init +} serialno_prop:file r_file_perms; + +neverallow { + domain + -init + -recovery + -system_server + -shell # Shell is further restricted in shell.te + -ueventd # Further restricted in ueventd.te +} frp_block_device:blk_file no_rw_file_perms; + +# The metadata block device is set aside for device encryption and +# verified boot metadata. It may be reset at will and should not +# be used by other domains. +neverallow { + domain + -init + -recovery + -vold + -e2fs + -fsck + -fastbootd +} metadata_block_device:blk_file { append link rename write open read ioctl lock }; + +# No domain other than recovery, update_engine and fastbootd can write to system partition(s). +neverallow { + domain + -fastbootd + userdebug_or_eng(`-fsck') + userdebug_or_eng(`-init') + -recovery + -update_engine +} system_block_device:blk_file { write append }; + +# No domains other than a select few can access the misc_block_device. This +# block device is reserved for OTA use. +# Do not assert this rule on userdebug/eng builds, due to some devices using +# this partition for testing purposes. 
+neverallow { + domain + userdebug_or_eng(`-domain') # exclude debuggable builds + -fastbootd + -hal_bootctl_server + -init + -uncrypt + -update_engine + -vendor_init + -vendor_misc_writer + -vold + -recovery + -ueventd +} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; + +# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager +neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; +# The service managers are only allowed to access their own device node +neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; +neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; +neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; +neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; +neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; +neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; + +# system services cant add vendor services +neverallow { + coredomain +} vendor_service:service_manager add; + +full_treble_only(` + # vendor services cant add system services + neverallow { + domain + -coredomain + } { + service_manager_type + -vendor_service + }:service_manager add; +') + +full_treble_only(` + # Vendor apps are permited to use only stable public services. If they were to use arbitrary + # services which can change any time framework/core is updated, breakage is likely. + # + # Note, this same logic applies to untrusted apps, but neverallows for these are separate. 
+ neverallow { + appdomain + -coredomain + } { + service_manager_type + + -app_api_service + -vendor_service # must be @VintfStability to be used by an app + -ephemeral_app_api_service + + -apc_service + -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed + -cameraserver_service + -drmserver_service + -credstore_service + -keystore_maintenance_service + -keystore_service + -legacykeystore_service + -mediadrmserver_service + -mediaextractor_service + -mediametrics_service + -mediaserver_service + -nfc_service + -radio_service + -virtual_touchpad_service + -vr_hwc_service + -vr_manager_service + userdebug_or_eng(`-hal_face_service') + }:service_manager find; +') + +# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. +full_treble_only(` + neverallow { + coredomain + -shell + userdebug_or_eng(`-su') + -ueventd # uevent is granted create for this device, but we still neverallow I/O below + } vndbinder_device:chr_file rw_file_perms; +') +full_treble_only(` + neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; +') +full_treble_only(` + neverallow { + coredomain + -shell + userdebug_or_eng(`-su') + } vndservice_manager_type:service_manager *; +') +full_treble_only(` + neverallow { + coredomain + -shell + userdebug_or_eng(`-su') + } vndservicemanager:binder *; +') + +# On full TREBLE devices, socket communications between core components and vendor components are +# not permitted. + # Most general rules first, more specific rules below. + + # Core domains are not permitted to initiate communications to vendor domain sockets. + # We are not restricting the use of already established sockets because it is fine for a process + # to obtain an already established socket via some public/official/stable API and then exchange + # data with its peer over that socket. The wire format in this scenario is dicatated by the API + # and thus does not break the core-vendor separation. 
+full_treble_only(` + neverallow_establish_socket_comms({ + coredomain + -init + -adbd + }, { + domain + -coredomain + -socket_between_core_and_vendor_violators + }); +') + + # Vendor domains are not permitted to initiate create/open sockets owned by core domains +full_treble_only(` + neverallow { + domain + -coredomain + -appdomain # appdomain restrictions below + -data_between_core_and_vendor_violators # b/70393317 + -socket_between_core_and_vendor_violators + -vendor_init + } { + coredomain_socket + core_data_file_type + unlabeled # used only by core domains + }:sock_file ~{ append getattr ioctl read write }; +') +full_treble_only(` + neverallow { + appdomain + -coredomain + } { + coredomain_socket + unlabeled # used only by core domains + core_data_file_type + -app_data_file + -privapp_data_file + -pdx_endpoint_socket_type # used by VR layer + -pdx_channel_socket_type # used by VR layer + }:sock_file ~{ append getattr ioctl read write }; +') + + # Core domains are not permitted to create/open sockets owned by vendor domains +full_treble_only(` + neverallow { + coredomain + -init + -ueventd + -socket_between_core_and_vendor_violators + } { + file_type + dev_type + -coredomain_socket + -core_data_file_type + -app_data_file_type + -unlabeled + }:sock_file ~{ append getattr ioctl read write }; +') + +# On TREBLE devices, vendor and system components are only allowed to share +# files by passing open FDs over hwbinder. Ban all directory access and all file +# accesses other than what can be applied to an open FD such as +# ioctl/stat/read/write/append. This is enforced by segregating /data. +# Vendor domains may directly access file in /data/vendor by path, but may only +# access files outside of /data/vendor via an open FD passed over hwbinder. +# Likewise, core domains may only directly access files outside /data/vendor by +# path and files in /data/vendor by open FD. 
+full_treble_only(`
+ # only coredomains may only access core_data_file_type, particularly not
+ # /data/vendor
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ -app_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write map };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ -app_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ }:dir *;
+
+')
+full_treble_only(`
+ # vendor domains may only access files in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
+ } {
+ core_data_file_type
+ # libc includes functions like mktime and localtime which attempt to access
+ # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
+ # These functions are considered vndk-stable and thus must be allowed for
+ # all processes.
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:file_class_set ~{ append getattr ioctl read write map };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:file_class_set ~{ append getattr ioctl read write map };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -system_data_root_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ } {
+ system_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write map };
+')
+
+full_treble_only(`
+ # Non-vendor domains are not allowed to file execute shell
+ # from vendor
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -ueventd
+ } vendor_shell_exec:file { execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow vendor components to execute files from system
+ # except for the ones allowed here.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_executes_system_violators
+ -vendor_init
+ } {
+ system_file_type
+ -system_lib_file
+ -system_linker_exec
+ -crash_dump_exec
+ -iorap_prefetcherd_exec
+ -iorap_inode2filename_exec
+ -netutils_wrapper_exec
+ userdebug_or_eng(`-tcpdump_exec')
+ }:file { entrypoint execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow coredomain to access entrypoint for files other
+ # than system_file_type and postinstall_file
+ neverallow coredomain {
+ file_type
+ -system_file_type
+ -postinstall_file
+ }:file entrypoint;
+ # Do not allow domains other than coredomain to access entrypoint
+ # for anything but vendor_file_type and init_exec for vendor_init.
+ neverallow { domain -coredomain } {
+ file_type
+ -vendor_file_type
+ -init_exec
+ }:file entrypoint;
+')
+
+full_treble_only(`
+ # Do not allow system components to execute files from vendor
+ # except for the ones allowed here.
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -system_executes_vendor_violators
+ -ueventd
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ -vendor_public_framework_file
+ -vendor_public_lib_file
+ }:file execute;
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ -system_executes_vendor_violators
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ }:file execute_no_trans;
+')
+
+full_treble_only(`
+ # Do not allow vendor components access to /system files except for the
+ # ones allowed here.
+ neverallow {
+ domain
+ -appdomain
+ -coredomain
+ -vendor_executes_system_violators
+ # vendor_init needs access to init_exec for domain transition. vendor_init
+ # neverallows are covered in public/vendor_init.te
+ -vendor_init
+ } {
+ system_file_type
+ -crash_dump_exec
+ -file_contexts_file
+ -iorap_inode2filename_exec
+ -netutils_wrapper_exec
+ -property_contexts_file
+ -system_event_log_tags_file
+ -system_group_file
+ -system_lib_file
+ with_asan(`-system_asan_options_file')
+ -system_linker_exec
+ -system_linker_config_file
+ -system_passwd_file
+ -system_seccomp_policy_file
+ -system_security_cacerts_file
+ -system_zoneinfo_file
+ -task_profiles_api_file
+ -task_profiles_file
+ userdebug_or_eng(`-tcpdump_exec')
+ }:file *;
+')
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote:sock_file write;
+neverallow { domain -system_server } app_zygote:sock_file write;
+
+neverallow {
+ domain
+ -tombstoned
+ -crash_dump
+ -dumpstate
+ -incidentd
+ -system_server
+
+ # Processes that can't exec crash_dump
+ -hal_codec2_server
+ -hal_omx_server
+ -mediaextractor
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+ file_type
+ -apk_data_file
+ -app_data_file
+ -asec_public_file
+}:file execmod;
+
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow * self:process { execstack execheap };
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -system_server
+ -system_app
+ -init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
+ -installd # for relabelfrom and unlink, check for this in explicit neverallow
+ -vold_prepare_subdirs # For unlink
+ with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain # finer-grained rules for appdomain are listed below
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -iorap_inode2filename
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
+
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
+neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
+ appdomain -shell -simpleperf userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+} { app_data_file privapp_data_file }:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -init
+ -installd
+ -iorap_inode2filename
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir { open search };
+
+# Same as above for /data/local/tmp files. We allow shell files
+# to be passed around by file descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:file open;
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ vndservicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
+
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ -system_writes_mnt_vendor_violators
+} mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
+')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+ domain
+ -coredomain
+} mnt_product_file:dir *;
+
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
+full_treble_only(`
+ neverallow {
+ coredomain
+ -healthd
+ -shell
+ # Generate uevents for health info
+ -ueventd
+ # Recovery uses health HAL passthrough implementation.
+ -recovery
+ # Charger uses health HAL passthrough implementation.
+ -charger
+ # TODO(b/110891300): remove this exception
+ -incidentd
+ } sysfs_batteryinfo:file { open read };
+')
+
+neverallow {
+ domain
+ -hal_codec2_server
+ -hal_omx_server
+} hal_codec2_hwservice:hwservice_manager add;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+ domain
+ -ephemeral_app # We don't distinguish ephemeral apps based on target API.
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/prebuilts/api/32.0/public/drmserver.te b/prebuilts/api/32.0/public/drmserver.te
new file mode 100644
index 000000000..eede0fce2
--- /dev/null
+++ b/prebuilts/api/32.0/public/drmserver.te 
@@ -0,0 +1,65 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, system_file_type, exec_type, file_type;
+
+typeattribute drmserver mlstrustedsubject;
+
+net_domain(drmserver)
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_call(drmserver, mediametrics)
+binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
+r_dir_file(drmserver, efs_file)
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
+allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
+
+# Read resources from open apk files passed over Binder.
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr map };
+
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
+add_service(drmserver, drmserver_service)
+allow drmserver permission_service:service_manager find;
+allow drmserver mediametrics_service:service_manager find;
+
+selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
+r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/32.0/public/dumpstate.te b/prebuilts/api/32.0/public/dumpstate.te
new file mode 100644
index 000000000..85a579606
--- /dev/null
+++ b/prebuilts/api/32.0/public/dumpstate.te
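Review bot: The rule `allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };` has no comment explaining why write access to app-private files is needed, nor that the absence of `open` confines it to descriptors an app hands over Binder; the neighbouring apk_data_file rule does say "passed over Binder" and this one should too. A one-line comment such as `# Operate on app-private files passed over Binder (no open: FD-only access).` would make the intended scope auditable, and the `sdcard_type:file` rule below it deserves the same treatment. Since prebuilts/api/32.0 appears to be a frozen snapshot of the public policy, the comment would need to land in the source drmserver.te and be re-snapshotted rather than edited here.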
@@ -0,0 +1,394 @@
+# dumpstate
+type dumpstate, domain, mlstrustedsubject;
+type dumpstate_exec, system_file_type, exec_type, file_type;
+
+net_domain(dumpstate)
+binder_use(dumpstate)
+wakelock_use(dumpstate)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+allow dumpstate self:global_capability_class_set {
+ # Send signals to processes
+ kill
+ # Run iptables
+ net_raw
+ net_admin
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
+allow dumpstate toolbox_exec:file rx_file_perms;
+
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
+# Create and write into /data/anr/
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
+allow dumpstate anr_data_file:dir rw_dir_perms;
+allow dumpstate anr_data_file:file create_file_perms;
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
+
+# Read dmesg
+allow dumpstate self:global_capability2_class_set syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server zygote }:process signal;
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.c
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ mediaswcodec
+ sdcardd
+ surfaceflinger
+ vold
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+ hal_audio_server
+ hal_audiocontrol_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_codec2_server
+ hal_drm_server
+ hal_evs_server
+ hal_face_server
+ hal_fingerprint_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_neuralnetworks_server
+ hal_omx_server
+ hal_power_server
+ hal_power_stats_server
+ hal_sensors_server
+ hal_thermal_server
+ hal_vehicle_server
+ hal_vr_server
+ system_suspend_server
+}:process signal;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
+
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
+
+# Other random bits of data we want to collect
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
+
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ metadata_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
+allow dumpstate fuse_device:chr_file getattr;
+allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
+
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, { appdomain netd wificond })
+
+dump_hal(hal_dumpstate)
+dump_hal(hal_wifi)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_thermal)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_identity)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
+
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:global_capability_class_set sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+
+# For Bluetooth
+allow dumpstate bluetooth_data_file:dir search;
+allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+
+# For Nfc
+allow dumpstate nfc_logs_data_file:dir r_dir_perms;
+allow dumpstate nfc_logs_data_file:file r_file_perms;
+
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read files in /proc
+allow dumpstate {
+ proc_buddyinfo
+ proc_cmdline
+ proc_meminfo
+ proc_modules
+ proc_net_type
+ proc_pipe_conf
+ proc_pagetypeinfo
+ proc_qtaguid_ctrl
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file r_file_perms;
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
+# Access /data/misc/recovery
+allow dumpstate recovery_data_file:dir r_dir_perms;
+allow dumpstate recovery_data_file:file r_file_perms;
+
+#Access /data/misc/update_engine_log
+allow dumpstate update_engine_log_data_file:dir r_dir_perms;
+allow dumpstate update_engine_log_data_file:file r_file_perms;
+
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+')
+
+# Access /data/misc/logd
+allow dumpstate misc_logd_file:dir r_dir_perms;
+allow dumpstate misc_logd_file:file r_file_perms;
+
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
+allow dumpstate app_fuse_file:dir r_dir_perms;
+allow dumpstate overlayfs_file:dir r_dir_perms;
+
+allow dumpstate {
+ service_manager_type
+ -apex_service
+ -dumpstate_service
+ -gatekeeper_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ -default_android_service
+}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ apex_service
+ dumpstate_service
+ gatekeeper_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
+allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
+
+# Read any system properties
+get_prop(dumpstate, property_type)
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to talk to iorapd over binder.
+binder_call(dumpstate, iorapd)
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
+# For when dumpstate runs df
+dontaudit dumpstate {
+ mnt_vendor_file
+ mirror_data_file
+ mnt_user_file
+}:dir search;
+dontaudit dumpstate {
+ apex_mnt_dir
+ linkerconfig_file
+ mirror_data_file
+ mnt_user_file
+}:dir getattr;
+
+# Allow dumpstate to talk to bufferhubd over binder
+binder_call(dumpstate, bufferhubd);
+
+# Allow dumpstate to talk to mediaswcodec over binder
+binder_call(dumpstate, mediaswcodec);
+
+# Allow dumpstate to talk to these stable AIDL services over binder
+binder_call(dumpstate, hal_rebootescrow_server)
+allow hal_rebootescrow_server dumpstate:fifo_file write;
+allow hal_rebootescrow_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_authsecret_server)
+allow hal_authsecret_server dumpstate:fifo_file write;
+allow hal_authsecret_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_keymint_server)
+allow hal_keymint_server dumpstate:fifo_file write;
+allow hal_keymint_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_memtrack_server)
+allow hal_memtrack_server dumpstate:fifo_file write;
+allow hal_memtrack_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_oemlock_server)
+allow hal_oemlock_server dumpstate:fifo_file write;
+allow hal_oemlock_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_weaver_server)
+allow hal_weaver_server dumpstate:fifo_file write;
+allow hal_weaver_server dumpstate:fd use;
+
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate binderfs_logs_proc:file r_file_perms;
+
+allow dumpstate apex_info_file:file getattr;
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ -traceur_app
+ -dumpstate
+} dumpstate_service:service_manager find;
diff --git a/prebuilts/api/32.0/public/e2fs.te b/prebuilts/api/32.0/public/e2fs.te
new file mode 100644
index 000000000..dd5bd69de
--- /dev/null
+++ b/prebuilts/api/32.0/public/e2fs.te
@@ -0,0 +1,26 @@
+type e2fs, domain, coredomain;
+type e2fs_exec, system_file_type, exec_type, file_type;
+
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+allow e2fs dm_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+
+allow e2fs {
+ proc_filesystems
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
diff --git a/prebuilts/api/32.0/public/ephemeral_app.te b/prebuilts/api/32.0/public/ephemeral_app.te
new file mode 100644
index 000000000..dc39a22b5
--- /dev/null
+++ b/prebuilts/api/32.0/public/ephemeral_app.te
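Review bot: `binder_call(dumpstate, installd);` ends with a trailing semicolon, unlike every other `binder_call(...)` invocation in this file (compare `binder_call(dumpstate, iorapd)` right below it); the `binder_call(dumpstate, bufferhubd);` and `binder_call(dumpstate, mediaswcodec);` lines have the same inconsistency. Since the macro expansion already terminates its own rules, the stray `;` is at best an empty statement and at worst a reviewer's cue that something different is going on, so I'd normalise all three to the bare form, e.g. `binder_call(dumpstate, installd)`. The `# df for` comment above the block_device/cache_file dir rule also reads as truncated and could state what "df" needs, e.g. `# Let df stat/search the mount points it reports on`. As this path looks like a frozen prebuilt snapshot, both fixes belong in the source dumpstate.te with the snapshot regenerated from it.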
@@ -0,0 +1,14 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+type ephemeral_app, domain;
diff --git a/prebuilts/api/32.0/public/fastbootd.te b/prebuilts/api/32.0/public/fastbootd.te
new file mode 100644
index 000000000..e167a5e87
--- /dev/null
+++ b/prebuilts/api/32.0/public/fastbootd.te
@@ -0,0 +1,118 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type fastbootd, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # fastbootd can only use HALs in passthrough mode
+ passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+ # Access /dev/usb-ffs/fastbootd/ep0
+ allow fastbootd functionfs:dir search;
+ allow fastbootd functionfs:file rw_file_perms;
+
+ allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
+ # Log to serial
+ allow fastbootd kmsg_device:chr_file { open getattr write };
+
+ # battery info
+ allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+ allow fastbootd device:dir r_dir_perms;
+
+ # For dev/block/by-name dir
+ allow fastbootd block_device:dir r_dir_perms;
+
+ # Needed for DM_DEV_CREATE ioctl call
+ allow fastbootd self:capability sys_admin;
+
+ unix_socket_connect(fastbootd, recovery, recovery)
+
+ # Required for flashing
+ allow fastbootd dm_device:chr_file rw_file_perms;
+ allow fastbootd dm_device:blk_file rw_file_perms;
+
+ allow fastbootd cache_block_device:blk_file rw_file_perms;
+ allow fastbootd super_block_device_type:blk_file rw_file_perms;
+ allow fastbootd {
+ boot_block_device
+ metadata_block_device
+ system_block_device
+ userdata_block_device
+ }:blk_file { w_file_perms getattr ioctl };
+
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
+ allow fastbootd metadata_block_device:blk_file r_file_perms;
+ allow fastbootd {rootfs tmpfs}:dir mounton;
+ allow fastbootd metadata_file:dir { search getattr mounton };
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
+
+ allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ allowxperm fastbootd {
+ metadata_block_device
+ userdata_block_device
+ dm_device
+ cache_block_device
+ }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
+
+ allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+ allow fastbootd proc_cmdline:file r_file_perms;
+ allow fastbootd rootfs:dir r_dir_perms;
+
+ # Needed to read fstab node from device tree.
+ allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+ allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+
+ # Needed because libdm reads sysfs to validate when a dm path is ready.
+ r_dir_file(fastbootd, sysfs_dm)
+
+ # Needed for realpath() call to resolve symlinks.
+ allow fastbootd block_device:dir getattr;
+ userdebug_or_eng(`
+ # Refined manipulation of /mnt/scratch, without these perms resorts
+ # to deleting scratch partition when partition(s) are flashed.
+ allow fastbootd self:process setfscreate;
+ allow fastbootd cache_file:dir search;
+ allow fastbootd proc_filesystems:file { getattr open read };
+ allow fastbootd self:capability sys_rawio;
+ dontaudit fastbootd kernel:system module_request;
+ allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
+ allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+ allow fastbootd {
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:dir { remove_name rmdir search write };
+ allow fastbootd {
+ overlayfs_file
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:{ file lnk_file } unlink;
+ allow fastbootd tmpfs:dir rw_dir_perms;
+ # Fetch vendor_boot partition
+ allow fastbootd boot_block_device:blk_file r_file_perms;
+ ')
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ allow fastbootd gsi_metadata_file_type:dir search;
+ allow fastbootd ota_metadata_file:dir rw_dir_perms;
+ allow fastbootd ota_metadata_file:file create_file_perms;
+')
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+ data_file_type
+}:file { no_x_file_perms };
diff --git a/prebuilts/api/32.0/public/file.te b/prebuilts/api/32.0/public/file.te
new file mode 100644
index 000000000..dc788ac6a
--- /dev/null
+++ b/prebuilts/api/32.0/public/file.te
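Review bot: The comment above the closing neverallow says write permission is required to wipe userdata, but the rule it annotates denies `no_x_file_perms` (which in global_macros expands to every file permission except execute, write included) to fastbootd on every `data_file_type` file, so the comment states the opposite of what the rule enforces. Since this is a frozen prebuilt under prebuilts/api/32.0 the wording fix belongs in the source policy; a comment such as `# fastbootd never touches files under /data: userdata is wiped at the block-device level via the userdata_block_device rules above, so file-level access stays neverallowed.` would match the rule. The neverallow itself is the right shape: this domain holds sys_admin, raw write access to the boot/system/userdata block devices and, on userdebug builds, sys_rawio, so pinning it to block-level operations is what keeps app data unreadable even in that high-privilege recovery context.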
@@ -0,0 +1,606 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, proc_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
+type proc_bluetooth_writable, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
+type proc_lowmemorykiller, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_pressure_cpu, fs_type, proc_type;
+type proc_pressure_io, fs_type, proc_type;
+type proc_pressure_mem, fs_type, proc_type;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
+type proc_vendor_sched, proc_type, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
+type sysfs_uio, sysfs_type, fs_type;
+type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devfreq_cur, fs_type, sysfs_type;
+type sysfs_devfreq_dir, fs_type, sysfs_type;
+type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_ion, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_usb, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_incfs_features, sysfs_type, fs_type;
+type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_vendor_sched mlstrustedobject;
+')
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type configfs, fs_type;
+# /sys/devices/cs_etm
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+# /sys/module/wlan/parameters/fwpath
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_thermal, sysfs_type, fs_type;
+
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type securityfs, fs_type;
+
+type pstorefs, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type oemfs, fs_type, contextmount_type;
+type usbfs, fs_type;
+type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
+
+# File types
+type unlabeled, file_type;
+
+# Default type for anything under /system.
+type system_file, system_file_type, file_type;
+# Default type for /system/asan.options
+type system_asan_options_file, system_file_type, file_type;
+# Type for /system/etc/event-log-tags (liblog implementation detail)
+type system_event_log_tags_file, system_file_type, file_type;
+# Default type for anything under /system/lib[64].
+type system_lib_file, system_file_type, file_type;
+# system libraries that are available only to bootstrap processes
+type system_bootstrap_lib_file, system_file_type, file_type;
+# Default type for the group file /system/etc/group.
+type system_group_file, system_file_type, file_type;
+# Default type for linker executable /system/bin/linker[64].
+type system_linker_exec, system_file_type, file_type;
+# Default type for linker config /system/etc/ld.config.*.
+type system_linker_config_file, system_file_type, file_type;
+# Default type for the passwd file /system/etc/passwd.
+type system_passwd_file, system_file_type, file_type;
+# Default type for linker config /system/etc/seccomp_policy/*.
+type system_seccomp_policy_file, system_file_type, file_type;
+# Default type for cacerts in /system/etc/security/cacerts/*.
+type system_security_cacerts_file, system_file_type, file_type;
+# Default type for /system/bin/tcpdump.
+type tcpdump_exec, system_file_type, exec_type, file_type;
+# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
+type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+type cgroup_desc_api_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+type task_profiles_api_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
+# Type for /system/apex/com.android.art
+type art_apex_dir, system_file_type, file_type;
+# /linkerconfig(/.*)?
+type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs and their lib/bin dependencies.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+# Type for all vendor public libraries. These libs should only be exposed to
+# apps. ABI stability of these libs is vendor's responsibility.
+type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
+
+# Input configuration
+type vendor_keylayout_file, vendor_file_type, file_type;
+type vendor_keychars_file, vendor_file_type, file_type;
+type vendor_idc_file, vendor_file_type, file_type;
+
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
+type vold_metadata_file, file_type;
+# GSI files within /metadata
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
+# system_server shares Weaver slot information in /metadata
+type password_slot_metadata_file, file_type;
+# APEX files within /metadata
+type apex_metadata_file, file_type;
+# libsnapshot files within /metadata
+type ota_metadata_file, file_type;
+# property files within /metadata/bootstat
+type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;
+# Metadata information within /metadata/watchdog
+type watchdog_metadata_file, file_type;
+
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
+# Speedup access for trusted applications to the runtime event tags
+type runtime_event_log_tags_file, file_type;
+# Type for /system/bin/logcat.
+type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
+# Type of /data itself
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type, core_data_file_type;
+# Type for /data/system/packages.list.
+# TODO(b/129332765): Narrow down permissions to this.
+# Find out users of system_data_file that should be granted only this.
+type packages_list_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
+# installd-create files in /data/misc/installd such as layout_version
+type install_data_file, file_type, data_file_type, core_data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type, core_data_file_type;
+# /data/adb - adb debugging files
+type adb_data_file, file_type, data_file_type, core_data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/vendor/tombstones/wifi - vendor wifi dumps
+type tombstone_wifi_data_file, file_type, data_file_type;
+# /data/apex - APEX data files
+type apex_data_file, file_type, data_file_type, core_data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/prereboot
+type prereboot_data_file, file_type, data_file_type, core_data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+# /data/property
+type property_data_file, file_type, data_file_type, core_data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local/tests
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+# /data/server_configurable_flags
+type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/app-staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
+
+# Mount locations managed by vold
+type mnt_media_rw_file, file_type;
+type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
+type mnt_expand_file, file_type;
+type mnt_sdcard_file, file_type;
+type storage_file, file_type;
+
+# Label for storage dirs which are just mount stubs
+type mnt_media_rw_stub_file, file_type;
+type storage_stub_file, file_type;
+
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
+# Mount point used for APEX images
+type apex_mnt_dir, file_type;
+
+# /apex/apex-info-list.xml created by apexd
+type apex_info_file, file_type;
+
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
+
+# /data_mirror: Contains mirror directory for storing all apps data.
+type mirror_data_file, file_type, core_data_file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
+type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
+type appcompat_data_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type credstore_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type iorapd_data_file, file_type, data_file_type, core_data_file_type;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/trace for method traces on userdebug / eng builds
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# /data/data subdirectories - priv-app sandboxes
+type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+# Default type for anything under /cache
+type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for /cache/overlay /mnt/scratch/overlay
+type overlayfs_file, file_type, data_file_type, core_data_file_type;
+# Type for /cache/backup_stage/* (fd interchange with apps)
+type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type, core_data_file_type;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type, core_data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type, core_data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Type for fingerprint template file
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for face template file
+type face_vendor_data_file, file_type, data_file_type;
+# Type for iris template file
+type iris_vendor_data_file, file_type, data_file_type;
+
+# Socket types
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
+type recovery_socket, file_type, coredomain_socket;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type snapuserd_socket, file_type, coredomain_socket;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
+type uncrypt_socket, file_type, coredomain_socket;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
+type zygote_socket, file_type, coredomain_socket;
+type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
+# file_contexts files
+type file_contexts_file, system_file_type, file_type;
+
+# mac_permissions file
+type mac_perms_file, system_file_type, file_type;
+
+# property_contexts file
+type property_contexts_file, system_file_type, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, system_file_type, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, system_file_type, file_type;
+
+# service_contexts file
+type service_contexts_file, system_file_type, file_type;
+
+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, vendor_file_type, file_type;
+
+# hwservice_contexts file
+type hwservice_contexts_file, system_file_type, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
+# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
+
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
+# Deprecated in SDK version 28
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+# type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+# type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/32.0/public/fingerprintd.te b/prebuilts/api/32.0/public/fingerprintd.te
new file mode 100644
index 000000000..8cf24111b
--- /dev/null
+++ b/prebuilts/api/32.0/public/fingerprintd.te
@@ -0,0 +1,27 @@
+type fingerprintd, domain;
+type fingerprintd_exec, system_file_type, exec_type, file_type;
+
+binder_use(fingerprintd)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
+# need to find KeyStore and add self
+add_service(fingerprintd, fingerprintd_service)
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
+
+allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/32.0/public/flags_health_check.te b/prebuilts/api/32.0/public/flags_health_check.te
new file mode 100644
index 000000000..25a776813
--- /dev/null
+++ b/prebuilts/api/32.0/public/flags_health_check.te
@@ -0,0 +1,11 @@
+# The flags_health_check command run by init.
+type flags_health_check, domain, coredomain;
+type flags_health_check_exec, system_file_type, exec_type, file_type;
+
+allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
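Review bot: The comment `# allow HAL module to read dir contents` does not describe the rule beneath it, `allow fingerprintd fingerprintd_data_file:file { create_file_perms };`, which grants create/rename/setattr/unlink plus read/write on files under fingerprintd_data_file rather than any directory reading; directory listing is what the following `rw_dir_perms` rule provides. Suggest `# allow the HAL module to create, read, write, rename and unlink files under fingerprintd_data_file` over the file rule and `# allow the HAL module to list and add/remove entries in that directory` over the dir rule. The braces around `create_file_perms` are also redundant, since the macro in global_macros already expands to a braced set. This is a prebuilt API snapshot, so if it is meant to mirror public/fingerprintd.te the wording fix belongs there first and the snapshot regenerated.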
diff --git a/prebuilts/api/32.0/public/fsck.te b/prebuilts/api/32.0/public/fsck.te new file mode 100644 index 000000000..7a9fbeef1 --- /dev/null +++ b/prebuilts/api/32.0/public/fsck.te 
@@ -0,0 +1,68 @@
+# Any fsck program run by init
+type fsck, domain;
+type fsck_exec, system_file_type, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck block_device:dir search;
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
+
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+ BLKDISCARDZEROES
+ BLKROGET
+};
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+allow fsck {
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+allow fsck rootfs:dir r_dir_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdebug_or_eng(`-system_block_device')
+ vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow * fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/32.0/public/fsck_untrusted.te b/prebuilts/api/32.0/public/fsck_untrusted.te
new file mode 100644
index 000000000..149ea6c03
--- /dev/null
+++ b/prebuilts/api/32.0/public/fsck_untrusted.te
@@ -0,0 +1,50 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+allowxperm fsck_untrusted vold_device:blk_file ioctl BLKGETSIZE;
+
+allow fsck_untrusted proc_mounts:file r_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/32.0/public/fwk_bufferhub.te b/prebuilts/api/32.0/public/fwk_bufferhub.te
new file mode 100644
index 000000000..03486bd1e
--- /dev/null +++ b/prebuilts/api/32.0/public/fwk_bufferhub.te @@ -0,0 +1,4 @@ +binder_call(hal_bufferhub_client, hal_bufferhub_server) +binder_call(hal_bufferhub_server, hal_bufferhub_client) + +hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice) diff --git a/prebuilts/api/32.0/public/gatekeeperd.te b/prebuilts/api/32.0/public/gatekeeperd.te new file mode 100644 index 000000000..d48c5f82d --- /dev/null +++ b/prebuilts/api/32.0/public/gatekeeperd.te @@ -0,0 +1,42 @@ +type gatekeeperd, domain; +type gatekeeperd_exec, system_file_type, exec_type, file_type; + +# gatekeeperd +binder_service(gatekeeperd) +binder_use(gatekeeperd) + +### Rules needed when Gatekeeper HAL runs inside gatekeeperd process. +### These rules should eventually be granted only when needed. +allow gatekeeperd ion_device:chr_file r_file_perms; +# Load HAL implementation +allow gatekeeperd system_file:dir r_dir_perms; +### + +### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process. +### These rules should eventually be granted only when needed. +hal_client_domain(gatekeeperd, hal_gatekeeper) +### + +# need to find KeyStore and add self +add_service(gatekeeperd, gatekeeper_service) + +# Need to add auth tokens to KeyStore +use_keystore(gatekeeperd) +allow gatekeeperd keystore:keystore_key { add_auth }; +allow gatekeeperd keystore:keystore2 { add_auth }; +allow gatekeeperd authorization_service:service_manager find; + + +# For permissions checking +allow gatekeeperd system_server:binder call; +allow gatekeeperd permission_service:service_manager find; + +# for SID file access +allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms; +allow gatekeeperd gatekeeper_data_file:file create_file_perms; + +# For hardware properties retrieval +allow gatekeeperd hardware_properties_service:service_manager find; + +r_dir_file(gatekeeperd, cgroup) +r_dir_file(gatekeeperd, cgroup_v2) 
diff --git a/prebuilts/api/32.0/public/global_macros b/prebuilts/api/32.0/public/global_macros new file mode 100644 index 000000000..2c87fde5e --- /dev/null +++ b/prebuilts/api/32.0/public/global_macros 
@@ -0,0 +1,51 @@ +##################################### +# Common groupings of object classes. +# +define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }') +define(`global_capability_class_set', `{ capability cap_userns }') +define(`global_capability2_class_set', `{ capability2 cap2_userns }') + +define(`devfile_class_set', `{ chr_file blk_file }') +define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') +define(`file_class_set', `{ devfile_class_set notdevfile_class_set }') +define(`dir_file_class_set', `{ dir file_class_set }') + +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }') +define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }') +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }') +define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }') + +define(`ipc_class_set', `{ sem msgq shm ipc }') + +##################################### +# Common groupings of permissions. 
+# +define(`x_file_perms', `{ getattr execute execute_no_trans map }') +define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }') +define(`w_file_perms', `{ open append write lock map }') +define(`rx_file_perms', `{ r_file_perms x_file_perms }') +define(`ra_file_perms', `{ r_file_perms append }') +define(`rw_file_perms', `{ r_file_perms w_file_perms }') +define(`rwx_file_perms', `{ rw_file_perms x_file_perms }') +define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }') + +define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }') +define(`w_dir_perms', `{ open search write add_name remove_name lock }') +define(`ra_dir_perms', `{ r_dir_perms add_name write }') +define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }') +define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }') + +define(`r_ipc_perms', `{ getattr read associate unix_read }') +define(`w_ipc_perms', `{ write unix_write }') +define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }') +define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }') + +##################################### +# Common socket permission sets. +define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }') +define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }') +define(`create_socket_perms', `{ create rw_socket_perms }') +define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }') +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') +define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }') diff --git a/prebuilts/api/32.0/public/gmscore_app.te b/prebuilts/api/32.0/public/gmscore_app.te new file mode 100644 index 000000000..b574bf39c --- /dev/null +++ b/prebuilts/api/32.0/public/gmscore_app.te 
@@ -0,0 +1,5 @@ +### +### A domain for further sandboxing the PrebuiltGMSCore app. +### + +type gmscore_app, domain; diff --git a/prebuilts/api/32.0/public/gpuservice.te b/prebuilts/api/32.0/public/gpuservice.te new file mode 100644 index 000000000..443cc45a3 --- /dev/null +++ b/prebuilts/api/32.0/public/gpuservice.te @@ -0,0 +1,3 @@ +# gpuservice - server for gpu stats and other gpu related services +type gpuservice, domain; +get_prop(gpuservice, graphics_config_prop)
\ No newline at end of file diff --git a/prebuilts/api/32.0/public/hal_allocator.te b/prebuilts/api/32.0/public/hal_allocator.te new file mode 100644 index 000000000..6417b6289 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_allocator.te @@ -0,0 +1,6 @@ +# HwBinder IPC from client to server +binder_call(hal_allocator_client, hal_allocator_server) + +hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice) +allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find; +allow hal_allocator_client same_process_hal_file:file { execute read open getattr map }; diff --git a/prebuilts/api/32.0/public/hal_atrace.te b/prebuilts/api/32.0/public/hal_atrace.te new file mode 100644 index 000000000..51d9237f9 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_atrace.te @@ -0,0 +1,4 @@ +# HwBinder IPC from client to server +binder_call(hal_atrace_client, hal_atrace_server) + +hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice) diff --git a/prebuilts/api/32.0/public/hal_audio.te b/prebuilts/api/32.0/public/hal_audio.te new file mode 100644 index 000000000..d1970b9bd --- /dev/null +++ b/prebuilts/api/32.0/public/hal_audio.te 
@@ -0,0 +1,39 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+hal_attribute_service(hal_audio, hal_audio_service)
+
+allow hal_audio ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound)
+allow hal_audio_server audio_device:dir r_dir_perms;
+allow hal_audio_server audio_device:chr_file rw_file_perms;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_audio shell:fd use;
+allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
+
+# Needed to allow sound trigger hal to access shared memory from apps.
+allow hal_audio_server appdomain:fd use;
+
+# allow hal audio to use vnbinder
+vndbinder_use(hal_audio)
+
+###
+### neverallow rules
+###
+
+# Should never execute any executable without a domain transition
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
+
+get_prop(hal_audio, audio_config_prop)
+get_prop(hal_audio, bluetooth_a2dp_offload_prop)
+get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/prebuilts/api/32.0/public/hal_audiocontrol.te b/prebuilts/api/32.0/public/hal_audiocontrol.te
new file mode 100644
index 000000000..6f45b0ebb
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_audiocontrol.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
+hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
+
+binder_call(hal_audiocontrol_server, servicemanager)
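Review bot: `allow hal_audio_server appdomain:fd use;` accepts descriptors from every app domain including isolated_app, whereas hal_camera.te and hal_drm.te in this same change write `{ appdomain -isolated_app }:fd use` for the equivalent grant. Isolated processes presumably have no business handing shared memory to the sound-trigger HAL; unless something depends on it, tighten to `allow hal_audio_server { appdomain -isolated_app }:fd use;` so the three HALs agree. The `-hal_omx_server` carve-out in the audio_device neverallow is the only other server domain allowed to touch the audio hardware and deserves a one-line why-comment, since the comment above it says only the audio HAL may do so. As a prebuilt snapshot this presumably mirrors public/hal_audio.te, so the change belongs there first.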
diff --git a/prebuilts/api/32.0/public/hal_authsecret.te b/prebuilts/api/32.0/public/hal_authsecret.te
new file mode 100644
index 000000000..bbcdb9a33
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_authsecret.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_service(hal_authsecret, hal_authsecret_service)
+
+binder_call(hal_authsecret_server, servicemanager)
diff --git a/prebuilts/api/32.0/public/hal_bluetooth.te b/prebuilts/api/32.0/public/hal_bluetooth.te
new file mode 100644
index 000000000..97177bad7
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_bluetooth.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
+
+hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+
+wakelock_use(hal_bluetooth);
+
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:global_capability_class_set net_admin;
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
+set_prop(hal_bluetooth, bluetooth_prop)
+set_prop(hal_bluetooth, exported_bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:global_capability_class_set sys_nice;
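Review bot: The net_admin and sys_nice capabilities, rw on `{ uhid_device hci_attach_dev }`, read on all of `sysfs_type` and the four set_prop grants are all written against the `hal_bluetooth` attribute, while the comments describe server-side chip control (rfkill, bluesleep, HCI attach). If, as for the other HALs in this policy, `hal_bluetooth` is the union of hal_bluetooth_client and hal_bluetooth_server, the client side inherits every one of these; unless the client genuinely needs them, scope the hardware and capability rules to the server, e.g. `allow hal_bluetooth_server self:global_capability_class_set net_admin;` and `allow hal_bluetooth_server { uhid_device hci_attach_dev }:chr_file rw_file_perms;`. `r_dir_file(hal_bluetooth, sysfs_type)` is also far broader than the "sysfs access" comment suggests and deserves a comment naming what it actually needs. The stray semicolon in `wakelock_use(hal_bluetooth);` is harmless but inconsistent with the other macro calls in the file.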
diff --git a/prebuilts/api/32.0/public/hal_bootctl.te b/prebuilts/api/32.0/public/hal_bootctl.te new file mode 100644 index 000000000..a1f3d7fe4 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_bootctl.te @@ -0,0 +1,6 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_bootctl_client, hal_bootctl_server) +binder_call(hal_bootctl_server, hal_bootctl_client) + +hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice) +allow hal_bootctl_server proc_bootconfig:file r_file_perms; diff --git a/prebuilts/api/32.0/public/hal_broadcastradio.te b/prebuilts/api/32.0/public/hal_broadcastradio.te new file mode 100644 index 000000000..84a25970f --- /dev/null +++ b/prebuilts/api/32.0/public/hal_broadcastradio.te @@ -0,0 +1,4 @@ +binder_call(hal_broadcastradio_client, hal_broadcastradio_server) +binder_call(hal_broadcastradio_server, hal_broadcastradio_client) + +hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice) diff --git a/prebuilts/api/32.0/public/hal_camera.te b/prebuilts/api/32.0/public/hal_camera.te new file mode 100644 index 000000000..45fad56e7 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_camera.te 
@@ -0,0 +1,38 @@ +# HwBinder IPC from clients to server and callbacks +binder_call(hal_camera_client, hal_camera_server) +binder_call(hal_camera_server, hal_camera_client) + +hal_attribute_hwservice(hal_camera, hal_camera_hwservice) + +allow hal_camera device:dir r_dir_perms; +allow hal_camera video_device:dir r_dir_perms; +allow hal_camera video_device:chr_file rw_file_perms; +allow hal_camera camera_device:chr_file rw_file_perms; +allow hal_camera ion_device:chr_file rw_file_perms; +allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms; + +# Both the client and the server need to use the graphics allocator +allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use; + +# Allow hal_camera to use fd from app,gralloc,and ashmem HAL +allow hal_camera { appdomain -isolated_app }:fd use; +allow hal_camera surfaceflinger:fd use; +allow hal_camera hal_allocator_server:fd use; + +# Needed to provide debug dump output via dumpsys' pipes. +allow hal_camera shell:fd use; +allow hal_camera shell:fifo_file write; + +### +### neverallow rules +### + +# hal_camera should never execute any executable without a +# domain transition +neverallow hal_camera_server { file_type fs_type }:file execute_no_trans; + +# hal_camera should never need network access. Disallow network sockets. +neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *; + +# Only camera HAL may directly access the camera hardware +neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *; diff --git a/prebuilts/api/32.0/public/hal_can.te b/prebuilts/api/32.0/public/hal_can.te new file mode 100644 index 000000000..959d1d94a --- /dev/null +++ b/prebuilts/api/32.0/public/hal_can.te 
@@ -0,0 +1,9 @@ +# CAN controller +binder_call(hal_can_controller_client, hal_can_controller_server) +binder_call(hal_can_controller_server, hal_can_controller_client) +hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice) + +# CAN bus +binder_call(hal_can_bus_client, hal_can_bus_server) +binder_call(hal_can_bus_server, hal_can_bus_client) +hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice) diff --git a/prebuilts/api/32.0/public/hal_cas.te b/prebuilts/api/32.0/public/hal_cas.te new file mode 100644 index 000000000..e699a6bac --- /dev/null +++ b/prebuilts/api/32.0/public/hal_cas.te @@ -0,0 +1,38 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_cas_client, hal_cas_server) +binder_call(hal_cas_server, hal_cas_client) + +hal_attribute_hwservice(hal_cas, hal_cas_hwservice) +allow hal_cas_server hidl_memory_hwservice:hwservice_manager find; + +# Permit reading device's serial number from system properties +get_prop(hal_cas_server, serialno_prop) + +# Read files already opened under /data +allow hal_cas system_data_file:file { getattr read }; + +# Read access to pseudo filesystems +r_dir_file(hal_cas, cgroup) +allow hal_cas cgroup:dir { search write }; +allow hal_cas cgroup:file w_file_perms; + +r_dir_file(hal_cas, cgroup_v2) +allow hal_cas cgroup_v2:dir { search write }; +allow hal_cas cgroup_v2:file w_file_perms; + +# Allow access to ion memory allocation device +allow hal_cas ion_device:chr_file rw_file_perms; +allow hal_cas hal_graphics_allocator:fd use; + +allow hal_cas tee_device:chr_file rw_file_perms; + +### +### neverallow rules +### + +# hal_cas should never execute any executable without a +# domain transition +neverallow hal_cas_server { file_type fs_type }:file execute_no_trans; + +# do not allow privileged socket ioctl commands +neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 
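Review bot: `allow hal_cas tee_device:chr_file rw_file_perms;`, the cgroup/cgroup_v2 `{ search write }` and `w_file_perms` rules and `ion_device:chr_file rw_file_perms` are granted on the `hal_cas` attribute, but the neverallow rules at the end of the same file are scoped only to hal_cas_server. If `hal_cas` spans both client and server as elsewhere in this policy, every CAS client gets direct TEE and cgroup write access it presumably does not need; narrow these to `hal_cas_server` (e.g. `allow hal_cas_server tee_device:chr_file rw_file_perms;`) or add a comment stating which client domain requires them. The `# Read access to pseudo filesystems` comment is also inaccurate for rules that grant write, so say `# Read/write access to cgroup pseudo filesystems (task placement)` or similar, hedged to whatever the HAL actually does there.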
diff --git a/prebuilts/api/32.0/public/hal_codec2.te b/prebuilts/api/32.0/public/hal_codec2.te new file mode 100644 index 000000000..a379bb3fc --- /dev/null +++ b/prebuilts/api/32.0/public/hal_codec2.te @@ -0,0 +1,27 @@ +get_prop(hal_codec2_client, media_variant_prop) +get_prop(hal_codec2_server, media_variant_prop) +get_prop(hal_codec2_client, codec2_config_prop) +get_prop(hal_codec2_server, codec2_config_prop) + +binder_call(hal_codec2_client, hal_codec2_server) +binder_call(hal_codec2_server, hal_codec2_client) + +hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice) + +# The following permissions are added to hal_codec2_server because vendor and +# vndk libraries provided for Codec2 implementation need them. + +# Allow server access to composer sync fences +allow hal_codec2_server hal_graphics_composer:fd use; + +# Allow both server and client access to ion +allow hal_codec2_server ion_device:chr_file r_file_perms; + +# Allow server access to camera HAL's fences +allow hal_codec2_server hal_camera:fd use; + +# Receive gralloc buffer FDs from bufferhubd. +allow hal_codec2_server bufferhubd:fd use; + +allow hal_codec2_client ion_device:chr_file r_file_perms; + diff --git a/prebuilts/api/32.0/public/hal_configstore.te b/prebuilts/api/32.0/public/hal_configstore.te new file mode 100644 index 000000000..069da4791 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_configstore.te 
@@ -0,0 +1,69 @@ +# HwBinder IPC from client to server +binder_call(hal_configstore_client, hal_configstore_server) + +hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs) + +# hal_configstore runs with a strict seccomp filter. Use crash_dump's +# fallback path to collect crash data. +crash_dump_fallback(hal_configstore_server) + +### +### neverallow rules +### + +# Should never execute an executable without a domain transition +neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans; + +# Should never need network access. Disallow sockets except for +# for unix stream/dgram sockets used for logging/debugging. +neverallow hal_configstore_server domain:{ + rawip_socket tcp_socket udp_socket + netlink_route_socket netlink_selinux_socket + socket netlink_socket packet_socket key_socket appletalk_socket + netlink_tcpdiag_socket netlink_nflog_socket + netlink_xfrm_socket netlink_audit_socket + netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket + netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket + netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket + netlink_rdma_socket netlink_crypto_socket +} *; +neverallow hal_configstore_server { + domain + -hal_configstore_server + -logd + userdebug_or_eng(`-su') + -tombstoned + userdebug_or_eng(`-heapprofd') + userdebug_or_eng(`-traced_perf') +}:{ unix_dgram_socket unix_stream_socket } *; + +# Should never need access to anything on /data +neverallow hal_configstore_server { + data_file_type + -anr_data_file # for crash dump collection + -tombstone_data_file # for crash dump collection + -zoneinfo_data_file # granted to domain + with_native_coverage(`-method_trace_data_file') +}:{ file fifo_file sock_file } *; + +# Should never need sdcard access +neverallow hal_configstore_server { + sdcard_type + fuse sdcardfs vfat exfat # manual expansion for completeness +}:dir ~getattr; +neverallow hal_configstore_server { + sdcard_type + 
fuse sdcardfs vfat exfat # manual expansion for completeness +}:file *; + +# Do not permit access to service_manager and vndservice_manager +neverallow hal_configstore_server *:service_manager *; + +# No privileged capabilities +neverallow hal_configstore_server self:capability_class_set *; + +# No ptracing other processes +neverallow hal_configstore_server *:process ptrace; + +# no relabeling +neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto }; diff --git a/prebuilts/api/32.0/public/hal_confirmationui.te b/prebuilts/api/32.0/public/hal_confirmationui.te new file mode 100644 index 000000000..5d2e4b7a1 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_confirmationui.te @@ -0,0 +1,4 @@ +# HwBinder IPC from client to server +binder_call(hal_confirmationui_client, hal_confirmationui_server) + +hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice) diff --git a/prebuilts/api/32.0/public/hal_contexthub.te b/prebuilts/api/32.0/public/hal_contexthub.te new file mode 100644 index 000000000..34acb38d6 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_contexthub.te @@ -0,0 +1,5 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_contexthub_client, hal_contexthub_server) +binder_call(hal_contexthub_server, hal_contexthub_client) + +hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice) diff --git a/prebuilts/api/32.0/public/hal_drm.te b/prebuilts/api/32.0/public/hal_drm.te new file mode 100644 index 000000000..bb1bd91e6 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_drm.te 
@@ -0,0 +1,56 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# Read files already opened under /data
+allow hal_drm system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to hidl_memory allocation service
+allow hal_drm hal_allocator_server:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+allow hal_drm_server { appdomain -isolated_app }:fd use;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/32.0/public/hal_dumpstate.te b/prebuilts/api/32.0/public/hal_dumpstate.te
new file mode 100644
index 000000000..9f854e366
--- /dev/null
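Review bot: `allow hal_drm self:process execmem;` grants anonymous executable memory (a W^X exception) to the entire `hal_drm` attribute, while the justification comment names the Widevine HAL and every neverallow in the file is scoped to `hal_drm_server` only. If the client domains carrying hal_drm_client do not run that code, narrow it to `allow hal_drm_server self:process execmem;` so W^X stays enforced on the client side; the same attribute-wide scoping applies to `tee_device:chr_file rw_file_perms` and the bare `sysfs:file r_file_perms`, neither of which carries a comment saying which side needs it. The `# Read access to pseudo filesystems` comment also sits above rules that grant cgroup write. As a prebuilt API snapshot this presumably mirrors public/hal_drm.te, so the tightening belongs there and the snapshot regenerated.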
+++ b/prebuilts/api/32.0/public/hal_dumpstate.te @@ -0,0 +1,12 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_dumpstate_client, hal_dumpstate_server) +binder_call(hal_dumpstate_server, hal_dumpstate_client) + +set_prop(hal_dumpstate_server, hal_dumpstate_config_prop) + +hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice) + +# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport +allow hal_dumpstate shell_data_file:file write; +# allow reading /proc/interrupts for all hal impls +allow hal_dumpstate proc_interrupts:file r_file_perms; diff --git a/prebuilts/api/32.0/public/hal_evs.te b/prebuilts/api/32.0/public/hal_evs.te new file mode 100644 index 000000000..789333af7 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_evs.te @@ -0,0 +1,5 @@ +hwbinder_use(hal_evs_client) +hwbinder_use(hal_evs_server) +binder_call(hal_evs_client, hal_evs_server) +binder_call(hal_evs_server, hal_evs_client) +hal_attribute_hwservice(hal_evs, hal_evs_hwservice) diff --git a/prebuilts/api/32.0/public/hal_face.te b/prebuilts/api/32.0/public/hal_face.te new file mode 100644 index 000000000..013457674 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_face.te @@ -0,0 +1,15 @@ +# Allow HwBinder IPC from client to server, and vice versa for callbacks. +binder_call(hal_face_client, hal_face_server) +binder_call(hal_face_server, hal_face_client) + +hal_attribute_hwservice(hal_face, hal_face_hwservice) +hal_attribute_service(hal_face, hal_face_service) + +binder_call(hal_face_server, servicemanager) + +# Allow access to the ion memory allocation device. +allow hal_face ion_device:chr_file r_file_perms; + +# Allow read/write access to the face template directory. +allow hal_face face_vendor_data_file:file create_file_perms; +allow hal_face face_vendor_data_file:dir rw_dir_perms; diff --git a/prebuilts/api/32.0/public/hal_fingerprint.te b/prebuilts/api/32.0/public/hal_fingerprint.te new file mode 100644 index 000000000..444cfdad0 
--- /dev/null +++ b/prebuilts/api/32.0/public/hal_fingerprint.te @@ -0,0 +1,20 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_fingerprint_client, hal_fingerprint_server) +binder_call(hal_fingerprint_server, hal_fingerprint_client) + +hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice) +hal_attribute_service(hal_fingerprint, hal_fingerprint_service) + +binder_call(hal_fingerprint_server, servicemanager) + +# For memory allocation +allow hal_fingerprint ion_device:chr_file r_file_perms; + +allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms }; +allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms; + +r_dir_file(hal_fingerprint, cgroup) +r_dir_file(hal_fingerprint, cgroup_v2) +r_dir_file(hal_fingerprint, sysfs) + + diff --git a/prebuilts/api/32.0/public/hal_gatekeeper.te b/prebuilts/api/32.0/public/hal_gatekeeper.te new file mode 100644 index 000000000..b918f88a2 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_gatekeeper.te @@ -0,0 +1,7 @@ +binder_call(hal_gatekeeper_client, hal_gatekeeper_server) + +hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice) + +# TEE access. +allow hal_gatekeeper tee_device:chr_file rw_file_perms; +allow hal_gatekeeper ion_device:chr_file r_file_perms; diff --git a/prebuilts/api/32.0/public/hal_gnss.te b/prebuilts/api/32.0/public/hal_gnss.te new file mode 100644 index 000000000..832bc8d24 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_gnss.te @@ -0,0 +1,9 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_gnss_client, hal_gnss_server) +binder_call(hal_gnss_server, hal_gnss_client) + +hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice) +hal_attribute_service(hal_gnss, hal_gnss_service) +binder_call(hal_gnss_server, servicemanager) +binder_call(hal_gnss_client, servicemanager) + 
diff --git a/prebuilts/api/32.0/public/hal_graphics_allocator.te b/prebuilts/api/32.0/public/hal_graphics_allocator.te new file mode 100644 index 000000000..3ec6b9618 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_graphics_allocator.te @@ -0,0 +1,14 @@ +# HwBinder IPC from client to server +binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server) + +hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice) +allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find; +allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map }; + +# GPU device access +allow hal_graphics_allocator gpu_device:chr_file rw_file_perms; +allow hal_graphics_allocator ion_device:chr_file r_file_perms; +allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms; + +# allow to run with real-time scheduling policy +allow hal_graphics_allocator self:global_capability_class_set sys_nice; diff --git a/prebuilts/api/32.0/public/hal_graphics_composer.te b/prebuilts/api/32.0/public/hal_graphics_composer.te new file mode 100644 index 000000000..1c69c9993 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_graphics_composer.te 
@@ -0,0 +1,32 @@ +type hal_graphics_composer_server_tmpfs, file_type; +attribute hal_graphics_composer_client_tmpfs; +expandattribute hal_graphics_composer_client_tmpfs true; + +# HwBinder IPC from client to server, and callbacks +binder_call(hal_graphics_composer_client, hal_graphics_composer_server) +binder_call(hal_graphics_composer_server, hal_graphics_composer_client) +allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write }; +allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write }; + +hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice) + +# Coordinate with hal_graphics_mapper +allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find; + +# GPU device access +allow hal_graphics_composer gpu_device:chr_file rw_file_perms; +allow hal_graphics_composer ion_device:chr_file r_file_perms; +allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_graphics_composer hal_graphics_allocator:fd use; + +# Access /dev/graphics/fb0. +allow hal_graphics_composer graphics_device:dir search; +allow hal_graphics_composer graphics_device:chr_file rw_file_perms; + +# Fences +allow hal_graphics_composer system_server:fd use; +allow hal_graphics_composer bootanim:fd use; +allow hal_graphics_composer appdomain:fd use; + +# allow self to set SCHED_FIFO +allow hal_graphics_composer self:global_capability_class_set sys_nice; diff --git a/prebuilts/api/32.0/public/hal_health.te b/prebuilts/api/32.0/public/hal_health.te new file mode 100644 index 000000000..dc7d0836e --- /dev/null +++ b/prebuilts/api/32.0/public/hal_health.te 
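Review bot: `allow hal_graphics_composer appdomain:fd use;` in the "Fences" section accepts descriptors from every app domain, including `isolated_app`, whereas the hal_omx and hal_sensors hunks in this same change deliberately write `{ appdomain -isolated_app }`. Unless isolated processes are expected to originate fences here, the consistent and narrower form is `allow hal_graphics_composer { appdomain -isolated_app }:fd use;`. If the broader grant is intentional, a one-line comment saying why isolated apps are included would save the next reader the same question. As a frozen prebuilt the fix belongs in `public/` first.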
@@ -0,0 +1,27 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_health_client, hal_health_server) +binder_call(hal_health_server, hal_health_client) + +hal_attribute_hwservice(hal_health, hal_health_hwservice) + +# Common rules for a health service. + +# Allow to listen to uevents for updates +allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +# Allow to read /sys/class/power_supply directory +allow hal_health_server sysfs:dir r_dir_perms; + +# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks +# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health +# HAL service. +r_dir_file(hal_health_server, sysfs_batteryinfo) + +# Allow to wake up to send periodic events +wakelock_use(hal_health_server) + +# Write to /dev/kmsg +allow hal_health_server kmsg_device:chr_file { getattr w_file_perms }; + +# Allow to use timerfd to wake itself up periodically to send health info. +allow hal_health_server self:capability2 wake_alarm; diff --git a/prebuilts/api/32.0/public/hal_health_storage.te b/prebuilts/api/32.0/public/hal_health_storage.te new file mode 100644 index 000000000..4938a162f --- /dev/null +++ b/prebuilts/api/32.0/public/hal_health_storage.te @@ -0,0 +1,11 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_health_storage_client, hal_health_storage_server) +binder_call(hal_health_storage_server, hal_health_storage_client) + +binder_use(hal_health_storage_server) + +hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice) +hal_attribute_service(hal_health_storage, hal_health_storage_service) + +# Allow ReadDefaultFstab(). +read_fstab(hal_health_storage_server) diff --git a/prebuilts/api/32.0/public/hal_identity.te b/prebuilts/api/32.0/public/hal_identity.te new file mode 100644 index 000000000..8d558ade1 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_identity.te 
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_identity_client, hal_identity_server)
+
+hal_attribute_service(hal_identity, hal_identity_service)
+
+binder_call(hal_identity_server, servicemanager)
diff --git a/prebuilts/api/32.0/public/hal_input_classifier.te b/prebuilts/api/32.0/public/hal_input_classifier.te
new file mode 100644
index 000000000..70a4b7deb
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_input_classifier.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_classifier_client, hal_input_classifier_server)
+
+hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_ir.te b/prebuilts/api/32.0/public/hal_ir.te
new file mode 100644
index 000000000..29555f74c
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_ir.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_keymaster.te b/prebuilts/api/32.0/public/hal_keymaster.te
new file mode 100644
index 000000000..3e164ade9
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_keymaster.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
+
+hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/32.0/public/hal_keymint.te b/prebuilts/api/32.0/public/hal_keymint.te
new file mode 100644
index 000000000..9c65e22df
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_keymint.te
@@ -0,0 +1,8 @@
+binder_call(hal_keymint_client, hal_keymint_server)
+
+hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
+binder_call(hal_keymint_server, servicemanager)
+
+allow hal_keymint tee_device:chr_file rw_file_perms;
+allow hal_keymint ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/32.0/public/hal_light.te b/prebuilts/api/32.0/public/hal_light.te
new file mode 100644
index 000000000..40829b6bb
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_light.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+hal_attribute_hwservice(hal_light, hal_light_hwservice)
+hal_attribute_service(hal_light, hal_light_service)
+
+binder_call(hal_light_server, servicemanager)
+binder_use(hal_light_client)
+
+allow hal_light_server dumpstate:fifo_file write;
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/32.0/public/hal_lowpan.te b/prebuilts/api/32.0/public/hal_lowpan.te
new file mode 100644
index 000000000..6fb95e943
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_lowpan.te
@@ -0,0 +1,20 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_lowpan_client, hal_lowpan_server) +binder_call(hal_lowpan_server, hal_lowpan_client) + + +# Allow hal_lowpan_client to be able to find the hal_lowpan_server +hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice) + +# hal_lowpan domain can write/read to/from lowpan_prop +set_prop(hal_lowpan_server, lowpan_prop) + +# Allow hal_lowpan_server to open lowpan_devices +allow hal_lowpan_server lowpan_device:chr_file rw_file_perms; + +### +### neverallow rules +### + +# Only LoWPAN HAL may directly access LoWPAN hardware +neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr; diff --git a/prebuilts/api/32.0/public/hal_memtrack.te b/prebuilts/api/32.0/public/hal_memtrack.te new file mode 100644 index 000000000..30a4480bd --- /dev/null +++ b/prebuilts/api/32.0/public/hal_memtrack.te @@ -0,0 +1,7 @@ +# HwBinder IPC from client to server +binder_call(hal_memtrack_client, hal_memtrack_server) + +hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice) + +hal_attribute_service(hal_memtrack, hal_memtrack_service) +binder_call(hal_memtrack_server, servicemanager) diff --git a/prebuilts/api/32.0/public/hal_neuralnetworks.te b/prebuilts/api/32.0/public/hal_neuralnetworks.te new file mode 100644 index 000000000..7497deca7 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_neuralnetworks.te 
@@ -0,0 +1,41 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server) +binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client) + +hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice) +allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find; +allow hal_neuralnetworks hal_allocator:fd use; +allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find; +allow hal_neuralnetworks hal_graphics_allocator:fd use; + +# Allow NN HAL service to use a client-provided fd residing in /data/data/. +allow hal_neuralnetworks_server app_data_file:file { read write getattr map }; +allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map }; + +# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/. +allow hal_neuralnetworks_server shell_data_file:file { read write getattr map }; + +# Allow NN HAL service to read a client-provided ION memory fd. +allow hal_neuralnetworks_server ion_device:chr_file r_file_perms; + +# Allow NN HAL service to use a client-provided fd residing in /storage +allow hal_neuralnetworks_server storage_file:file { getattr map read }; + +# Allow NN HAL service to read a client-provided fd residing in /data/app/. +allow hal_neuralnetworks_server apk_data_file:file { getattr map read }; + +# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product +# property to determine whether to deny NNAPI extensions use for apps +# on product partition (apps in GSI are not allowed to use NNAPI extensions). +get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop); +# This property is only expected to be found in /product/build.prop, +# allow to be set only by init. 
+neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set; + +# Define sepolicy for NN AIDL HAL service +hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service) +binder_call(hal_neuralnetworks_server, servicemanager) + +binder_use(hal_neuralnetworks_server) + +allow hal_neuralnetworks_server dumpstate:fifo_file write; diff --git a/prebuilts/api/32.0/public/hal_neverallows.te b/prebuilts/api/32.0/public/hal_neverallows.te new file mode 100644 index 000000000..105689b8a --- /dev/null +++ b/prebuilts/api/32.0/public/hal_neverallows.te 
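Review bot: The `app_data_file`, `privapp_data_file` and `shell_data_file` rules grant `write` but, correctly, not `open`, and that omission is the only thing that keeps the NN HAL from touching app data on its own rather than through a client-supplied descriptor; the comments say "client-provided fd" but do not say that the missing `open` is what enforces it. A note such as `# No 'open' on purpose: the service may only use fds handed over by the client, never open these paths itself.` above that group would make the boundary explicit and discourage someone adding `open` later to silence a denial. The same applies to the read-only `storage_file` and `apk_data_file` rules below it.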
@@ -0,0 +1,71 @@ +# only HALs responsible for network hardware should have privileged +# network capabilities +neverallow { + halserverdomain + -hal_bluetooth_server + -hal_can_controller_server + -hal_wifi_server + -hal_wifi_hostapd_server + -hal_wifi_supplicant_server + -hal_telephony_server + -hal_uwb_server +} self:global_capability_class_set { net_admin net_raw }; + +# Unless a HAL's job is to communicate over the network, or control network +# hardware, it should not be using network sockets. +# NOTE: HALs for automotive devices have an exemption from this rule because in +# a car it is common to have external modules and HALs need to communicate to +# those modules using network. Using this exemption for non-automotive builds +# will result in CTS failure. +neverallow { + halserverdomain + -hal_automotive_socket_exemption + -hal_can_controller_server + -hal_tetheroffload_server + -hal_wifi_server + -hal_wifi_hostapd_server + -hal_wifi_supplicant_server + -hal_telephony_server + -hal_uwb_server +} domain:{ tcp_socket udp_socket rawip_socket } *; + +# The UWB HAL is not actually a networking HAL but may need to bring up and down +# interfaces. Restrict it to only these networking operations. +neverallow hal_uwb_server self:global_capability_class_set { net_raw }; + +# Subset of socket_class_set likely to be usable for communication or accessible through net_admin. +# udp_socket is required to use interface ioctls. 
+neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *; + +### +# HALs are defined as an attribute and so a given domain could hypothetically +# have multiple HALs in it (or even all of them) with the subsequent policy of +# the domain comprised of the union of all the HALs. +# +# This is a problem because +# 1) Security sensitive components should only be accessed by specific HALs. +# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in +# the platform. +# 3) The platform cannot reason about defense in depth if there are +# monolithic domains etc. +# +# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while +# its OK for them to share a process its not OK with them to share processes +# with other hals. +# +# The following neverallow rules, in conjuntion with CTS tests, assert that +# these security principles are adhered to. +# +# Do not allow a hal to exec another process without a domain transition. +# TODO remove exemptions. +neverallow { + halserverdomain + -hal_dumpstate_server + -hal_telephony_server +} { file_type fs_type }:file execute_no_trans; +# Do not allow a process other than init to transition into a HAL domain. +neverallow { domain -init } halserverdomain:process transition; +# Only allow transitioning to a domain by running its executable. Do not +# allow transitioning into a HAL domain by use of seclabel in an +# init.*.rc script. +neverallow * halserverdomain:process dyntransition; 
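Review bot: The per-class socket neverallow for `hal_uwb_server` leaves out `udp_socket` (explained by the comment) but also `netlink_generic_socket`, which the comment does not mention, so the UWB HAL keeps generic-netlink access while being denied plain `netlink_socket`. If that is intended, the comment above the list should say so, e.g. `# udp_socket (interface ioctls) and netlink_generic_socket are deliberately not listed.`; if not, `netlink_generic_socket` should be added to the set. Separately, the `execute_no_trans` neverallow still carries a "TODO remove exemptions" for `hal_telephony_server`, and the hal_telephony hunk later in this change is what relies on it via `vendor_shell_exec:file rx_file_perms`.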
diff --git a/prebuilts/api/32.0/public/hal_nfc.te b/prebuilts/api/32.0/public/hal_nfc.te
new file mode 100644
index 000000000..7cef4a17d
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_nfc.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
+
+hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(hal_nfc, nfc_prop)
+
+# NFC device access.
+allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/32.0/public/hal_oemlock.te b/prebuilts/api/32.0/public/hal_oemlock.te
new file mode 100644
index 000000000..9f38fa55a
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_oemlock.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
+
+hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_service(hal_oemlock, hal_oemlock_service)
+
+binder_call(hal_oemlock_server, servicemanager)
diff --git a/prebuilts/api/32.0/public/hal_omx.te b/prebuilts/api/32.0/public/hal_omx.te
new file mode 100644
index 000000000..8e74383d3
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_omx.te
@@ -0,0 +1,49 @@ +# applies all permissions to hal_omx NOT hal_omx_server +# since OMX must always be in its own process. + +binder_call(hal_omx_server, binderservicedomain) +binder_call(hal_omx_server, { appdomain -isolated_app }) + +# Allow hal_omx_server access to composer sync fences +allow hal_omx_server hal_graphics_composer:fd use; + +allow hal_omx_server ion_device:chr_file rw_file_perms; +allow hal_omx_server hal_camera:fd use; + +crash_dump_fallback(hal_omx_server) + +# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never +# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge +# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd +# via PDX. Thus, there is no need to use pdx_client macro. +allow hal_omx_server bufferhubd:fd use; + +hal_attribute_hwservice(hal_omx, hal_omx_hwservice) + +allow hal_omx_client hidl_token_hwservice:hwservice_manager find; + +get_prop(hal_omx_client, media_variant_prop) +get_prop(hal_omx_server, media_variant_prop) + +binder_call(hal_omx_client, hal_omx_server) +binder_call(hal_omx_server, hal_omx_client) + +### +### neverallow rules +### + +# hal_omx_server should never execute any executable without a +# domain transition +neverallow hal_omx_server { file_type fs_type }:file execute_no_trans; + +# The goal of the mediaserver split is to place media processing code into +# restrictive sandboxes with limited responsibilities and thus limited +# permissions. Example: Audioserver is only responsible for controlling audio +# hardware and processing audio content. Cameraserver does the same for camera +# hardware/content. Etc. +# +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *; 
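Review bot: `allow hal_omx_server ion_device:chr_file rw_file_perms;` is the only ION grant in this set that includes `write`; every other HAL here (graphics allocator/composer, keymaster, keymint, neuralnetworks, fingerprint) uses `r_file_perms`, which already carries `ioctl`, and ION allocation is ioctl-driven. Unless a vendor OMX implementation is known to write to the device node, `allow hal_omx_server ion_device:chr_file r_file_perms;` would match its siblings. Minor: "Recieve" in the bufferhubd comment should read "Receive".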
diff --git a/prebuilts/api/32.0/public/hal_power.te b/prebuilts/api/32.0/public/hal_power.te
new file mode 100644
index 000000000..aae32a016
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_power.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+hal_attribute_hwservice(hal_power, hal_power_hwservice)
+hal_attribute_service(hal_power, hal_power_service)
+
+binder_call(hal_power_server, servicemanager)
+binder_call(hal_power_client, servicemanager)
diff --git a/prebuilts/api/32.0/public/hal_power_stats.te b/prebuilts/api/32.0/public/hal_power_stats.te
new file mode 100644
index 000000000..4076effc9
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_power_stats.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_stats_client, hal_power_stats_server)
+binder_call(hal_power_stats_server, hal_power_stats_client)
+
+hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
+hal_attribute_service(hal_power_stats, hal_power_stats_service)
+
+binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/prebuilts/api/32.0/public/hal_rebootescrow.te b/prebuilts/api/32.0/public/hal_rebootescrow.te
new file mode 100644
index 000000000..d16333bae
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_rebootescrow.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
+
+hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
+
+binder_use(hal_rebootescrow_server)
diff --git a/prebuilts/api/32.0/public/hal_secure_element.te b/prebuilts/api/32.0/public/hal_secure_element.te
new file mode 100644
index 000000000..3724d35b0
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_secure_element.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_sensors.te b/prebuilts/api/32.0/public/hal_sensors.te
new file mode 100644
index 000000000..06e76f1e1
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_sensors.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/32.0/public/hal_telephony.te b/prebuilts/api/32.0/public/hal_telephony.te
new file mode 100644
index 000000000..f0cf075c8
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_telephony.te
@@ -0,0 +1,44 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_telephony_client, hal_telephony_server) +binder_call(hal_telephony_server, hal_telephony_client) + +hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice) + +allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls; + +allow hal_telephony_server self:netlink_route_socket nlmsg_write; +allow hal_telephony_server kernel:system module_request; +allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw }; +allow hal_telephony_server cgroup:dir create_dir_perms; +allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms; +allow hal_telephony_server cgroup_v2:dir create_dir_perms; +allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms; +allow hal_telephony_server radio_device:chr_file rw_file_perms; +allow hal_telephony_server radio_device:blk_file r_file_perms; +allow hal_telephony_server efs_file:dir create_dir_perms; +allow hal_telephony_server efs_file:file create_file_perms; +allow hal_telephony_server vendor_shell_exec:file rx_file_perms; +allow hal_telephony_server bluetooth_efs_file:file r_file_perms; +allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms; + +# property service +get_prop(hal_telephony_server, telephony_config_prop) +set_prop(hal_telephony_server, radio_control_prop) +set_prop(hal_telephony_server, radio_prop) +set_prop(hal_telephony_server, telephony_status_prop) + +allow hal_telephony_server tty_device:chr_file rw_file_perms; + +# Allow hal_telephony_server to create and use netlink sockets. 
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl; +allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl; +allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +# Access to wake locks +wakelock_use(hal_telephony_server) + +r_dir_file(hal_telephony_server, proc_net_type) +r_dir_file(hal_telephony_server, sysfs_type) + +# granting the ioctl permission for hal_telephony_server should be device specific +allow hal_telephony_server self:socket create_socket_perms_no_ioctl; diff --git a/prebuilts/api/32.0/public/hal_tetheroffload.te b/prebuilts/api/32.0/public/hal_tetheroffload.te new file mode 100644 index 000000000..cf5172366 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_tetheroffload.te @@ -0,0 +1,8 @@ +## HwBinder IPC from client to server, and callbacks +binder_call(hal_tetheroffload_client, hal_tetheroffload_server) +binder_call(hal_tetheroffload_server, hal_tetheroffload_client) + +hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice) + +# allow the client to pass the server already open netlink sockets +allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write }; diff --git a/prebuilts/api/32.0/public/hal_thermal.te b/prebuilts/api/32.0/public/hal_thermal.te new file mode 100644 index 000000000..2115da1b9 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_thermal.te @@ -0,0 +1,5 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_thermal_client, hal_thermal_server) +binder_call(hal_thermal_server, hal_thermal_client) + +hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice) diff --git a/prebuilts/api/32.0/public/hal_tv_cec.te b/prebuilts/api/32.0/public/hal_tv_cec.te new file mode 100644 index 000000000..658490474 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_tv_cec.te 
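Review bot: `allow hal_telephony_server vendor_shell_exec:file rx_file_perms;` lets the RIL run a shell inside its own domain, which is exactly the `execute_no_trans` exemption that hal_neverallows.te in this change still marks "TODO remove exemptions", and it sits next to `setpcap setgid setuid net_admin net_raw` and `kernel:system module_request`. None of these lines carries a comment saying which vendor behaviour needs them, so a reviewer cannot tell which are load-bearing. At minimum a comment such as `# vendor_shell_exec: relies on the execute_no_trans exemption in hal_neverallows.te; remove together with it.` would tie the two places together. The policy is a frozen prebuilt, so the edit would land in `public/`.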
@@ -0,0 +1,5 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_tv_input.te b/prebuilts/api/32.0/public/hal_tv_input.te
new file mode 100644
index 000000000..5a5bdda16
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_tv_input.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_tv_tuner.te b/prebuilts/api/32.0/public/hal_tv_tuner.te
new file mode 100644
index 000000000..0da4ec704
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_tv_tuner.te
@@ -0,0 +1,4 @@
+binder_call(hal_tv_tuner_client, hal_tv_tuner_server)
+binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
+
+hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_usb.te b/prebuilts/api/32.0/public/hal_usb.te
new file mode 100644
index 000000000..38bc49a21
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_usb.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
+
+allow hal_usb self:netlink_kobject_uevent_socket create;
+allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket getopt;
+allow hal_usb self:netlink_kobject_uevent_socket bind;
+allow hal_usb self:netlink_kobject_uevent_socket read;
+allow hal_usb sysfs:dir open;
+allow hal_usb sysfs:dir read;
+allow hal_usb sysfs:file read;
+allow hal_usb sysfs:file open;
+allow hal_usb sysfs:file write;
+allow hal_usb sysfs:file getattr;
+
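Review bot: In hal_usb.te, `allow hal_usb sysfs:file write;` grants write on the generic `sysfs` label rather than on a dedicated type, and to the `hal_usb` attribute rather than `hal_usb_server`; the healthd hunk later in this change references a `sysfs_usb` type, which suggests a narrower label already exists. If the nodes the HAL writes are known, `allow hal_usb_server sysfs_usb:file rw_file_perms;` would be the tighter grant; if they vary by device, a comment saying vendors are expected to label them would help. The six single-permission `sysfs` lines could also be collapsed to `r_dir_perms`/`r_file_perms` for readability.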
diff --git a/prebuilts/api/32.0/public/hal_usb_gadget.te b/prebuilts/api/32.0/public/hal_usb_gadget.te
new file mode 100644
index 000000000..a474652f7
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_usb_gadget.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file create_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
diff --git a/prebuilts/api/32.0/public/hal_vehicle.te b/prebuilts/api/32.0/public/hal_vehicle.te
new file mode 100644
index 000000000..6855d1469
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_vehicle.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+
+hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_vibrator.te b/prebuilts/api/32.0/public/hal_vibrator.te
new file mode 100644
index 000000000..c90249571
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_vibrator.te
@@ -0,0 +1,14 @@
+# HwBinder IPC client/server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+binder_call(hal_vibrator_server, hal_vibrator_client);
+
+hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
+hal_attribute_service(hal_vibrator, hal_vibrator_service)
+
+binder_call(hal_vibrator_server, servicemanager)
+
+allow hal_vibrator_server dumpstate:fifo_file write;
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_vibrator:dir search;
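Review bot: `binder_call(hal_vibrator_server, hal_vibrator_client);` in hal_vibrator.te ends with a semicolon that no other `binder_call` invocation in this change has; the macro already emits terminated rules, so the extra `;` is either a stray empty statement or a compile error depending on how checkpolicy treats it. It should be `binder_call(hal_vibrator_server, hal_vibrator_client)` like its neighbours. In hal_usb_gadget.te the `{ read create unlink}` set is missing the closing space used elsewhere in the file.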
diff --git a/prebuilts/api/32.0/public/hal_vr.te b/prebuilts/api/32.0/public/hal_vr.te
new file mode 100644
index 000000000..e52c77fba
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_vr.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/prebuilts/api/32.0/public/hal_weaver.te b/prebuilts/api/32.0/public/hal_weaver.te
new file mode 100644
index 000000000..2b3498992
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_weaver.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
+
+hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
+hal_attribute_service(hal_weaver, hal_weaver_service)
+
+binder_call(hal_weaver_server, servicemanager)
diff --git a/prebuilts/api/32.0/public/hal_wifi.te b/prebuilts/api/32.0/public/hal_wifi.te
new file mode 100644
index 000000000..2e4fa7859
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_wifi.te
@@ -0,0 +1,32 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_wifi_client, hal_wifi_server) +binder_call(hal_wifi_server, hal_wifi_client) + +hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice) + +r_dir_file(hal_wifi, proc_net_type) +r_dir_file(hal_wifi, sysfs_type) + +set_prop(hal_wifi_server, wifi_hal_prop) +set_prop(hal_wifi, wifi_prop) +userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)') + +# allow hal wifi set interfaces up and down and get the factory MAC +allow hal_wifi self:udp_socket create_socket_perms; +allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; + +allow hal_wifi self:global_capability_class_set { net_admin net_raw }; +# allow hal_wifi to speak to nl80211 in the kernel +allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl; +# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets +allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl; +# hal_wifi writes firmware paths to this file. +allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms }; +# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded +allow hal_wifi proc_modules:file { getattr open read }; +# Allow hal_wifi to send dump info to dumpstate +allow hal_wifi dumpstate:fifo_file write; + +# allow hal_wifi to write into /data/vendor/tombstones/wifi +allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms; +allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms; diff --git a/prebuilts/api/32.0/public/hal_wifi_hostapd.te b/prebuilts/api/32.0/public/hal_wifi_hostapd.te new file mode 100644 index 000000000..12d72b649 --- /dev/null +++ b/prebuilts/api/32.0/public/hal_wifi_hostapd.te 
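Review bot: hal_wifi.te grants `net_admin net_raw`, the `udp_socket` ioctls, the netlink sockets and `sysfs_wlan_fwpath` write to the `hal_wifi` attribute, while the property and tombstone rules in the same file are scoped to `hal_wifi_server`; the hal_neverallows hunk also exempts only `hal_wifi_server` from the capability neverallow, so the server is the domain these are meant for. Narrowing the capability and socket lines to `hal_wifi_server` would match that intent. The comment "newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets" is stale for an API-32 snapshot and could simply say `# nl80211 via generic netlink`.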
@@ -0,0 +1,27 @@ +# HwBinder IPC from client to server +binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server) +binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client) + +hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice) + +allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw }; + +allow hal_wifi_hostapd_server sysfs_net:dir search; + +# Allow hal_wifi_hostapd to access /proc/net/psched +allow hal_wifi_hostapd_server proc_net_type:file { getattr open read }; + +# Various socket permissions. +allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls; +allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl; +allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl; +allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl; +allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write; + +### +### neverallow rules +### + +# hal_wifi_hostapd should not trust any data from sdcards +neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr; +neverallow hal_wifi_hostapd_server sdcard_type:file *; diff --git a/prebuilts/api/32.0/public/hal_wifi_supplicant.te b/prebuilts/api/32.0/public/hal_wifi_supplicant.te new file mode 100644 index 000000000..7361af15f --- /dev/null +++ b/prebuilts/api/32.0/public/hal_wifi_supplicant.te 
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant_server)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/32.0/public/healthd.te b/prebuilts/api/32.0/public/healthd.te
new file mode 100644
index 000000000..05acb84a0
--- /dev/null
+++ b/prebuilts/api/32.0/public/healthd.te
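Review bot: `allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };` grants tty ioctls on a packet socket with no comment naming the ioctl wpa_supplicant actually issues, whereas the udp_socket rule above it does explain its priv_sock_ioctls grant. A one-line comment such as `# unpriv_tty_ioctls: needed for <ioctl> issued by wpa_supplicant on the packet socket (b/...)` with the real ioctl and bug filled in would let a later reviewer decide whether that set can be dropped. The capability line also bundles `setuid setgid` with the network capabilities; if those exist so the daemon can drop privileges at startup, saying so would help. As this is a prebuilt API snapshot, the change has to land in the source policy first.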
@@ -0,0 +1,50 @@
+# healthd - battery/charger monitoring service daemon
+type healthd, domain;
+type healthd_exec, system_file_type, exec_type, file_type;
+
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+allow healthd sysfs_type:dir search;
+# Allow to read /sys/class/power_supply directory.
+allow healthd sysfs:dir r_dir_perms;
+r_dir_file(healthd, rootfs)
+r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
+
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
+dontaudit healthd self:global_capability_class_set sys_resource;
+
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+wakelock_use(healthd)
+
+hal_client_domain(healthd, hal_health)
+
+# Read/write to /sys/power/state
+allow healthd sysfs_power:file rw_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
+r_dir_file(healthd, sysfs_batteryinfo)
+
+###
+### healthd: charger mode
+###
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
+allow healthd graphics_device:dir r_dir_perms;
+allow healthd graphics_device:chr_file rw_file_perms;
+allow healthd input_device:dir r_dir_perms;
+allow healthd input_device:chr_file r_file_perms;
+allow healthd tty_device:chr_file rw_file_perms;
+allow healthd ashmem_device:chr_file execute;
+allow healthd proc_sysrq:file rw_file_perms;
diff --git a/prebuilts/api/32.0/public/heapprofd.te b/prebuilts/api/32.0/public/heapprofd.te
new file mode 100644
index 000000000..7ceb23feb
--- /dev/null
+++ b/prebuilts/api/32.0/public/heapprofd.te
@@ -0,0 +1 @@
+type heapprofd, domain, coredomain;
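Review bot: `allow healthd proc_sysrq:file rw_file_perms;` is the most powerful rule in the charger-mode section and the only one there without a comment; a write to /proc/sysrq-trigger can reboot or crash the device, so the reason and the direction should be stated, e.g. `# charger mode writes /proc/sysrq-trigger to restart into the OS; confirm whether read is actually needed`, and if only writes are issued `w_file_perms` would be the tighter grant. The carried-over `# TODO: added to match above sysfs rule. Remove me?` on `sysfs_usb:file write` is also worth resolving rather than freezing into the 32.0 API snapshot. Both changes have to be made in the source policy this prebuilt mirrors.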
diff --git a/prebuilts/api/32.0/public/hwservice.te b/prebuilts/api/32.0/public/hwservice.te
new file mode 100644
index 000000000..11b77f08b
--- /dev/null
+++ b/prebuilts/api/32.0/public/hwservice.te
@@ -0,0 +1,101 @@
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+# are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+# - hal_drm_hwservice: versions > API 29 are designed specifically with
+# untrusted app access in mind.
+type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_cas_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+
+###
+### Neverallow rules
+###
+
+# hwservicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a
+# hwservice. Trigger a compile error if this occurs.
+neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/prebuilts/api/32.0/public/hwservicemanager.te b/prebuilts/api/32.0/public/hwservicemanager.te
new file mode 100644
index 000000000..7ec187233
--- /dev/null
+++ b/prebuilts/api/32.0/public/hwservicemanager.te
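Review bot: The comment block explaining why some hwservices are left without protected_hwservice does not cover every type declared that way below it: `hal_cas_hwservice`, `hal_neuralnetworks_hwservice` and `hidl_base_hwservice` carry neither protected_hwservice nor same_process_hwservice nor coredomain_hwservice, yet have no bullet. Since that list is what a reviewer consults before accepting a new app-reachable hwservice, I would add one bullet per missing type, in the existing `# - <type>: because ...` form, stating the actual reason each is exposed to untrusted apps; I cannot supply the reasons from this file. `becuase` in the configstore bullet is a typo. Both edits belong in the source public/hwservice.te that this prebuilt snapshot mirrors.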
@@ -0,0 +1,20 @@
+# hwservicemanager - the Binder context manager for HAL services
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, system_file_type, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/32.0/public/idmap.te b/prebuilts/api/32.0/public/idmap.te
new file mode 100644
index 000000000..f41f573ea
--- /dev/null
+++ b/prebuilts/api/32.0/public/idmap.te
@@ -0,0 +1,31 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, system_file_type, exec_type, file_type;
+
+# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
+
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+binder_service(idmap)
+add_service(idmap, idmap_service)
diff --git a/prebuilts/api/32.0/public/incident.te b/prebuilts/api/32.0/public/incident.te
new file mode 100644
index 000000000..ce57bf650
--- /dev/null
+++ b/prebuilts/api/32.0/public/incident.te
@@ -0,0 +1,8 @@
+# The incident command is used to call into the incidentd service to
+# take an incident report (binary, shared bugreport), download incident
+# reports that have already been taken, and monitor for new ones.
+# It doesn't do anything else.
+
+# incident
+type incident, domain;
+
diff --git a/prebuilts/api/32.0/public/incident_helper.te b/prebuilts/api/32.0/public/incident_helper.te
new file mode 100644
index 000000000..bca101869
--- /dev/null
+++ b/prebuilts/api/32.0/public/incident_helper.te
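Review bot: The comments `# Allow apps access to /vendor/app` and `# Allow apps access to /vendor/overlay` name the wrong subject: the `r_dir_file(idmap, ...)` rules under them grant read access to the idmap domain, not to apps. I would change them to `# Allow idmap to read target/overlay apks under /vendor/app` and `# Allow idmap to read overlays under /vendor/overlay`. The `# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)` above `allow idmap installd:fd use;` is being frozen into the 32.0 API snapshot, which makes that fd-inheritance path harder to remove later, so it is worth checking whether the bug can be closed first; as with the comment fix, the change goes in the source policy this prebuilt mirrors.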
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/prebuilts/api/32.0/public/incidentd.te b/prebuilts/api/32.0/public/incidentd.te
new file mode 100644
index 000000000..b03249c88
--- /dev/null
+++ b/prebuilts/api/32.0/public/incidentd.te
@@ -0,0 +1,3 @@
+# incidentd
+type incidentd, domain;
+
diff --git a/prebuilts/api/32.0/public/init.te b/prebuilts/api/32.0/public/init.te
new file mode 100644
index 000000000..ea5a9793d
--- /dev/null
+++ b/prebuilts/api/32.0/public/init.te
@@ -0,0 +1,659 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+#
+# init direct restorecon calls.
+#
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { open write relabelto };
+')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# allow init to establish connection and communicate with lmkd
+unix_socket_connect(init, lmkd, lmkd)
+# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
+allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init {
+ metadata_block_device
+ misc_block_device
+ recovery_block_device
+ system_block_device
+ userdata_block_device
+}:{ blk_file lnk_file } relabelto;
+
+allow init super_block_device:lnk_file relabelto;
+
+# Create /mnt/sdcard -> /storage/self/primary symlink.
+allow init mnt_sdcard_file:lnk_file create;
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+ rootfs
+ cache_file
+ cgroup
+ linkerconfig_file
+ storage_file
+ mnt_user_file
+ system_data_file
+ system_data_root_file
+ system_file
+ vendor_file
+ postinstall_mnt_dir
+ mirror_data_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Bind-mount on /system/apex/com.android.art
+allow init art_apex_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# /metadata
+allow init metadata_file:dir mounton;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+# Set system clock.
+allow init self:global_capability_class_set sys_time;
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+ fs_type
+ enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+ userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -apex_info_file
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -runtime_event_log_tags_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -apex_mnt_dir
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init {
+ file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+ -app_data_file
+ -privapp_data_file
+}:dir_file_class_set relabelto;
+
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow init debugfs_tracing:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -keychord_device
+ -proc_type
+ -sdcard_type
+ -sysfs_type
+ -rootfs
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+
+allow init {
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ input_device
+ kmsg_device
+ null_device
+ owntty_device
+ pmsg_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
+}:chr_file { read open };
+
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+userdebug_or_eng(`
+ # Overlayfs workdir write access check during mount to permit remount,rw
+ allow init overlayfs_file:dir { relabelfrom mounton write };
+ allow init overlayfs_file:file { append };
+ allow init system_block_device:blk_file { write };
+')
+
+allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net_type
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_bootconfig
+ proc_kmsg
+ proc_net
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_dm_verity
+ sysfs_leds
+ sysfs_power
+ sysfs_fs_f2fs
+ sysfs_dm
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
+};
+
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+ sysfs_zram
+}:file setattr;
+
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates credstore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init credstore_data_file:dir { open create read getattr setattr search };
+allow init credstore_data_file:file { getattr };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# keychord retrieval from /dev/input/ devices
+allow init input_device:dir r_dir_perms;
+allow init input_device:chr_file rw_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to create /data/unencrypted
+allow init unencrypted_data_file:dir create_dir_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm init { data_file_type unlabeled }:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+allow init metadata_bootstat_file:dir create_dir_perms;
+allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel } init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init { app_data_file privapp_data_file }:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
+
+# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
+# when init is executing other binaries. The use of LD_PRELOAD for init spawned
+# services is generally considered a no-no, as it injects libraries which the
+# binary was not expecting. This is especially problematic for APEXes. The use
+# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
+# code into a process which wasn't expecting that code, with potentially
+# unexpected side effects. (b/140789528)
+neverallow init *:process noatsecure;
+
+# init can never add binder services
+neverallow init service_manager_type:service_manager { add find };
+# init can never list binder services
+neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open read write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace; + +# init owns the root of /data +# TODO(b/140259336) We want to remove vendor_init +# TODO(b/141108496) We want to remove toolbox +neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name }; diff --git a/prebuilts/api/32.0/public/inputflinger.te b/prebuilts/api/32.0/public/inputflinger.te new file mode 100644 index 000000000..b62c06dbe --- /dev/null +++ b/prebuilts/api/32.0/public/inputflinger.te @@ -0,0 +1,16 @@ +# inputflinger +type inputflinger, domain; +type inputflinger_exec, system_file_type, exec_type, file_type; + +binder_use(inputflinger) +binder_service(inputflinger) + +binder_call(inputflinger, system_server) + +wakelock_use(inputflinger) + +allow inputflinger input_device:dir r_dir_perms; +allow inputflinger input_device:chr_file rw_file_perms; + +r_dir_file(inputflinger, cgroup) +r_dir_file(inputflinger, cgroup_v2) diff --git a/prebuilts/api/32.0/public/installd.te b/prebuilts/api/32.0/public/installd.te new file mode 100644 index 000000000..08060e30d --- /dev/null +++ b/prebuilts/api/32.0/public/installd.te 
@@ -0,0 +1,179 @@
+# installer daemon
+type installd, domain;
+type installd_exec, system_file_type, exec_type, file_type;
+typeattribute installd mlstrustedsubject;
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
+
+# Allow labeling of files under /data/app/com.example/oat/
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
+allowxperm installd apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow installd asec_apk_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
+allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
+allow installd mnt_expand_file:dir { search getattr };
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
+
+# Search /data/app-asec and stat files in it.
+allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
+
+# Create /data/user and /data/user/0 if necessary.
+# Also required to initially create /data/data subdirectories
+# and lib symlinks before the setfilecon call. May want to
+# move symlink creation after setfilecon in installd.
+allow installd system_data_file:dir create_dir_perms;
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
+# Upgrade /data/media for multi-user if necessary.
+allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file { getattr unlink };
+# restorecon new /data/media directory.
+allow installd system_data_file:dir relabelfrom;
+allow installd media_rw_data_file:dir relabelto;
+
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
+
+# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
+allow installd mirror_data_file:dir { create_dir_perms mounton };
+
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
+# Create /data/misc/installd/layout_version.* file
+allow installd install_data_file:file create_file_perms;
+allow installd install_data_file:dir rw_dir_perms;
+
+# Create files under /data/dalvik-cache.
+allow installd dalvikcache_data_file:dir create_dir_perms;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
+
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
+# Upgrade from unlabeled userdata.
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
+
+# Upgrade from before system_app_data_file was used for system UID apps.
+# Just need enough to relabel it and to unlink removed package files.
+# Directory access covered by earlier rule above.
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
+
+# Manage /data/data subdirectories, including initially labeling them
+# upon creation via setfilecon or running restorecon_recursive,
+# setting owner/mode, creating symlinks within them, and deleting them
+# upon package uninstall.
+allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
+# Allow zygote to unmount mirror directories
+allow installd labeledfs:filesystem unmount;
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
+
+# execute toybox for app relocation
+allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+# Allow installd to read /proc/filesystems
+allow installd proc_filesystems:file r_file_perms;
+
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
+neverallow installd {
+ domain
+ -system_server
+ -servicemanager
+ userdebug_or_eng(`-su')
+}:binder call;
diff --git a/prebuilts/api/32.0/public/ioctl_defines b/prebuilts/api/32.0/public/ioctl_defines
new file mode 100644
index 000000000..5ac4d9458
--- /dev/null
+++ b/prebuilts/api/32.0/public/ioctl_defines
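Review bot: The rule `get_prop(installd, storage_config_prop)` under the comment `#add for move app to sd card` reads as a local addition to a frozen API snapshot (prebuilts/api/32.0), and its comment does not follow the surrounding style — no space after `#`, no capitalised sentence, no bug reference — nor say which property the daemon needs or why. If this grant is intentional it presumably has to exist in the live public/installd.te as well, since the prebuilt snapshot is meant to mirror the frozen public policy and any freeze comparison between the two would otherwise flag the divergence; if it is vendor-specific it belongs in vendor policy rather than in the platform snapshot. At minimum the comment should match the neighbouring ones and justify the grant, e.g. `# Allow installd to read storage configuration properties when moving apps to the SD card (TODO: add bug reference).` The hunk is complete within this view.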
@@ -0,0 +1,2751 @@ +define(`ADD_NEW_DISK', `0x40140921') +define(`ADV7842_CMD_RAM_TEST', `0x000056c0') +define(`AGPIOC_ACQUIRE', `0x00004101') +define(`AGPIOC_ALLOCATE', `0xc0084106') +define(`AGPIOC_BIND', `0x40084108') +define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a') +define(`AGPIOC_DEALLOCATE', `0x40044107') +define(`AGPIOC_INFO', `0x80084100') +define(`AGPIOC_PROTECT', `0x40084105') +define(`AGPIOC_RELEASE', `0x00004102') +define(`AGPIOC_RESERVE', `0x40084104') +define(`AGPIOC_SETUP', `0x40084103') +define(`AGPIOC_UNBIND', `0x40084109') +define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02') +define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03') +define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05') +define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06') +define(`AMDKFD_IOC_GET_VERSION', `0x80084b01') +define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04') +define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07') +define(`ANDROID_ALARM_SET_RTC', `0x40106105') +define(`ANDROID_ALARM_WAIT', `0x00006101') +define(`APEI_ERST_CLEAR_RECORD', `0x40084501') +define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502') +define(`APM_IOC_STANDBY', `0x00004101') +define(`APM_IOC_SUSPEND', `0x00004102') +define(`ASHMEM_GET_NAME', `0x81007702') +define(`ASHMEM_GET_PIN_STATUS', `0x00007709') +define(`ASHMEM_GET_PROT_MASK', `0x00007706') +define(`ASHMEM_GET_SIZE', `0x00007704') +define(`ASHMEM_PIN', `0x40087707') +define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a') +define(`ASHMEM_SET_NAME', `0x41007701') +define(`ASHMEM_SET_PROT_MASK', `0x40087705') +define(`ASHMEM_SET_SIZE', `0x40087703') +define(`ASHMEM_UNPIN', `0x40087708') +define(`ATM_ADDADDR', `0x40106188') +define(`ATM_ADDLECSADDR', `0x4010618e') +define(`ATM_ADDPARTY', `0x401061f4') +define(`ATMARPD_CTRL', `0x000061e1') +define(`ATMARP_ENCAP', `0x000061e5') +define(`ATMARP_MKIP', `0x000061e2') +define(`ATMARP_SETENTRY', `0x000061e3') +define(`ATM_DELADDR', `0x40106189') +define(`ATM_DELLECSADDR', `0x4010618f') +define(`ATM_DROPPARTY', `0x400461f5') 
+define(`ATM_GETADDR', `0x40106186') +define(`ATM_GETCIRANGE', `0x4010618a') +define(`ATM_GETESI', `0x40106185') +define(`ATM_GETLECSADDR', `0x40106190') +define(`ATM_GETLINKRATE', `0x40106181') +define(`ATM_GETLOOP', `0x40106152') +define(`ATM_GETNAMES', `0x40106183') +define(`ATM_GETSTAT', `0x40106150') +define(`ATM_GETSTATZ', `0x40106151') +define(`ATM_GETTYPE', `0x40106184') +define(`ATMLEC_CTRL', `0x000061d0') +define(`ATMLEC_DATA', `0x000061d1') +define(`ATMLEC_MCAST', `0x000061d2') +define(`ATMMPC_CTRL', `0x000061d8') +define(`ATMMPC_DATA', `0x000061d9') +define(`ATM_NEWBACKENDIF', `0x400261f3') +define(`ATM_QUERYLOOP', `0x40106154') +define(`ATM_RSTADDR', `0x40106187') +define(`ATM_SETBACKEND', `0x400261f2') +define(`ATM_SETCIRANGE', `0x4010618b') +define(`ATM_SETESI', `0x4010618c') +define(`ATM_SETESIF', `0x4010618d') +define(`ATM_SETLOOP', `0x40106153') +define(`ATM_SETSC', `0x400461f1') +define(`ATMSIGD_CTRL', `0x000061f0') +define(`ATMTCP_CREATE', `0x0000618e') +define(`ATMTCP_REMOVE', `0x0000618f') +define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14') +define(`AUDIO_CHANNEL_SELECT', `0x00006f09') +define(`AUDIO_CLEAR_BUFFER', `0x00006f0c') +define(`AUDIO_CONTINUE', `0x00006f04') +define(`AUDIO_GET_CAPABILITIES', `0x80046f0b') +define(`AUDIO_GET_PTS', `0x80086f13') +define(`AUDIO_GET_STATUS', `0x80206f0a') +define(`AUDIO_PAUSE', `0x00006f03') +define(`AUDIO_PLAY', `0x00006f02') +define(`AUDIO_SELECT_SOURCE', `0x00006f05') +define(`AUDIO_SET_ATTRIBUTES', `0x40026f11') +define(`AUDIO_SET_AV_SYNC', `0x00006f07') +define(`AUDIO_SET_BYPASS_MODE', `0x00006f08') +define(`AUDIO_SET_EXT_ID', `0x00006f10') +define(`AUDIO_SET_ID', `0x00006f0d') +define(`AUDIO_SET_KARAOKE', `0x400c6f12') +define(`AUDIO_SET_MIXER', `0x40086f0e') +define(`AUDIO_SET_MUTE', `0x00006f06') +define(`AUDIO_SET_STREAMTYPE', `0x00006f0f') +define(`AUDIO_STOP', `0x00006f01') +define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d') +define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379') 
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375') +define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c') +define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377') +define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e') +define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374') +define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373') +define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372') +define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376') +define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b') +define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378') +define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a') +define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371') +define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370') +define(`AUTOFS_IOC_CATATONIC', `0x00009362') +define(`AUTOFS_IOC_EXPIRE', `0x810c9365') +define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366') +define(`AUTOFS_IOC_FAIL', `0x00009361') +define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367') +define(`AUTOFS_IOC_PROTOVER', `0x80049363') +define(`AUTOFS_IOC_READY', `0x00009360') +define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364') +define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364') +define(`BC_ACQUIRE', `0x40046305') +define(`BC_ACQUIRE_DONE', `0x40106309') +define(`BC_ACQUIRE_RESULT', `0x40046302') +define(`BC_ATTEMPT_ACQUIRE', `0x4008630a') +define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f') +define(`BC_DEAD_BINDER_DONE', `0x40086310') +define(`BC_DECREFS', `0x40046307') +define(`BC_ENTER_LOOPER', `0x0000630c') +define(`BC_EXIT_LOOPER', `0x0000630d') +define(`BC_FREE_BUFFER', `0x40086303') +define(`BC_INCREFS', `0x40046304') +define(`BC_INCREFS_DONE', `0x40106308') +define(`BC_REGISTER_LOOPER', `0x0000630b') +define(`BC_RELEASE', `0x40046306') +define(`BC_REPLY', `0x40406301') +define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e') +define(`BC_TRANSACTION', `0x40406300') +define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210') +define(`BINDER_FREEZE', `0x400c620e') +define(`BINDER_GET_FROZEN_INFO', `0xc00c620f') +define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b') 
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c') +define(`BINDER_SET_CONTEXT_MGR', `0x40046207') +define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d') +define(`BINDER_SET_IDLE_PRIORITY', `0x40046206') +define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203') +define(`BINDER_SET_MAX_THREADS', `0x40046205') +define(`BINDER_THREAD_EXIT', `0x40046208') +define(`BINDER_VERSION', `0xc0046209') +define(`BINDER_WRITE_READ', `0xc0306201') +define(`BLKALIGNOFF', `0x0000127a') +define(`BLKBSZGET', `0x80081270') +define(`BLKBSZSET', `0x40081271') +define(`BLKDISCARD', `0x00001277') +define(`BLKDISCARDZEROES', `0x0000127c') +define(`BLKFLSBUF', `0x00001261') +define(`BLKFRAGET', `0x00001265') +define(`BLKFRASET', `0x00001264') +define(`BLKGETSIZE', `0x00001260') +define(`BLKGETSIZE64', `0x80081272') +define(`BLKI2OGRSTRAT', `0x80043201') +define(`BLKI2OGWSTRAT', `0x80043202') +define(`BLKI2OSRSTRAT', `0x40043203') +define(`BLKI2OSWSTRAT', `0x40043204') +define(`BLKIOMIN', `0x00001278') +define(`BLKIOOPT', `0x00001279') +define(`BLKPBSZGET', `0x0000127b') +define(`BLKPG', `0x00001269') +define(`BLKRAGET', `0x00001263') +define(`BLKRASET', `0x00001262') +define(`BLKROGET', `0x0000125e') +define(`BLKROSET', `0x0000125d') +define(`BLKROTATIONAL', `0x0000127e') +define(`BLKRRPART', `0x0000125f') +define(`BLKSECDISCARD', `0x0000127d') +define(`BLKSECTGET', `0x00001267') +define(`BLKSECTSET', `0x00001266') +define(`BLKSSZGET', `0x00001268') +define(`BLKTRACESETUP', `0xc0481273') +define(`BLKTRACESTART', `0x00001274') +define(`BLKTRACESTOP', `0x00001275') +define(`BLKTRACETEARDOWN', `0x00001276') +define(`BLKZEROOUT', `0x0000127f') +define(`BR2684_SETFILT', `0x401c6190') +define(`BR_ACQUIRE', `0x80107208') +define(`BR_ACQUIRE_RESULT', `0x80047204') +define(`BR_ATTEMPT_ACQUIRE', `0x8018720b') +define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210') +define(`BR_DEAD_BINDER', `0x8008720f') +define(`BR_DEAD_REPLY', `0x00007205') +define(`BR_DECREFS', `0x8010720a') +define(`BR_ERROR', 
`0x80047200') +define(`BR_FAILED_REPLY', `0x00007211') +define(`BR_FINISHED', `0x0000720e') +define(`BR_INCREFS', `0x80107207') +define(`BR_NOOP', `0x0000720c') +define(`BR_OK', `0x00007201') +define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213') +define(`BR_RELEASE', `0x80107209') +define(`BR_REPLY', `0x80407203') +define(`BR_SPAWN_LOOPER', `0x0000720d') +define(`BR_TRANSACTION', `0x80407202') +define(`BR_TRANSACTION_COMPLETE', `0x00007206') +define(`BT819_FIFO_RESET_HIGH', `0x00006201') +define(`BT819_FIFO_RESET_LOW', `0x00006200') +define(`BTRFS_IOC_ADD_DEV', `0x5000940a') +define(`BTRFS_IOC_BALANCE', `0x5000940c') +define(`BTRFS_IOC_BALANCE_CTL', `0x40049421') +define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422') +define(`BTRFS_IOC_BALANCE_V2', `0xc4009420') +define(`BTRFS_IOC_CLONE', `0x40049409') +define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d') +define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413') +define(`BTRFS_IOC_DEFRAG', `0x50009402') +define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410') +define(`BTRFS_IOC_DEVICES_READY', `0x90009427') +define(`BTRFS_IOC_DEV_INFO', `0xd000941e') +define(`BTRFS_IOC_DEV_REPLACE', `0xca289435') +define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436') +define(`BTRFS_IOC_FS_INFO', `0x8400941f') +define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434') +define(`BTRFS_IOC_GET_FEATURES', `0x80189439') +define(`BTRFS_IOC_GET_FSLABEL', `0x81009431') +define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439') +define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412') +define(`BTRFS_IOC_INO_PATHS', `0xc0389423') +define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424') +define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429') +define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a') +define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b') +define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428') +define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c') +define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d') +define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e') +define(`BTRFS_IOC_RESIZE', `0x50009403') +define(`BTRFS_IOC_RM_DEV', `0x5000940b') 
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404') +define(`BTRFS_IOC_SCRUB', `0xc400941b') +define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c') +define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d') +define(`BTRFS_IOC_SEND', `0x40489426') +define(`BTRFS_IOC_SET_FEATURES', `0x40309439') +define(`BTRFS_IOC_SET_FSLABEL', `0x41009432') +define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425') +define(`BTRFS_IOC_SNAP_CREATE', `0x50009401') +define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417') +define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f') +define(`BTRFS_IOC_SPACE_INFO', `0xc0109414') +define(`BTRFS_IOC_START_SYNC', `0x80089418') +define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e') +define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418') +define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419') +define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a') +define(`BTRFS_IOC_SYNC', `0x00009408') +define(`BTRFS_IOC_TRANS_END', `0x00009407') +define(`BTRFS_IOC_TRANS_START', `0x00009406') +define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411') +define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411') +define(`BTRFS_IOC_WAIT_SYNC', `0x40089416') +define(`CA_GET_CAP', `0x80106f81') +define(`CA_GET_DESCR_INFO', `0x80086f83') +define(`CA_GET_MSG', `0x810c6f84') +define(`CA_GET_SLOT_INFO', `0x800c6f82') +define(`CAPI_CLR_FLAGS', `0x80044325') +define(`CAPI_GET_ERRCODE', `0x80024321') +define(`CAPI_GET_FLAGS', `0x80044323') +define(`CAPI_GET_MANUFACTURER', `0xc0044306') +define(`CAPI_GET_PROFILE', `0xc0404309') +define(`CAPI_GET_SERIAL', `0xc0044308') +define(`CAPI_GET_VERSION', `0xc0104307') +define(`CAPI_INSTALLED', `0x80024322') +define(`CAPI_MANUFACTURER_CMD', `0xc0104320') +define(`CAPI_NCCI_GETUNIT', `0x80044327') +define(`CAPI_NCCI_OPENCOUNT', `0x80044326') +define(`CAPI_REGISTER', `0x400c4301') +define(`CAPI_SET_FLAGS', `0x80044324') +define(`CA_RESET', `0x00006f80') +define(`CA_SEND_MSG', `0x410c6f85') +define(`CA_SET_DESCR', `0x40106f86') +define(`CA_SET_PID', `0x40086f87') +define(`CCISS_BIG_PASSTHRU', `0xc0604212') 
+define(`CCISS_DEREGDISK', `0x0000420c') +define(`CCISS_GETBUSTYPES', `0x80044207') +define(`CCISS_GETDRIVVER', `0x80044209') +define(`CCISS_GETFIRMVER', `0x80044208') +define(`CCISS_GETHEARTBEAT', `0x80044206') +define(`CCISS_GETINTINFO', `0x80084202') +define(`CCISS_GETLUNINFO', `0x800c4211') +define(`CCISS_GETNODENAME', `0x80104204') +define(`CCISS_GETPCIINFO', `0x80084201') +define(`CCISS_PASSTHRU', `0xc058420b') +define(`CCISS_REGNEWD', `0x0000420e') +define(`CCISS_REGNEWDISK', `0x4004420d') +define(`CCISS_RESCANDISK', `0x00004210') +define(`CCISS_REVALIDVOLS', `0x0000420a') +define(`CCISS_SETINTINFO', `0x40084203') +define(`CCISS_SETNODENAME', `0x40104205') +define(`CDROMAUDIOBUFSIZ', `0x00005382') +define(`CDROM_CHANGER_NSLOTS', `0x00005328') +define(`CDROM_CLEAR_OPTIONS', `0x00005321') +define(`CDROMCLOSETRAY', `0x00005319') +define(`CDROM_DEBUG', `0x00005330') +define(`CDROM_DISC_STATUS', `0x00005327') +define(`CDROM_DRIVE_STATUS', `0x00005326') +define(`CDROMEJECT', `0x00005309') +define(`CDROMEJECT_SW', `0x0000530f') +define(`CDROM_GET_CAPABILITY', `0x00005331') +define(`CDROM_GET_MCN', `0x00005311') +define(`CDROMGETSPINDOWN', `0x0000531d') +define(`CDROM_LAST_WRITTEN', `0x00005395') +define(`CDROM_LOCKDOOR', `0x00005329') +define(`CDROM_MEDIA_CHANGED', `0x00005325') +define(`CDROMMULTISESSION', `0x00005310') +define(`CDROM_NEXT_WRITABLE', `0x00005394') +define(`CDROMPAUSE', `0x00005301') +define(`CDROMPLAYBLK', `0x00005317') +define(`CDROMPLAYMSF', `0x00005303') +define(`CDROMPLAYTRKIND', `0x00005304') +define(`CDROMREADALL', `0x00005318') +define(`CDROMREADAUDIO', `0x0000530e') +define(`CDROMREADCOOKED', `0x00005315') +define(`CDROMREADMODE1', `0x0000530d') +define(`CDROMREADMODE2', `0x0000530c') +define(`CDROMREADRAW', `0x00005314') +define(`CDROMREADTOCENTRY', `0x00005306') +define(`CDROMREADTOCHDR', `0x00005305') +define(`CDROMRESET', `0x00005312') +define(`CDROMRESUME', `0x00005302') +define(`CDROMSEEK', `0x00005316') +define(`CDROM_SELECT_DISC', 
`0x00005323') +define(`CDROM_SELECT_SPEED', `0x00005322') +define(`CDROM_SEND_PACKET', `0x00005393') +define(`CDROM_SET_OPTIONS', `0x00005320') +define(`CDROMSETSPINDOWN', `0x0000531e') +define(`CDROMSTART', `0x00005308') +define(`CDROMSTOP', `0x00005307') +define(`CDROMSUBCHNL', `0x0000530b') +define(`CDROMVOLCTRL', `0x0000530a') +define(`CDROMVOLREAD', `0x00005313') +define(`CHIOEXCHANGE', `0x401c6302') +define(`CHIOGELEM', `0x406c6310') +define(`CHIOGPARAMS', `0x80146306') +define(`CHIOGPICKER', `0x80046304') +define(`CHIOGSTATUS', `0x40106308') +define(`CHIOGVPARAMS', `0x80706313') +define(`CHIOINITELEM', `0x00006311') +define(`CHIOMOVE', `0x40146301') +define(`CHIOPOSITION', `0x400c6303') +define(`CHIOSPICKER', `0x40046305') +define(`CHIOSVOLTAG', `0x40306312') +define(`CIOC_KERNEL_VERSION', `0xc008630a') +define(`CLEAR_ARRAY', `0x00000920') +define(`CM_IOCARDOFF', `0x00006304') +define(`CM_IOCGATR', `0xc0086301') +define(`CM_IOCGSTATUS', `0x80086300') +define(`CM_IOCSPTS', `0x40086302') +define(`CM_IOCSRDR', `0x00006303') +define(`CM_IOSDBGLVL', `0x400863fa') +define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01') +define(`CXL_IOCTL_START_WORK', `0x4040ca00') +define(`DM_DEV_CREATE', `0xc138fd03') +define(`DM_DEV_REMOVE', `0xc138fd04') +define(`DM_DEV_RENAME', `0xc138fd05') +define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f') +define(`DM_DEV_STATUS', `0xc138fd07') +define(`DM_DEV_SUSPEND', `0xc138fd06') +define(`DM_DEV_WAIT', `0xc138fd08') +define(`DM_LIST_DEVICES', `0xc138fd02') +define(`DM_LIST_VERSIONS', `0xc138fd0d') +define(`DM_REMOVE_ALL', `0xc138fd01') +define(`DM_TABLE_CLEAR', `0xc138fd0a') +define(`DM_TABLE_DEPS', `0xc138fd0b') +define(`DM_TABLE_LOAD', `0xc138fd09') +define(`DM_TABLE_STATUS', `0xc138fd0c') +define(`DM_TARGET_MSG', `0xc138fd0e') +define(`DM_VERSION', `0xc138fd00') +define(`DMX_ADD_PID', `0x40026f33') +define(`DMX_GET_CAPS', `0x80086f30') +define(`DMX_GET_PES_PIDS', `0x800a6f2f') +define(`DMX_GET_STC', `0xc0106f32') +define(`DMX_REMOVE_PID', 
`0x40026f34') +define(`DMX_SET_BUFFER_SIZE', `0x00006f2d') +define(`DMX_SET_FILTER', `0x403c6f2b') +define(`DMX_SET_PES_FILTER', `0x40146f2c') +define(`DMX_SET_SOURCE', `0x40046f31') +define(`DMX_START', `0x00006f29') +define(`DMX_STOP', `0x00006f2a') +define(`DRM_IOCTL_ADD_BUFS', `0xc0206416') +define(`DRM_IOCTL_ADD_CTX', `0xc0086420') +define(`DRM_IOCTL_ADD_DRAW', `0xc0046427') +define(`DRM_IOCTL_ADD_MAP', `0xc0286415') +define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430') +define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434') +define(`DRM_IOCTL_AGP_BIND', `0x40106436') +define(`DRM_IOCTL_AGP_ENABLE', `0x40086432') +define(`DRM_IOCTL_AGP_FREE', `0x40206435') +define(`DRM_IOCTL_AGP_INFO', `0x80386433') +define(`DRM_IOCTL_AGP_RELEASE', `0x00006431') +define(`DRM_IOCTL_AGP_UNBIND', `0x40106437') +define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411') +define(`DRM_IOCTL_BLOCK', `0xc0046412') +define(`DRM_IOCTL_CONTROL', `0x40086414') +define(`DRM_IOCTL_DMA', `0xc0406429') +define(`DRM_IOCTL_DROP_MASTER', `0x0000641f') +define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462') +define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460') +define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461') +define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440') +define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444') +define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473') +define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470') +define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472') +define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471') +define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447') +define(`DRM_IOCTL_FINISH', `0x4008642c') +define(`DRM_IOCTL_FREE_BUFS', `0x4010641a') +define(`DRM_IOCTL_GEM_CLOSE', `0x40086409') +define(`DRM_IOCTL_GEM_FLINK', `0xc008640a') +define(`DRM_IOCTL_GEM_OPEN', `0xc010640b') +define(`DRM_IOCTL_GET_CAP', `0xc010640c') +define(`DRM_IOCTL_GET_CLIENT', `0xc0286405') +define(`DRM_IOCTL_GET_CTX', `0xc0086423') +define(`DRM_IOCTL_GET_MAGIC', `0x80046402') +define(`DRM_IOCTL_GET_MAP', `0xc0286404') 
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d') +define(`DRM_IOCTL_GET_STATS', `0x80f86406') +define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401') +define(`DRM_IOCTL_I810_CLEAR', `0x400c6442') +define(`DRM_IOCTL_I810_COPY', `0x40106447') +define(`DRM_IOCTL_I810_DOCOPY', `0x00006448') +define(`DRM_IOCTL_I810_FLIP', `0x0000644e') +define(`DRM_IOCTL_I810_FLUSH', `0x00006443') +define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a') +define(`DRM_IOCTL_I810_GETAGE', `0x00006444') +define(`DRM_IOCTL_I810_GETBUF', `0xc0186445') +define(`DRM_IOCTL_I810_INIT', `0x40406440') +define(`DRM_IOCTL_I810_MC', `0x4020644c') +define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b') +define(`DRM_IOCTL_I810_OV0INFO', `0x80086449') +define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d') +define(`DRM_IOCTL_I810_SWAP', `0x00006446') +define(`DRM_IOCTL_I810_VERTEX', `0x400c6441') +define(`DRM_IOCTL_I915_ALLOC', `0xc0186448') +define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443') +define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b') +define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c') +define(`DRM_IOCTL_I915_FLIP', `0x00006442') +define(`DRM_IOCTL_I915_FLUSH', `0x00006441') +define(`DRM_IOCTL_I915_FREE', `0x40086449') +define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457') +define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d') +define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e') +define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b') +define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459') +define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454') +define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469') +define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463') +define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470') +define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462') +define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453') +define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a') +define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466') +define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e') +define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464') 
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455') +define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c') +define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d') +define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f') +define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f') +define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461') +define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460') +define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458') +define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456') +define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473') +define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c') +define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446') +define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465') +define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472') +define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b') +define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e') +define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451') +define(`DRM_IOCTL_I915_INIT', `0x40446440') +define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a') +define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444') +define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445') +define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468') +define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467') +define(`DRM_IOCTL_I915_REG_READ', `0xc0106471') +define(`DRM_IOCTL_I915_SETPARAM', `0x40086447') +define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b') +define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d') +define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f') +define(`DRM_IOCTL_INFO_BUFS', `0xc0106418') +define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403') +define(`DRM_IOCTL_LOCK', `0x4008642a') +define(`DRM_IOCTL_MAP_BUFS', `0xc0186419') +define(`DRM_IOCTL_MARK_BUFS', `0x40206417') +define(`DRM_IOCTL_MGA_BLIT', `0x40346448') +define(`DRM_IOCTL_MGA_CLEAR', `0x40146444') +define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c') +define(`DRM_IOCTL_MGA_FLUSH', `0x40086441') +define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449') +define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447') 
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DVD_AUTH', `0x00005392')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`ECCGETSTATS', `0x80104d12')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`ENI_SETMULT', `0x40106167')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGVERSION', `0x80044501')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`EVIOCSFF', `0x40304580')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`EVIOCSREP', `0x40084503')
+define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
+define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
+define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
+define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
+define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
+define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_DEFRAGMENT', `0xf508')
+define(`F2FS_IOC_MOVE_RANGE', `0xf509')
+define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
+define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
+define(`F2FS_IOC_GET_FEATURES', `0xf50c')
+define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
+define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
+define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
+define(`F2FS_IOC_RESIZE_FS', `0xf510')
+define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
+define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
+define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
+define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
+define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
+define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
+define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FDCLRPRM', `0x00000241')
+define(`FDDEFPRM', `0x40200243')
+define(`FDEJECT', `0x0000025a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDFMTTRK', `0x400c0248')
+define(`FDGETDRVPRM', `0x80800211')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`FDGETPRM', `0x80200204')
+define(`FDMSGOFF', `0x00000246')
+define(`FDMSGON', `0x00000245')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`FDRAWCMD', `0x00000258')
+define(`FDRESET', `0x00000254')
+define(`FDSETDRVPRM', `0x40800290')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`FDSETPRM', `0x40200242')
+define(`FDTWADDLE', `0x00000259')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDWERRORGET', `0x80280217')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FIBMAP', `0x00000001')
+define(`FIFREEZE', `0xc0045877')
+define(`FIGETBSZ', `0x00000002')
+define(`FIOASYNC', `0x00005452')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
+define(`FIOGETOWN', `0x00008903')
+define(`FIONBIO', `0x00005421')
+define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
+define(`FIOQSIZE', `0x00005460')
+define(`FIOSETOWN', `0x00008901')
+define(`FITHAW', `0xc0045878')
+define(`FITRIM', `0xc0185879')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
+define(`FS_IOC_ENABLE_VERITY', `0x6685')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
+define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
+define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
+define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`GET_DISK_INFO', `0x80140912')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`GIO_CMAP', `0x00004b70')
+define(`GIO_FONT', `0x00004b60')
+define(`GIO_FONTX', `0x00004b6b')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIINQUIRY', `0x800448f0')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HE_GET_REG', `0x40106160')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`HPET_DPI', `0x00006805')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_INFO', `0x80186803')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`HSC_GET_TX', `0x40106b16')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_SET_TX', `0x40106b15')
+define(`I2OEVTGET', `0x8068690b')
+define(`I2OEVTREG', `0x400c690a')
+define(`I2OGETIOPS', `0x80206900')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OHTML', `0xc0306909')
+define(`I2OLCTGET', `0xc0186902')
+define(`I2OPARMGET', `0xc0286904')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OVALIDATE', `0x80046908')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`IMADDTIMER', `0x80044940')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMGETVERSION', `0x80044942')
+define(`IMHOLD_L1', `0x80044948')
+define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
+define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
+define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`IOW_GETINFO', `0x8028c003')
+define(`IOW_READ', `0x4008c002')
+define(`IOW_WRITE', `0x4008c001')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`JSIOCGCORR', `0x80246a22')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDDISABIO', `0x00004b37')
+define(`KDENABIO', `0x00004b36')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDGETLED', `0x00004b31')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDGKBENT', `0x00004b46')
+define(`KDGKBLED', `0x00004b64')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDKBDREP', `0x00004b52')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDMKTONE', `0x00004b30')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSETLED', `0x00004b32')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`KDSKBENT', `0x00004b47')
+define(`KDSKBLED', `0x00004b65')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', 
`0x4008ae90') +define(`KVM_SET_DEBUGREGS', `0x4080aea2') +define(`KVM_SET_DEVICE_ATTR', `0x4018aee1') +define(`KVM_SET_FPU', `0x41a0ae8d') +define(`KVM_SET_GSI_ROUTING', `0x4008ae6a') +define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b') +define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48') +define(`KVM_SET_IRQCHIP', `0x8208ae63') +define(`KVM_SET_LAPIC', `0x4400ae8f') +define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43') +define(`KVM_SET_MEMORY_REGION', `0x4018ae40') +define(`KVM_SET_MP_STATE', `0x4004ae99') +define(`KVM_SET_MSRS', `0x4008ae89') +define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44') +define(`KVM_SET_ONE_REG', `0x4010aeac') +define(`KVM_SET_PIT', `0x8048ae66') +define(`KVM_SET_PIT2', `0x4070aea0') +define(`KVM_SET_REGS', `0x4090ae82') +define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b') +define(`KVM_SET_SREGS', `0x4138ae84') +define(`KVM_SET_TSC_KHZ', `0x0000aea2') +define(`KVM_SET_TSS_ADDR', `0x0000ae47') +define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46') +define(`KVM_SET_VAPIC_ADDR', `0x4008ae93') +define(`KVM_SET_VCPU_EVENTS', `0x4040aea0') +define(`KVM_SET_XCRS', `0x4188aea7') +define(`KVM_SET_XSAVE', `0x5000aea5') +define(`KVM_SIGNAL_MSI', `0x4020aea5') +define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92') +define(`KVM_TRANSLATE', `0xc018ae85') +define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68') +define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d') +define(`KVM_X86_SET_MCE', `0x4040ae9e') +define(`KVM_X86_SETUP_MCE', `0x4008ae9c') +define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a') +define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00') +define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04') +define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01') +define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02') +define(`KYRO_IOCTL_STRIDE', `0x00006b05') +define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03') +define(`LIRC_GET_FEATURES', `0x80046900') +define(`LIRC_GET_LENGTH', `0x8004690f') +define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b') +define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d') 
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909') +define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a') +define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c') +define(`LIRC_GET_MIN_TIMEOUT', `0x80046908') +define(`LIRC_GET_REC_CARRIER', `0x80046904') +define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906') +define(`LIRC_GET_REC_MODE', `0x80046902') +define(`LIRC_GET_REC_RESOLUTION', `0x80046907') +define(`LIRC_GET_SEND_CARRIER', `0x80046903') +define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905') +define(`LIRC_GET_SEND_MODE', `0x80046901') +define(`LIRC_NOTIFY_DECODE', `0x00006920') +define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d') +define(`LIRC_SET_REC_CARRIER', `0x40046914') +define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f') +define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916') +define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e') +define(`LIRC_SET_REC_FILTER', `0x4004691c') +define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a') +define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b') +define(`LIRC_SET_REC_MODE', `0x40046912') +define(`LIRC_SET_REC_TIMEOUT', `0x40046918') +define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919') +define(`LIRC_SET_SEND_CARRIER', `0x40046913') +define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915') +define(`LIRC_SET_SEND_MODE', `0x40046911') +define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917') +define(`LIRC_SETUP_END', `0x00006922') +define(`LIRC_SETUP_START', `0x00006921') +define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923') +define(`LOGGER_FLUSH_LOG', `0x0000ae04') +define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01') +define(`LOGGER_GET_LOG_LEN', `0x0000ae02') +define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03') +define(`LOGGER_GET_VERSION', `0x0000ae05') +define(`LOGGER_SET_VERSION', `0x0000ae06') +define(`LOOP_CHANGE_FD', `0x00004c06') +define(`LOOP_CLR_FD', `0x00004c01') +define(`LOOP_CONFIGURE', `0x00004c0a') +define(`LOOP_CTL_ADD', `0x00004c80') +define(`LOOP_CTL_GET_FREE', `0x00004c82') +define(`LOOP_CTL_REMOVE', `0x00004c81') +define(`LOOP_GET_STATUS', `0x00004c03') 
+define(`LOOP_GET_STATUS64', `0x00004c05') +define(`LOOP_SET_BLOCK_SIZE', `0x00004c09') +define(`LOOP_SET_CAPACITY', `0x00004c07') +define(`LOOP_SET_DIRECT_IO', `0x00004c08') +define(`LOOP_SET_FD', `0x00004c00') +define(`LOOP_SET_STATUS', `0x00004c02') +define(`LOOP_SET_STATUS64', `0x00004c04') +define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb') +define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9') +define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8') +define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa') +define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8') +define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa') +define(`MBXFB_IOCG_ALPHA', `0x8018f401') +define(`MBXFB_IOCS_ALPHA', `0x4018f402') +define(`MBXFB_IOCS_PLANEORDER', `0x8002f403') +define(`MBXFB_IOCS_REG', `0x400cf404') +define(`MBXFB_IOCX_OVERLAY', `0xc030f400') +define(`MBXFB_IOCX_REG', `0xc00cf405') +define(`MCE_GETCLEAR_FLAGS', `0x80044d03') +define(`MCE_GET_LOG_LEN', `0x80044d02') +define(`MCE_GET_RECORD_LEN', `0x80044d01') +define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00') +define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01') +define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02') +define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03') +define(`MEMERASE', `0x40084d02') +define(`MEMERASE64', `0x40104d14') +define(`MEMGETBADBLOCK', `0x40084d0b') +define(`MEMGETINFO', `0x80204d01') +define(`MEMGETOOBSEL', `0x80c84d0a') +define(`MEMGETREGIONCOUNT', `0x80044d07') +define(`MEMGETREGIONINFO', `0xc0104d08') +define(`MEMISLOCKED', `0x80084d17') +define(`MEMLOCK', `0x40084d05') +define(`MEMREADOOB', `0xc0104d04') +define(`MEMREADOOB64', `0xc0184d16') +define(`MEMSETBADBLOCK', `0x40084d0c') +define(`MEMUNLOCK', `0x40084d06') +define(`MEMWRITE', `0xc0304d18') +define(`MEMWRITEOOB', `0xc0104d03') +define(`MEMWRITEOOB64', `0xc0184d15') +define(`MEYEIOC_G_PARAMS', `0x800676c0') +define(`MEYEIOC_QBUF_CAPT', `0x400476c2') +define(`MEYEIOC_S_PARAMS', `0x400676c1') +define(`MEYEIOC_STILLCAPT', `0x000076c4') +define(`MEYEIOC_STILLJCAPT', `0x800476c5') 
+define(`MEYEIOC_SYNC', `0xc00476c3') +define(`MFB_GET_ALPHA', `0x80014d00') +define(`MFB_GET_AOID', `0x80084d04') +define(`MFB_GET_GAMMA', `0x80014d01') +define(`MFB_GET_PIXFMT', `0x80044d08') +define(`MFB_SET_ALPHA', `0x40014d00') +define(`MFB_SET_AOID', `0x40084d04') +define(`MFB_SET_BRIGHTNESS', `0x40014d03') +define(`MFB_SET_CHROMA_KEY', `0x400c4d01') +define(`MFB_SET_GAMMA', `0x40014d01') +define(`MFB_SET_PIXFMT', `0x40044d08') +define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f') +define(`MGSL_IOCGGPIO', `0x80106d11') +define(`MGSL_IOCGIF', `0x00006d0b') +define(`MGSL_IOCGPARAMS', `0x80306d01') +define(`MGSL_IOCGSTATS', `0x00006d07') +define(`MGSL_IOCGTXIDLE', `0x00006d03') +define(`MGSL_IOCGXCTRL', `0x00006d16') +define(`MGSL_IOCGXSYNC', `0x00006d14') +define(`MGSL_IOCLOOPTXDONE', `0x00006d09') +define(`MGSL_IOCRXENABLE', `0x00006d05') +define(`MGSL_IOCSGPIO', `0x40106d10') +define(`MGSL_IOCSIF', `0x00006d0a') +define(`MGSL_IOCSPARAMS', `0x40306d00') +define(`MGSL_IOCSTXIDLE', `0x00006d02') +define(`MGSL_IOCSXCTRL', `0x00006d15') +define(`MGSL_IOCSXSYNC', `0x00006d13') +define(`MGSL_IOCTXABORT', `0x00006d06') +define(`MGSL_IOCTXENABLE', `0x00006d04') +define(`MGSL_IOCWAITEVENT', `0xc0046d08') +define(`MGSL_IOCWAITGPIO', `0xc0106d12') +define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301') +define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305') +define(`MIC_VIRTIO_COPY_DESC', `0xc0087302') +define(`MMC_IOC_CMD', `0xc048b300') +define(`MMTIMER_GETBITS', `0x00006d04') +define(`MMTIMER_GETCOUNTER', `0x80086d09') +define(`MMTIMER_GETFREQ', `0x80086d02') +define(`MMTIMER_GETOFFSET', `0x00006d00') +define(`MMTIMER_GETRES', `0x80086d01') +define(`MMTIMER_MMAPAVAIL', `0x00006d06') +define(`MSMFB_BLIT', `0x40046d02') +define(`MSMFB_GRP_DISP', `0x40046d01') +define(`MTDFILEMODE', `0x00004d13') +define(`MTIOCGET', `0x80306d02') +define(`MTIOCPOS', `0x80086d03') +define(`MTIOCTOP', `0x40086d01') +define(`MTRRIOC_ADD_ENTRY', `0x40104d00') +define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05') 
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02') +define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07') +define(`MTRRIOC_GET_ENTRY', `0xc0184d03') +define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08') +define(`MTRRIOC_KILL_ENTRY', `0x40104d04') +define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09') +define(`MTRRIOC_SET_ENTRY', `0x40104d01') +define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06') +define(`NBD_CLEAR_QUE', `0x0000ab05') +define(`NBD_CLEAR_SOCK', `0x0000ab04') +define(`NBD_DISCONNECT', `0x0000ab08') +define(`NBD_DO_IT', `0x0000ab03') +define(`NBD_PRINT_DEBUG', `0x0000ab06') +define(`NBD_SET_BLKSIZE', `0x0000ab01') +define(`NBD_SET_FLAGS', `0x0000ab0a') +define(`NBD_SET_SIZE', `0x0000ab02') +define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07') +define(`NBD_SET_SOCK', `0x0000ab00') +define(`NBD_SET_TIMEOUT', `0x0000ab09') +define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03') +define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b') +define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c') +define(`NCP_IOC_GET_FS_INFO', `0xc0286e04') +define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04') +define(`NCP_IOC_GETMOUNTUID', `0x40026e02') +define(`NCP_IOC_GETMOUNTUID2', `0x40086e02') +define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09') +define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a') +define(`NCP_IOC_GETROOT', `0x400c6e08') +define(`NCP_IOC_LOCKUNLOCK', `0x80146e07') +define(`NCP_IOC_NCPREQUEST', `0x80106e01') +define(`NCP_IOC_SETCHARSETS', `0x802a6e0b') +define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c') +define(`NCP_IOC_SETOBJECTNAME', `0x80186e09') +define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a') +define(`NCP_IOC_SETROOT', `0x800c6e08') +define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06') +define(`NCP_IOC_SIGN_INIT', `0x80186e05') +define(`NCP_IOC_SIGN_WANTED', `0x80046e06') +define(`NET_ADD_IF', `0xc0066f34') +define(`NET_GET_IF', `0xc0066f36') +define(`NET_REMOVE_IF', `0x00006f35') +define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80') +define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88') +define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81') 
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87') +define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82') +define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83') +define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84') +define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85') +define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86') +define(`NILFS_IOCTL_RESIZE', `0x40086e8b') +define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c') +define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d') +define(`NILFS_IOCTL_SYNC', `0x80086e8a') +define(`NS_ADJBUFLEV', `0x00006163') +define(`NS_GETPSTAT', `0xc0106161') +define(`NS_SETBUFLEV', `0x40106162') +define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41') +define(`NVME_IOCTL_ID', `0x00004e40') +define(`NVME_IOCTL_IO_CMD', `0xc0484e43') +define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42') +define(`NVRAM_INIT', `0x00007040') +define(`NVRAM_SETCKS', `0x00007041') +define(`OLD_PHONE_RING_START', `0x00007187') +define(`OMAPFB_CTRL_TEST', `0x40044f2e') +define(`OMAPFB_GET_CAPS', `0x800c4f2a') +define(`OMAPFB_GET_COLOR_KEY', `0x40104f33') +define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f') +define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b') +define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b') +define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d') +define(`OMAPFB_LCD_TEST', `0x40044f2d') +define(`OMAPFB_MEMORY_READ', `0x80184f3a') +define(`OMAPFB_MIRROR', `0x40044f1f') +define(`OMAPFB_QUERY_MEM', `0x40084f38') +define(`OMAPFB_QUERY_PLANE', `0x40444f35') +define(`OMAPFB_SET_COLOR_KEY', `0x40104f32') +define(`OMAPFB_SET_TEARSYNC', `0x40084f3e') +define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28') +define(`OMAPFB_SETUP_MEM', `0x40084f37') +define(`OMAPFB_SETUP_PLANE', `0x40444f34') +define(`OMAPFB_SYNC_GFX', `0x00004f25') +define(`OMAPFB_UPDATE_WINDOW', `0x40444f36') +define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f') +define(`OMAPFB_VSYNC', `0x00004f26') +define(`OMAPFB_WAITFORGO', `0x00004f3c') +define(`OMAPFB_WAITFORVSYNC', `0x00004f39') +define(`OSD_GET_CAPABILITY', `0x80106fa1') +define(`OSD_SEND_CMD', `0x40206fa0') 
+define(`OSIOCGNETADDR', `0x800489e1') +define(`OSIOCSNETADDR', `0x400489e0') +define(`OSS_GETVERSION', `0x80044d76') +define(`OTPGETREGIONCOUNT', `0x40044d0e') +define(`OTPGETREGIONINFO', `0x400c4d0f') +define(`OTPLOCK', `0x800c4d10') +define(`OTPSELECT', `0x80044d0d') +define(`PACKET_CTRL_CMD', `0xc0185801') +define(`PERF_EVENT_IOC_DISABLE', `0x00002401') +define(`PERF_EVENT_IOC_ENABLE', `0x00002400') +define(`PERF_EVENT_IOC_ID', `0x80082407') +define(`PERF_EVENT_IOC_PERIOD', `0x40082404') +define(`PERF_EVENT_IOC_REFRESH', `0x00002402') +define(`PERF_EVENT_IOC_RESET', `0x00002403') +define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406') +define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405') +define(`PHN_GET_REG', `0xc0087000') +define(`PHN_GETREG', `0xc0087005') +define(`PHN_GET_REGS', `0xc0087002') +define(`PHN_GETREGS', `0xc0287007') +define(`PHN_NOT_OH', `0x00007004') +define(`PHN_SET_REG', `0x40087001') +define(`PHN_SETREG', `0x40087006') +define(`PHN_SET_REGS', `0x40087003') +define(`PHN_SETREGS', `0x40287008') +define(`PHONE_BUSY', `0x000071a1') +define(`PHONE_CAPABILITIES', `0x00007180') +define(`PHONE_CAPABILITIES_CHECK', `0x40087182') +define(`PHONE_CAPABILITIES_LIST', `0x80087181') +define(`PHONE_CPT_STOP', `0x000071a4') +define(`PHONE_DIALTONE', `0x000071a3') +define(`PHONE_DTMF_OOB', `0x40047199') +define(`PHONE_DTMF_READY', `0x80047196') +define(`PHONE_EXCEPTION', `0x8004719a') +define(`PHONE_FRAME', `0x4004718d') +define(`PHONE_GET_DTMF', `0x80047197') +define(`PHONE_GET_DTMF_ASCII', `0x80047198') +define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f') +define(`PHONE_GET_TONE_ON_TIME', `0x0000719e') +define(`PHONE_GET_TONE_STATE', `0x000071a0') +define(`PHONE_HOOKSTATE', `0x00007184') +define(`PHONE_MAXRINGS', `0x40017185') +define(`PHONE_PLAY_CODEC', `0x40047190') +define(`PHONE_PLAY_DEPTH', `0x40047193') +define(`PHONE_PLAY_LEVEL', `0x00007195') +define(`PHONE_PLAY_START', `0x00007191') +define(`PHONE_PLAY_STOP', `0x00007192') +define(`PHONE_PLAY_TONE', 
`0x4001719b') +define(`PHONE_PLAY_VOLUME', `0x40047194') +define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc') +define(`PHONE_PSTN_GET_STATE', `0x000071a5') +define(`PHONE_PSTN_LINETEST', `0x000071a8') +define(`PHONE_PSTN_SET_STATE', `0x400471a4') +define(`PHONE_QUERY_CODEC', `0xc00871a7') +define(`PHONE_REC_CODEC', `0x40047189') +define(`PHONE_REC_DEPTH', `0x4004718c') +define(`PHONE_REC_LEVEL', `0x0000718f') +define(`PHONE_REC_START', `0x0000718a') +define(`PHONE_REC_STOP', `0x0000718b') +define(`PHONE_REC_VOLUME', `0x4004718e') +define(`PHONE_REC_VOLUME_LINEAR', `0x400471db') +define(`PHONE_RING', `0x00007183') +define(`PHONE_RINGBACK', `0x000071a2') +define(`PHONE_RING_CADENCE', `0x40027186') +define(`PHONE_RING_START', `0x40087187') +define(`PHONE_RING_STOP', `0x00007188') +define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d') +define(`PHONE_SET_TONE_ON_TIME', `0x4004719c') +define(`PHONE_VAD', `0x400471a9') +define(`PHONE_WINK', `0x400471aa') +define(`PHONE_WINK_DURATION', `0x400471a6') +define(`PIO_CMAP', `0x00004b71') +define(`PIO_FONT', `0x00004b61') +define(`PIO_FONTRESET', `0x00004b6d') +define(`PIO_FONTX', `0x00004b6c') +define(`PIO_SCRNMAP', `0x00004b41') +define(`PIO_UNIMAP', `0x00004b67') +define(`PIO_UNIMAPCLR', `0x00004b68') +define(`PIO_UNISCRNMAP', `0x00004b6a') +define(`PMU_IOC_CAN_SLEEP', `0x80084205') +define(`PMU_IOC_GET_BACKLIGHT', `0x80084201') +define(`PMU_IOC_GET_MODEL', `0x80084203') +define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206') +define(`PMU_IOC_HAS_ADB', `0x80084204') +define(`PMU_IOC_SET_BACKLIGHT', `0x40084202') +define(`PMU_IOC_SLEEP', `0x00004200') +define(`PPCLAIM', `0x0000708b') +define(`PPCLRIRQ', `0x80047093') +define(`PPDATADIR', `0x40047090') +define(`PPEXCL', `0x0000708f') +define(`PPFCONTROL', `0x4002708e') +define(`PPGETFLAGS', `0x8004709a') +define(`PPGETMODE', `0x80047098') +define(`PPGETMODES', `0x80047097') +define(`PPGETPHASE', `0x80047099') +define(`PPGETTIME', `0x80107095') +define(`PPNEGOT', `0x40047091') 
+define(`PPPIOCATTACH', `0x743d') +define(`PPPIOCATTCHAN', `0x7438') +define(`PPPIOCBUNDLE', `0x7481') +define(`PPPIOCCONNECT', `0x743a') +define(`PPPIOCDETACH', `0x743c') +define(`PPPIOCDISCONN', `0x7439') +define(`PPPIOCGASYNCMAP', `0x7458') +define(`PPPIOCGCALLINFO', `0x7480') +define(`PPPIOCGCHAN', `0x7437') +define(`PPPIOCGCOMPRESSORS', `0x7486') +define(`PPPIOCGDEBUG', `0x7441') +define(`PPPIOCGFLAGS', `0x745a') +define(`PPPIOCGIDLE', `0x743f') +define(`PPPIOCGIFNAME', `0x7488') +define(`PPPIOCGL2TPSTATS', `0x7436') +define(`PPPIOCGMPFLAGS', `0x7482') +define(`PPPIOCGMRU', `0x7453') +define(`PPPIOCGNPMODE', `0x744c') +define(`PPPIOCGRASYNCMAP', `0x7455') +define(`PPPIOCGUNIT', `0x7456') +define(`PPPIOCGXASYNCMAP', `0x7450') +define(`PPPIOCNEWUNIT', `0x743e') +define(`PPPIOCSACTIVE', `0x7446') +define(`PPPIOCSASYNCMAP', `0x7457') +define(`PPPIOCSCOMPRESS', `0x744d') +define(`PPPIOCSCOMPRESSOR', `0x7487') +define(`PPPIOCSDEBUG', `0x7440') +define(`PPPIOCSFLAGS', `0x7459') +define(`PPPIOCSMAXCID', `0x7451') +define(`PPPIOCSMPFLAGS', `0x7483') +define(`PPPIOCSMPMRU', `0x7485') +define(`PPPIOCSMPMTU', `0x7484') +define(`PPPIOCSMRRU', `0x743b') +define(`PPPIOCSMRU', `0x7452') +define(`PPPIOCSNPMODE', `0x744b') +define(`PPPIOCSPASS', `0x7447') +define(`PPPIOCSRASYNCMAP', `0x7454') +define(`PPPIOCSXASYNCMAP', `0x744f') +define(`PPPIOCXFERUNIT', `0x744e') +define(`PPPOEIOCDFWD', `0x0000b101') +define(`PPPOEIOCSFWD', `0x4008b100') +define(`PPRCONTROL', `0x80017083') +define(`PPRDATA', `0x80017085') +define(`PPRELEASE', `0x0000708c') +define(`PPRSTATUS', `0x80017081') +define(`PPSETFLAGS', `0x4004709b') +define(`PPSETMODE', `0x40047080') +define(`PPSETPHASE', `0x40047094') +define(`PPSETTIME', `0x40107096') +define(`PPS_FETCH', `0xc00870a4') +define(`PPS_GETCAP', `0x800870a3') +define(`PPS_GETPARAMS', `0x800870a1') +define(`PPS_KC_BIND', `0x400870a5') +define(`PPS_SETPARAMS', `0x400870a2') +define(`PPWCONTROL', `0x40017084') +define(`PPWCTLONIRQ', `0x40017092') 
+define(`PPWDATA', `0x40017086') +define(`PPYIELD', `0x0000708d') +define(`PROTECT_ARRAY', `0x00000927') +define(`PTP_CLOCK_GETCAPS', `0x80503d01') +define(`PTP_ENABLE_PPS', `0x40043d04') +define(`PTP_EXTTS_REQUEST', `0x40103d02') +define(`PTP_PEROUT_REQUEST', `0x40383d03') +define(`PTP_PIN_GETFUNC', `0xc0603d06') +define(`PTP_PIN_SETFUNC', `0x40603d07') +define(`PTP_SYS_OFFSET', `0x43403d05') +define(`RAID_AUTORUN', `0x00000914') +define(`RAID_VERSION', `0x800c0910') +define(`RAW_GETBIND', `0x0000ac01') +define(`RAW_SETBIND', `0x0000ac00') +define(`REISERFS_IOC_UNPACK', `0x4008cd01') +define(`RESTART_ARRAY_RW', `0x00000934') +define(`RFCOMMCREATEDEV', `0x400452c8') +define(`RFCOMMGETDEVINFO', `0x800452d3') +define(`RFCOMMGETDEVLIST', `0x800452d2') +define(`RFCOMMRELEASEDEV', `0x400452c9') +define(`RFCOMMSTEALDLC', `0x400452dc') +define(`RFKILL_IOCTL_NOINPUT', `0x00005201') +define(`RNDADDENTROPY', `0x40085203') +define(`RNDADDTOENTCNT', `0x40045201') +define(`RNDCLEARPOOL', `0x00005206') +define(`RNDGETENTCNT', `0x80045200') +define(`RNDGETPOOL', `0x80085202') +define(`RNDZAPENTCNT', `0x00005204') +define(`ROCCATIOCGREPSIZE', `0x800448f1') +define(`RTC_AIE_OFF', `0x00007002') +define(`RTC_AIE_ON', `0x00007001') +define(`RTC_ALM_READ', `0x80247008') +define(`RTC_ALM_SET', `0x40247007') +define(`RTC_EPOCH_READ', `0x8008700d') +define(`RTC_EPOCH_SET', `0x4008700e') +define(`RTC_IRQP_READ', `0x8008700b') +define(`RTC_IRQP_SET', `0x4008700c') +define(`RTC_PIE_OFF', `0x00007006') +define(`RTC_PIE_ON', `0x00007005') +define(`RTC_PLL_GET', `0x80207011') +define(`RTC_PLL_SET', `0x40207012') +define(`RTC_RD_TIME', `0x80247009') +define(`RTC_SET_TIME', `0x4024700a') +define(`RTC_UIE_OFF', `0x00007004') +define(`RTC_UIE_ON', `0x00007003') +define(`RTC_VL_CLR', `0x00007014') +define(`RTC_VL_READ', `0x80047013') +define(`RTC_WIE_OFF', `0x00007010') +define(`RTC_WIE_ON', `0x0000700f') +define(`RTC_WKALM_RD', `0x80287010') +define(`RTC_WKALM_SET', `0x4028700f') 
+define(`RUN_ARRAY', `0x400c0930') +define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500') +define(`SAA6588_CMD_CLOSE', `0x40045202') +define(`SAA6588_CMD_POLL', `0x80045204') +define(`SAA6588_CMD_READ', `0x80045203') +define(`SCSI_IOCTL_DOORLOCK', `0x00005380') +define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381') +define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386') +define(`SCSI_IOCTL_GET_IDLUN', `0x00005382') +define(`SCSI_IOCTL_GET_PCI', `0x00005387') +define(`SCSI_IOCTL_PROBE_HOST', `0x00005385') +define(`SET_ARRAY_INFO', `0x40480923') +define(`SET_BITMAP_FILE', `0x4004092b') +define(`SET_DISK_FAULTY', `0x00000929') +define(`SET_DISK_INFO', `0x00000924') +define(`SG_EMULATED_HOST', `0x00002203') +define(`SG_GET_ACCESS_COUNT', `0x00002289') +define(`SG_GET_COMMAND_Q', `0x00002270') +define(`SG_GET_KEEP_ORPHAN', `0x00002288') +define(`SG_GET_LOW_DMA', `0x0000227a') +define(`SG_GET_NUM_WAITING', `0x0000227d') +define(`SG_GET_PACK_ID', `0x0000227c') +define(`SG_GET_REQUEST_TABLE', `0x00002286') +define(`SG_GET_RESERVED_SIZE', `0x00002272') +define(`SG_GET_SCSI_ID', `0x00002276') +define(`SG_GET_SG_TABLESIZE', `0x0000227f') +define(`SG_GET_TIMEOUT', `0x00002202') +define(`SG_GET_TRANSFORM', `0x00002205') +define(`SG_GET_VERSION_NUM', `0x00002282') +define(`SG_IO', `0x00002285') +define(`SG_NEXT_CMD_LEN', `0x00002283') +define(`SG_SCSI_RESET', `0x00002284') +define(`SG_SET_COMMAND_Q', `0x00002271') +define(`SG_SET_DEBUG', `0x0000227e') +define(`SG_SET_FORCE_LOW_DMA', `0x00002279') +define(`SG_SET_FORCE_PACK_ID', `0x0000227b') +define(`SG_SET_KEEP_ORPHAN', `0x00002287') +define(`SG_SET_RESERVED_SIZE', `0x00002275') +define(`SG_SET_TIMEOUT', `0x00002201') +define(`SG_SET_TRANSFORM', `0x00002204') +define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0') +define(`SIOCADDDLCI', `0x00008980') +define(`SIOCADDMULTI', `0x00008931') +define(`SIOCADDRT', `0x0000890b') +define(`SIOCATMARK', `0x00008905') +define(`SIOCBONDCHANGEACTIVE', `0x00008995') +define(`SIOCBONDENSLAVE', `0x00008990') 
+define(`SIOCBONDINFOQUERY', `0x00008994') +define(`SIOCBONDRELEASE', `0x00008991') +define(`SIOCBONDSETHWADDR', `0x00008992') +define(`SIOCBONDSLAVEINFOQUERY', `0x00008993') +define(`SIOCBRADDBR', `0x000089a0') +define(`SIOCBRADDIF', `0x000089a2') +define(`SIOCBRDELBR', `0x000089a1') +define(`SIOCBRDELIF', `0x000089a3') +define(`SIOCDARP', `0x00008953') +define(`SIOCDELDLCI', `0x00008981') +define(`SIOCDELMULTI', `0x00008932') +define(`SIOCDELRT', `0x0000890c') +define(`SIOCDEVPRIVATE', `0x000089f0') +define(`SIOCDEVPRIVATE_1', `0x000089f1') +define(`SIOCDEVPRIVATE_2', `0x000089f2') +define(`SIOCDEVPRIVATE_3', `0x000089f3') +define(`SIOCDEVPRIVATE_4', `0x000089f4') +define(`SIOCDEVPRIVATE_5', `0x000089f5') +define(`SIOCDEVPRIVATE_6', `0x000089f6') +define(`SIOCDEVPRIVATE_7', `0x000089f7') +define(`SIOCDEVPRIVATE_8', `0x000089f8') +define(`SIOCDEVPRIVATE_9', `0x000089f9') +define(`SIOCDEVPRIVATE_A', `0x000089fa') +define(`SIOCDEVPRIVATE_B', `0x000089fb') +define(`SIOCDEVPRIVATE_C', `0x000089fc') +define(`SIOCDEVPRIVATE_D', `0x000089fd') +define(`SIOCDEVPRIVATE_E', `0x000089fe') +define(`SIOCDEVPRIVLAST', `0x000089ff') +define(`SIOCDIFADDR', `0x00008936') +define(`SIOCDRARP', `0x00008960') +define(`SIOCETHTOOL', `0x00008946') +define(`SIOCGARP', `0x00008954') +define(`SIOCGHWTSTAMP', `0x000089b1') +define(`SIOCGIFADDR', `0x00008915') +define(`SIOCGIFBR', `0x00008940') +define(`SIOCGIFBRDADDR', `0x00008919') +define(`SIOCGIFCONF', `0x00008912') +define(`SIOCGIFCOUNT', `0x00008938') +define(`SIOCGIFDSTADDR', `0x00008917') +define(`SIOCGIFENCAP', `0x00008925') +define(`SIOCGIFFLAGS', `0x00008913') +define(`SIOCGIFHWADDR', `0x00008927') +define(`SIOCGIFINDEX', `0x00008933') +define(`SIOCGIFMAP', `0x00008970') +define(`SIOCGIFMEM', `0x0000891f') +define(`SIOCGIFMETRIC', `0x0000891d') +define(`SIOCGIFMTU', `0x00008921') +define(`SIOCGIFNAME', `0x00008910') +define(`SIOCGIFNETMASK', `0x0000891b') +define(`SIOCGIFPFLAGS', `0x00008935') +define(`SIOCGIFSLAVE', `0x00008929') 
+define(`SIOCGIFTXQLEN', `0x00008942') +define(`SIOCGIFVLAN', `0x00008982') +define(`SIOCGIWAP', `0x00008b15') +define(`SIOCGIWAPLIST', `0x00008b17') +define(`SIOCGIWAUTH', `0x00008b33') +define(`SIOCGIWENCODE', `0x00008b2b') +define(`SIOCGIWENCODEEXT', `0x00008b35') +define(`SIOCGIWESSID', `0x00008b1b') +define(`SIOCGIWFRAG', `0x00008b25') +define(`SIOCGIWFREQ', `0x00008b05') +define(`SIOCGIWGENIE', `0x00008b31') +define(`SIOCGIWMODE', `0x00008b07') +define(`SIOCGIWNAME', `0x00008b01') +define(`SIOCGIWNICKN', `0x00008b1d') +define(`SIOCGIWNWID', `0x00008b03') +define(`SIOCGIWPOWER', `0x00008b2d') +define(`SIOCGIWPRIV', `0x00008b0d') +define(`SIOCGIWRANGE', `0x00008b0b') +define(`SIOCGIWRATE', `0x00008b21') +define(`SIOCGIWRETRY', `0x00008b29') +define(`SIOCGIWRTS', `0x00008b23') +define(`SIOCGIWSCAN', `0x00008b19') +define(`SIOCGIWSENS', `0x00008b09') +define(`SIOCGIWSPY', `0x00008b11') +define(`SIOCGIWSTATS', `0x00008b0f') +define(`SIOCGIWTHRSPY', `0x00008b13') +define(`SIOCGIWTXPOW', `0x00008b27') +define(`SIOCGMIIPHY', `0x00008947') +define(`SIOCGMIIREG', `0x00008948') +define(`SIOCGNETADDR', `0x800489e1') +define(`SIOCGPGRP', `0x00008904') +define(`SIOCGRARP', `0x00008961') +define(`SIOCGSTAMP', `0x00008906') +define(`SIOCGSTAMPNS', `0x00008907') +define(`SIOCIWFIRST', `0x00008b00') +define(`SIOCIWFIRSTPRIV_01', `0x00008be1') +define(`SIOCIWFIRSTPRIV_02', `0x00008be2') +define(`SIOCIWFIRSTPRIV_03', `0x00008be3') +define(`SIOCIWFIRSTPRIV_04', `0x00008be4') +define(`SIOCIWFIRSTPRIV_05', `0x00008be5') +define(`SIOCIWFIRSTPRIV_06', `0x00008be6') +define(`SIOCIWFIRSTPRIV_07', `0x00008be7') +define(`SIOCIWFIRSTPRIV_08', `0x00008be8') +define(`SIOCIWFIRSTPRIV_09', `0x00008be9') +define(`SIOCIWFIRSTPRIV_0A', `0x00008bea') +define(`SIOCIWFIRSTPRIV_0B', `0x00008beb') +define(`SIOCIWFIRSTPRIV_0C', `0x00008bec') +define(`SIOCIWFIRSTPRIV_0D', `0x00008bed') +define(`SIOCIWFIRSTPRIV_0E', `0x00008bee') +define(`SIOCIWFIRSTPRIV_0F', `0x00008bef') +define(`SIOCIWFIRSTPRIV', 
`0x00008be0') +define(`SIOCIWFIRSTPRIV_10', `0x00008bf0') +define(`SIOCIWFIRSTPRIV_11', `0x00008bf1') +define(`SIOCIWFIRSTPRIV_12', `0x00008bf2') +define(`SIOCIWFIRSTPRIV_13', `0x00008bf3') +define(`SIOCIWFIRSTPRIV_14', `0x00008bf4') +define(`SIOCIWFIRSTPRIV_15', `0x00008bf5') +define(`SIOCIWFIRSTPRIV_16', `0x00008bf6') +define(`SIOCIWFIRSTPRIV_17', `0x00008bf7') +define(`SIOCIWFIRSTPRIV_18', `0x00008bf8') +define(`SIOCIWFIRSTPRIV_19', `0x00008bf9') +define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa') +define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb') +define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc') +define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd') +define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe') +define(`SIOCIWLASTPRIV', `0x00008bff') +define(`SIOCKILLADDR', `0x00008939') +define(`SIOCMKCLIP', `0x000061e0') +define(`SIOCOUTQNSD', `0x0000894b') +define(`SIOCPROTOPRIVATE', `0x000089e0') +define(`SIOCPROTOPRIVATE_1', `0x000089e1') +define(`SIOCPROTOPRIVATE_2', `0x000089e2') +define(`SIOCPROTOPRIVATE_3', `0x000089e3') +define(`SIOCPROTOPRIVATE_4', `0x000089e4') +define(`SIOCPROTOPRIVATE_5', `0x000089e5') +define(`SIOCPROTOPRIVATE_6', `0x000089e6') +define(`SIOCPROTOPRIVATE_7', `0x000089e7') +define(`SIOCPROTOPRIVATE_8', `0x000089e8') +define(`SIOCPROTOPRIVATE_9', `0x000089e9') +define(`SIOCPROTOPRIVATE_A', `0x000089ea') +define(`SIOCPROTOPRIVATE_B', `0x000089eb') +define(`SIOCPROTOPRIVATE_C', `0x000089ec') +define(`SIOCPROTOPRIVATE_D', `0x000089ed') +define(`SIOCPROTOPRIVATE_E', `0x000089ee') +define(`SIOCPROTOPRIVLAST', `0x000089ef') +define(`SIOCRTMSG', `0x0000890d') +define(`SIOCSARP', `0x00008955') +define(`SIOCSHWTSTAMP', `0x000089b0') +define(`SIOCSIFADDR', `0x00008916') +define(`SIOCSIFATMTCP', `0x00006180') +define(`SIOCSIFBR', `0x00008941') +define(`SIOCSIFBRDADDR', `0x0000891a') +define(`SIOCSIFDSTADDR', `0x00008918') +define(`SIOCSIFENCAP', `0x00008926') +define(`SIOCSIFFLAGS', `0x00008914') +define(`SIOCSIFHWADDR', `0x00008924') +define(`SIOCSIFHWBROADCAST', `0x00008937') 
+define(`SIOCSIFLINK', `0x00008911') +define(`SIOCSIFMAP', `0x00008971') +define(`SIOCSIFMEM', `0x00008920') +define(`SIOCSIFMETRIC', `0x0000891e') +define(`SIOCSIFMTU', `0x00008922') +define(`SIOCSIFNAME', `0x00008923') +define(`SIOCSIFNETMASK', `0x0000891c') +define(`SIOCSIFPFLAGS', `0x00008934') +define(`SIOCSIFSLAVE', `0x00008930') +define(`SIOCSIFTXQLEN', `0x00008943') +define(`SIOCSIFVLAN', `0x00008983') +define(`SIOCSIWAP', `0x00008b14') +define(`SIOCSIWAUTH', `0x00008b32') +define(`SIOCSIWCOMMIT', `0x00008b00') +define(`SIOCSIWENCODE', `0x00008b2a') +define(`SIOCSIWENCODEEXT', `0x00008b34') +define(`SIOCSIWESSID', `0x00008b1a') +define(`SIOCSIWFRAG', `0x00008b24') +define(`SIOCSIWFREQ', `0x00008b04') +define(`SIOCSIWGENIE', `0x00008b30') +define(`SIOCSIWMLME', `0x00008b16') +define(`SIOCSIWMODE', `0x00008b06') +define(`SIOCSIWNICKN', `0x00008b1c') +define(`SIOCSIWNWID', `0x00008b02') +define(`SIOCSIWPMKSA', `0x00008b36') +define(`SIOCSIWPOWER', `0x00008b2c') +define(`SIOCSIWPRIV', `0x00008b0c') +define(`SIOCSIWRANGE', `0x00008b0a') +define(`SIOCSIWRATE', `0x00008b20') +define(`SIOCSIWRETRY', `0x00008b28') +define(`SIOCSIWRTS', `0x00008b22') +define(`SIOCSIWSCAN', `0x00008b18') +define(`SIOCSIWSENS', `0x00008b08') +define(`SIOCSIWSPY', `0x00008b10') +define(`SIOCSIWSTATS', `0x00008b0e') +define(`SIOCSIWTHRSPY', `0x00008b12') +define(`SIOCSIWTXPOW', `0x00008b26') +define(`SIOCSMIIREG', `0x00008949') +define(`SIOCSNETADDR', `0x400489e0') +define(`SIOCSPGRP', `0x00008902') +define(`SIOCSRARP', `0x00008962') +define(`SIOCWANDEV', `0x0000894a') +define(`SISFB_COMMAND', `0xc054f305') +define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303') +define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa') +define(`SISFB_GET_INFO', `0x811cf301') +define(`SISFB_GET_INFO_OLD', `0x80046ef8') +define(`SISFB_GET_INFO_SIZE', `0x8004f300') +define(`SISFB_GET_TVPOSOFFSET', `0x8004f304') +define(`SISFB_GET_VBRSTATUS', `0x8004f302') +define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9') 
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303') +define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa') +define(`SISFB_SET_LOCK', `0x4004f306') +define(`SISFB_SET_TVPOSOFFSET', `0x4004f304') +define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314') +define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304') +define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313') +define(`SNAPSHOT_CREATE_IMAGE', `0x40043311') +define(`SNAPSHOT_FREE', `0x00003305') +define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309') +define(`SNAPSHOT_FREEZE', `0x00003301') +define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e') +define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f') +define(`SNAPSHOT_POWER_OFF', `0x00003310') +define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312') +define(`SNAPSHOT_S2RAM', `0x0000330b') +define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d') +define(`SNAPSHOT_UNFREEZE', `0x00003302') +define(`SNDCTL_COPR_HALT', `0xc0144307') +define(`SNDCTL_COPR_LOAD', `0xcfb04301') +define(`SNDCTL_COPR_RCODE', `0xc0144303') +define(`SNDCTL_COPR_RCVMSG', `0x8fa44309') +define(`SNDCTL_COPR_RDATA', `0xc0144302') +define(`SNDCTL_COPR_RESET', `0x00004300') +define(`SNDCTL_COPR_RUN', `0xc0144306') +define(`SNDCTL_COPR_SENDMSG', `0xcfa44308') +define(`SNDCTL_COPR_WCODE', `0x40144305') +define(`SNDCTL_COPR_WDATA', `0x40144304') +define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041') +define(`SNDCTL_DSP_CHANNELS', `0xc0045006') +define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004') +define(`SNDCTL_DSP_GETCAPS', `0x8004500f') +define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040') +define(`SNDCTL_DSP_GETFMTS', `0x8004500b') +define(`SNDCTL_DSP_GETIPTR', `0x800c5011') +define(`SNDCTL_DSP_GETISPACE', `0x8010500d') +define(`SNDCTL_DSP_GETODELAY', `0x80045017') +define(`SNDCTL_DSP_GETOPTR', `0x800c5012') +define(`SNDCTL_DSP_GETOSPACE', `0x8010500c') +define(`SNDCTL_DSP_GETSPDIF', `0x80045043') +define(`SNDCTL_DSP_GETTRIGGER', `0x80045010') +define(`SNDCTL_DSP_MAPINBUF', `0x80105013') +define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014') +define(`SNDCTL_DSP_NONBLOCK', 
`0x0000500e') +define(`SNDCTL_DSP_POST', `0x00005008') +define(`SNDCTL_DSP_PROFILE', `0x40045017') +define(`SNDCTL_DSP_RESET', `0x00005000') +define(`SNDCTL_DSP_SETDUPLEX', `0x00005016') +define(`SNDCTL_DSP_SETFMT', `0xc0045005') +define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a') +define(`SNDCTL_DSP_SETSPDIF', `0x40045042') +define(`SNDCTL_DSP_SETSYNCRO', `0x00005015') +define(`SNDCTL_DSP_SETTRIGGER', `0x40045010') +define(`SNDCTL_DSP_SPEED', `0xc0045002') +define(`SNDCTL_DSP_STEREO', `0xc0045003') +define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009') +define(`SNDCTL_DSP_SYNC', `0x00005001') +define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f') +define(`SNDCTL_FM_LOAD_INSTR', `0x40285107') +define(`SNDCTL_MIDI_INFO', `0xc074510c') +define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02') +define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01') +define(`SNDCTL_MIDI_PRETIME', `0xc0046d00') +define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103') +define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105') +define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104') +define(`SNDCTL_SEQ_GETTIME', `0x80045113') +define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b') +define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a') +define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112') +define(`SNDCTL_SEQ_PANIC', `0x00005111') +define(`SNDCTL_SEQ_PERCMODE', `0x40045106') +define(`SNDCTL_SEQ_RESET', `0x00005100') +define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109') +define(`SNDCTL_SEQ_SYNC', `0x00005101') +define(`SNDCTL_SEQ_TESTMIDI', `0x40045108') +define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d') +define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115') +define(`SNDCTL_SYNTH_ID', `0xc08c5114') +define(`SNDCTL_SYNTH_INFO', `0xc08c5102') +define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e') +define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116') +define(`SNDCTL_TMR_CONTINUE', `0x00005404') +define(`SNDCTL_TMR_METRONOME', `0x40045407') +define(`SNDCTL_TMR_SELECT', `0x40045408') +define(`SNDCTL_TMR_SOURCE', `0xc0045406') +define(`SNDCTL_TMR_START', `0x00005402') +define(`SNDCTL_TMR_STOP', `0x00005403') +define(`SNDCTL_TMR_TEMPO', 
`0xc0045405') +define(`SNDCTL_TMR_TIMEBASE', `0xc0045401') +define(`SNDRV_COMPRESS_AVAIL', `0x801c4321') +define(`SNDRV_COMPRESS_DRAIN', `0x00004334') +define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310') +define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311') +define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315') +define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313') +define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300') +define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335') +define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336') +define(`SNDRV_COMPRESS_PAUSE', `0x00004330') +define(`SNDRV_COMPRESS_RESUME', `0x00004331') +define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314') +define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312') +define(`SNDRV_COMPRESS_START', `0x00004332') +define(`SNDRV_COMPRESS_STOP', `0x00004333') +define(`SNDRV_COMPRESS_TSTAMP', `0x80144320') +define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501') +define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517') +define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511') +define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510') +define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514') +define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512') +define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519') +define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518') +define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515') +define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513') +define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521') +define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520') +define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531') +define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530') +define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532') +define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0') +define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1') +define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500') +define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541') +define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540') +define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542') 
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516') +define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c') +define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a') +define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b') +define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840') +define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820') +define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822') +define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821') +define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826') +define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825') +define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824') +define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823') +define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812') +define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811') +define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881') +define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884') +define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810') +define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831') +define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830') +define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840') +define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883') +define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880') +define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822') +define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821') +define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820') +define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882') +define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881') +define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884') +define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884') +define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883') +define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882') +define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880') +define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8') +define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9') +define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa') +define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845') +define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841') 
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844') +define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840') +define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843') +define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842') +define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841') +define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846') +define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844') +define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842') +define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847') +define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848') +define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803') +define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802') +define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801') +define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800') +define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132') +define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121') +define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144') +define(`SNDRV_PCM_IOCTL_DROP', `0x00004143') +define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149') +define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112') +define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111') +define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110') +define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122') +define(`SNDRV_PCM_IOCTL_INFO', `0x81204101') +define(`SNDRV_PCM_IOCTL_LINK', `0x40044160') +define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145') +define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140') +define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100') +define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151') +define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153') +define(`SNDRV_PCM_IOCTL_RESET', `0x00004141') +define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147') +define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146') +define(`SNDRV_PCM_IOCTL_START', `0x00004142') +define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120') +define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113') +define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123') +define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102') +define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103') 
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161') +define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150') +define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152') +define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148') +define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731') +define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730') +define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701') +define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710') +define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700') +define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720') +define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810') +define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811') +define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815') +define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816') +define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813') +define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814') +define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812') +define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301') +define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320') +define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332') +define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321') +define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333') +define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310') +define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b') +define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336') +define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345') +define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350') +define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300') +define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351') +define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352') +define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f') 
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e') +define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303') +define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311') +define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c') +define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346') +define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330') +define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302') +define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331') +define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2') +define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403') +define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404') +define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405') +define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411') +define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401') +define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412') +define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3') +define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400') +define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410') +define(`SNDRV_TIMER_IOCTL_START', `0x000054a0') +define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414') +define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1') +define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402') +define(`SONET_CLRDIAG', `0xc0046113') +define(`SONET_GETDIAG', `0x80046114') +define(`SONET_GETFRAMING', `0x80046116') +define(`SONET_GETFRSENSE', `0x80066117') +define(`SONET_GETSTAT', `0x80246110') +define(`SONET_GETSTATZ', `0x80246111') +define(`SONET_SETDIAG', `0xc0046112') +define(`SONET_SETFRAMING', `0x40046115') +define(`SONYPI_IOCGBAT1CAP', `0x80027602') +define(`SONYPI_IOCGBAT1REM', `0x80027603') +define(`SONYPI_IOCGBAT2CAP', `0x80027604') +define(`SONYPI_IOCGBAT2REM', `0x80027605') +define(`SONYPI_IOCGBATFLAGS', `0x80017607') 
+define(`SONYPI_IOCGBLUE', `0x80017608') +define(`SONYPI_IOCGBRT', `0x80017600') +define(`SONYPI_IOCGFAN', `0x8001760a') +define(`SONYPI_IOCGTEMP', `0x8001760c') +define(`SONYPI_IOCSBLUE', `0x40017609') +define(`SONYPI_IOCSBRT', `0x40017600') +define(`SONYPI_IOCSFAN', `0x4001760b') +define(`SOUND_MIXER_3DSE', `0xc0044d68') +define(`SOUND_MIXER_ACCESS', `0xc0804d66') +define(`SOUND_MIXER_AGC', `0xc0044d67') +define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74') +define(`SOUND_MIXER_INFO', `0x805c4d65') +define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f') +define(`SOUND_MIXER_PRIVATE2', `0xc0044d70') +define(`SOUND_MIXER_PRIVATE3', `0xc0044d71') +define(`SOUND_MIXER_PRIVATE4', `0xc0044d72') +define(`SOUND_MIXER_PRIVATE5', `0xc0044d73') +define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75') +define(`SOUND_OLD_MIXER_INFO', `0x80304d65') +define(`SOUND_PCM_READ_BITS', `0x80045005') +define(`SOUND_PCM_READ_CHANNELS', `0x80045006') +define(`SOUND_PCM_READ_FILTER', `0x80045007') +define(`SOUND_PCM_READ_RATE', `0x80045002') +define(`SOUND_PCM_WRITE_FILTER', `0xc0045007') +define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03') +define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02') +define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04') +define(`SPI_IOC_RD_MODE', `0x80016b01') +define(`SPI_IOC_RD_MODE32', `0x80046b05') +define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03') +define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02') +define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04') +define(`SPI_IOC_WR_MODE', `0x40016b01') +define(`SPI_IOC_WR_MODE32', `0x40046b05') +define(`SPIOCSTYPE', `0x40087101') +define(`SSTFB_GET_VGAPASS', `0x800446dd') +define(`SSTFB_SET_VGAPASS', `0x400446dd') +define(`STOP_ARRAY', `0x00000932') +define(`STOP_ARRAY_RO', `0x00000933') +define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700') +define(`SW_SYNC_IOC_INC', `0x40045701') +define(`SYNC_IOC_FENCE_INFO', `0xc0283e02') +define(`SYNC_IOC_MERGE', `0xc0283e01') +define(`SYNC_IOC_WAIT', `0x40043e00') +define(`TCFLSH', `0x0000540b') +define(`TCGETA', `0x00005405') 
+define(`TCGETS2', `0x802c542a') +define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401)) +define(`TCGETX', `0x00005432') +define(`TCSBRK', `0x00005409') +define(`TCSBRKP', `0x00005425') +define(`TCSETA', `0x00005406') +define(`TCSETAF', `0x00005408') +define(`TCSETAW', `0x00005407') +define(`TCSETS', `0x00005402') +define(`TCSETS2', `0x402c542b') +define(`TCSETSF', `0x00005404') +define(`TCSETSF2', `0x402c542d') +define(`TCSETSW', `0x00005403') +define(`TCSETSW2', `0x402c542c') +define(`TCSETX', `0x00005433') +define(`TCSETXF', `0x00005434') +define(`TCSETXW', `0x00005435') +define(`TCXONC', `0x0000540a') +define(`TFD_IOC_SET_TICKS', `0x40085400') +define(`TIOCCBRK', `0x00005428') +define(`TIOCCONS', `0x0000541d') +define(`TIOCEXCL', `0x0000540c') +define(`TIOCGDEV', `0x80045432') +define(`TIOCGETD', `0x00005424') +define(`TIOCGEXCL', `0x80045440') +define(`TIOCGICOUNT', `0x0000545d') +define(`TIOCGLCKTRMIOS', `0x00005456') +define(`TIOCGPGRP', `0x0000540f') +define(`TIOCGPKT', `0x80045438') +define(`TIOCGPTLCK', `0x80045439') +define(`TIOCGPTN', `0x80045430') +define(`TIOCGRS485', `0x0000542e') +define(`TIOCGSERIAL', `0x0000541e') +define(`TIOCGSID', `0x00005429') +define(`TIOCGSOFTCAR', `0x00005419') +define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413)) +define(`TIOCLINUX', `0x0000541c') +define(`TIOCMBIC', `0x00005417') +define(`TIOCMBIS', `0x00005416') +define(`TIOCMGET', `0x00005415') +define(`TIOCMIWAIT', `0x0000545c') +define(`TIOCMSET', `0x00005418') +define(`TIOCNOTTY', `0x00005422') +define(`TIOCNXCL', `0x0000540d') +define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411)) +define(`TIOCPKT', `0x00005420') +define(`TIOCSBRK', `0x00005427') +define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e)) +define(`TIOCSERCONFIG', `0x00005453') +define(`TIOCSERGETLSR', `0x00005459') +define(`TIOCSERGETMULTI', `0x0000545a') +define(`TIOCSERGSTRUCT', `0x00005458') +define(`TIOCSERGWILD', `0x00005454') 
+define(`TIOCSERSETMULTI', `0x0000545b') +define(`TIOCSERSWILD', `0x00005455') +define(`TIOCSETD', `0x00005423') +define(`TIOCSIG', `0x40045436') +define(`TIOCSLCKTRMIOS', `0x00005457') +define(`TIOCSPGRP', `0x00005410') +define(`TIOCSPTLCK', `0x40045431') +define(`TIOCSRS485', `0x0000542f') +define(`TIOCSSERIAL', `0x0000541f') +define(`TIOCSSOFTCAR', `0x0000541a') +define(`TIOCSTI', `0x00005412') +define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414)) +define(`TIOCVHANGUP', `0x00005437') +define(`TOSH_SMM', `0xc0047490') +define(`TUNATTACHFILTER', `0x401054d5') +define(`TUNDETACHFILTER', `0x401054d6') +define(`TUNER_SET_CONFIG', `0x4010645c') +define(`TUNGETFEATURES', `0x800454cf') +define(`TUNGETFILTER', `0x801054db') +define(`TUNGETIFF', `0x800454d2') +define(`TUNGETSNDBUF', `0x800454d3') +define(`TUNGETVNETHDRSZ', `0x800454d7') +define(`TUNGETVNETLE', `0x800454dd') +define(`TUNSETDEBUG', `0x400454c9') +define(`TUNSETGROUP', `0x400454ce') +define(`TUNSETIFF', `0x400454ca') +define(`TUNSETIFINDEX', `0x400454da') +define(`TUNSETLINK', `0x400454cd') +define(`TUNSETNOCSUM', `0x400454c8') +define(`TUNSETOFFLOAD', `0x400454d0') +define(`TUNSETOWNER', `0x400454cc') +define(`TUNSETPERSIST', `0x400454cb') +define(`TUNSETQUEUE', `0x400454d9') +define(`TUNSETSNDBUF', `0x400454d4') +define(`TUNSETTXFILTER', `0x400454d1') +define(`TUNSETVNETHDRSZ', `0x400454d8') +define(`TUNSETVNETLE', `0x400454dc') +define(`UBI_IOCATT', `0x40186f40') +define(`UBI_IOCDET', `0x40046f41') +define(`UBI_IOCEBCH', `0x40044f02') +define(`UBI_IOCEBER', `0x40044f01') +define(`UBI_IOCEBISMAP', `0x80044f05') +define(`UBI_IOCEBMAP', `0x40084f03') +define(`UBI_IOCEBUNMAP', `0x40044f04') +define(`UBI_IOCMKVOL', `0x40986f00') +define(`UBI_IOCRMVOL', `0x40046f01') +define(`UBI_IOCRNVOL', `0x51106f03') +define(`UBI_IOCRSVOL', `0x400c6f02') +define(`UBI_IOCSETVOLPROP', `0x40104f06') +define(`UBI_IOCVOLCRBLK', `0x40804f07') +define(`UBI_IOCVOLRMBLK', `0x00004f08') +define(`UBI_IOCVOLUP', 
`0x40084f00') +define(`UDF_GETEABLOCK', `0x80086c41') +define(`UDF_GETEASIZE', `0x80046c40') +define(`UDF_GETVOLIDENT', `0x80086c42') +define(`UDF_RELOCATE_BLOCKS', `0xc0086c43') +define(`UI_BEGIN_FF_ERASE', `0xc00c55ca') +define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8') +define(`UI_DEV_CREATE', `0x00005501') +define(`UI_DEV_DESTROY', `0x00005502') +define(`UI_END_FF_ERASE', `0x400c55cb') +define(`UI_END_FF_UPLOAD', `0x406855c9') +define(`UI_GET_VERSION', `0x8004552d') +define(`UI_SET_ABSBIT', `0x40045567') +define(`UI_SET_EVBIT', `0x40045564') +define(`UI_SET_FFBIT', `0x4004556b') +define(`UI_SET_KEYBIT', `0x40045565') +define(`UI_SET_LEDBIT', `0x40045569') +define(`UI_SET_MSCBIT', `0x40045568') +define(`UI_SET_PHYS', `0x4008556c') +define(`UI_SET_PROPBIT', `0x4004556e') +define(`UI_SET_RELBIT', `0x40045566') +define(`UI_SET_SNDBIT', `0x4004556a') +define(`UI_SET_SWBIT', `0x4004556d') +define(`UNPROTECT_ARRAY', `0x00000926') +define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c') +define(`USBDEVFS_BULK', `0xc0185502') +define(`USBDEVFS_BULK32', `0xc0105502') +define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f') +define(`USBDEVFS_CLAIM_PORT', `0x80045518') +define(`USBDEVFS_CLEAR_HALT', `0x80045515') +define(`USBDEVFS_CONNECT', `0x00005517') +define(`USBDEVFS_CONNECTINFO', `0x40085511') +define(`USBDEVFS_CONTROL', `0xc0185500') +define(`USBDEVFS_CONTROL32', `0xc0105500') +define(`USBDEVFS_DISCARDURB', `0x0000550b') +define(`USBDEVFS_DISCONNECT', `0x00005516') +define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b') +define(`USBDEVFS_DISCSIGNAL', `0x8010550e') +define(`USBDEVFS_DISCSIGNAL32', `0x8008550e') +define(`USBDEVFS_FREE_STREAMS', `0x8008551d') +define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a') +define(`USBDEVFS_GETDRIVER', `0x41045508') +define(`USBDEVFS_HUB_PORTINFO', `0x80805513') +define(`USBDEVFS_IOCTL', `0xc0105512') +define(`USBDEVFS_IOCTL32', `0xc00c5512') +define(`USBDEVFS_REAPURB', `0x4008550c') +define(`USBDEVFS_REAPURB32', `0x4004550c') +define(`USBDEVFS_REAPURBNDELAY', 
`0x4008550d') +define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d') +define(`USBDEVFS_RELEASEINTERFACE', `0x80045510') +define(`USBDEVFS_RELEASE_PORT', `0x80045519') +define(`USBDEVFS_RESET', `0x00005514') +define(`USBDEVFS_RESETEP', `0x80045503') +define(`USBDEVFS_SETCONFIGURATION', `0x80045505') +define(`USBDEVFS_SETINTERFACE', `0x80085504') +define(`USBDEVFS_SUBMITURB', `0x8038550a') +define(`USBDEVFS_SUBMITURB32', `0x802a550a') +define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04') +define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03') +define(`USBTMC_IOCTL_CLEAR', `0x00005b02') +define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07') +define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06') +define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01') +define(`UVCIOC_CTRL_MAP', `0xc0607520') +define(`UVCIOC_CTRL_QUERY', `0xc0107521') +define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600') +define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601') +define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201') +define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202') +define(`VFIO_CHECK_EXTENSION', `0x00003b65') +define(`VFIO_DEVICE_GET_INFO', `0x00003b6b') +define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d') +define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70') +define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c') +define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71') +define(`VFIO_DEVICE_RESET', `0x00003b6f') +define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e') +define(`VFIO_EEH_PE_OP', `0x00003b79') +define(`VFIO_GET_API_VERSION', `0x00003b64') +define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a') +define(`VFIO_GROUP_GET_STATUS', `0x00003b67') +define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68') +define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69') +define(`VFIO_IOMMU_DISABLE', `0x00003b74') +define(`VFIO_IOMMU_ENABLE', `0x00003b73') +define(`VFIO_IOMMU_GET_INFO', `0x00003b70') +define(`VFIO_IOMMU_MAP_DMA', `0x00003b71') +define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70') +define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72') 
+define(`VFIO_SET_IOMMU', `0x00003b66') +define(`VHOST_GET_FEATURES', `0x8008af00') +define(`VHOST_GET_VRING_BASE', `0xc008af12') +define(`VHOST_NET_SET_BACKEND', `0x4008af30') +define(`VHOST_RESET_OWNER', `0x0000af02') +define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41') +define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42') +define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44') +define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40') +define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43') +define(`VHOST_SET_FEATURES', `0x4008af00') +define(`VHOST_SET_LOG_BASE', `0x4008af04') +define(`VHOST_SET_LOG_FD', `0x4004af07') +define(`VHOST_SET_MEM_TABLE', `0x4008af03') +define(`VHOST_SET_OWNER', `0x0000af01') +define(`VHOST_SET_VRING_ADDR', `0x4028af11') +define(`VHOST_SET_VRING_BASE', `0x4008af12') +define(`VHOST_SET_VRING_CALL', `0x4008af21') +define(`VHOST_SET_VRING_ERR', `0x4008af22') +define(`VHOST_SET_VRING_KICK', `0x4008af20') +define(`VHOST_SET_VRING_NUM', `0x4008af10') +define(`VIDEO_CLEAR_BUFFER', `0x00006f22') +define(`VIDEO_COMMAND', `0xc0486f3b') +define(`VIDEO_CONTINUE', `0x00006f18') +define(`VIDEO_FAST_FORWARD', `0x00006f1f') +define(`VIDEO_FREEZE', `0x00006f17') +define(`VIDEO_GET_CAPABILITIES', `0x80046f21') +define(`VIDEO_GET_EVENT', `0x80206f1c') +define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a') +define(`VIDEO_GET_FRAME_RATE', `0x80046f38') +define(`VIDEO_GET_NAVI', `0x84046f34') +define(`VIDEO_GET_PTS', `0x80086f39') +define(`VIDEO_GET_SIZE', `0x800c6f37') +define(`VIDEO_GET_STATUS', `0x80146f1b') +define(`VIDEO_PLAY', `0x00006f16') +define(`VIDEO_SELECT_SOURCE', `0x00006f19') +define(`VIDEO_SET_ATTRIBUTES', `0x00006f35') +define(`VIDEO_SET_BLANK', `0x00006f1a') +define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d') +define(`VIDEO_SET_FORMAT', `0x00006f25') +define(`VIDEO_SET_HIGHLIGHT', `0x40106f27') +define(`VIDEO_SET_ID', `0x00006f23') +define(`VIDEO_SET_SPU', `0x40086f32') +define(`VIDEO_SET_SPU_PALETTE', `0x40106f33') +define(`VIDEO_SET_STREAMTYPE', `0x00006f24') 
+define(`VIDEO_SET_SYSTEM', `0x00006f26') +define(`VIDEO_SLOWMOTION', `0x00006f20') +define(`VIDEO_STILLPICTURE', `0x40106f1e') +define(`VIDEO_STOP', `0x00006f15') +define(`VIDEO_TRY_COMMAND', `0xc0486f3c') +define(`VIDIOC_CREATE_BUFS', `0xc100565c') +define(`VIDIOC_CROPCAP', `0xc02c563a') +define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666') +define(`VIDIOC_DBG_G_REGISTER', `0xc0385650') +define(`VIDIOC_DBG_S_REGISTER', `0x4038564f') +define(`VIDIOC_DECODER_CMD', `0xc0485660') +define(`VIDIOC_DQBUF', `0xc0585611') +define(`VIDIOC_DQEVENT', `0x80885659') +define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664') +define(`VIDIOC_ENCODER_CMD', `0xc028564d') +define(`VIDIOC_ENUMAUDIO', `0xc0345641') +define(`VIDIOC_ENUMAUDOUT', `0xc0345642') +define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662') +define(`VIDIOC_ENUM_FMT', `0xc0405602') +define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b') +define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a') +define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665') +define(`VIDIOC_ENUMINPUT', `0xc050561a') +define(`VIDIOC_ENUMOUTPUT', `0xc0485630') +define(`VIDIOC_ENUMSTD', `0xc0485619') +define(`VIDIOC_EXPBUF', `0xc0405610') +define(`VIDIOC_G_AUDIO', `0x80345621') +define(`VIDIOC_G_AUDOUT', `0x80345631') +define(`VIDIOC_G_CROP', `0xc014563b') +define(`VIDIOC_G_CTRL', `0xc008561b') +define(`VIDIOC_G_DV_TIMINGS', `0xc0845658') +define(`VIDIOC_G_EDID', `0xc0285628') +define(`VIDIOC_G_ENC_INDEX', `0x8818564c') +define(`VIDIOC_G_EXT_CTRLS', `0xc0205647') +define(`VIDIOC_G_FBUF', `0x8030560a') +define(`VIDIOC_G_FMT', `0xc0d05604') +define(`VIDIOC_G_FREQUENCY', `0xc02c5638') +define(`VIDIOC_G_INPUT', `0x80045626') +define(`VIDIOC_G_JPEGCOMP', `0x808c563d') +define(`VIDIOC_G_MODULATOR', `0xc0445636') +define(`VIDIOC_G_OUTPUT', `0x8004562e') +define(`VIDIOC_G_PARM', `0xc0cc5615') +define(`VIDIOC_G_PRIORITY', `0x80045643') +define(`VIDIOC_G_SELECTION', `0xc040565e') +define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645') +define(`VIDIOC_G_STD', `0x80085617') +define(`VIDIOC_G_TUNER', 
`0xc054561d') +define(`VIDIOC_INT_RESET', `0x40046466') +define(`VIDIOC_LOG_STATUS', `0x00005646') +define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3') +define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5') +define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1') +define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4') +define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2') +define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7') +define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6') +define(`VIDIOC_OVERLAY', `0x4004560e') +define(`VIDIOC_PREPARE_BUF', `0xc058565d') +define(`VIDIOC_QBUF', `0xc058560f') +define(`VIDIOC_QUERYBUF', `0xc0585609') +define(`VIDIOC_QUERYCAP', `0x80685600') +define(`VIDIOC_QUERYCTRL', `0xc0445624') +define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663') +define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667') +define(`VIDIOC_QUERYMENU', `0xc02c5625') +define(`VIDIOC_QUERYSTD', `0x8008563f') +define(`VIDIOC_REQBUFS', `0xc0145608') +define(`VIDIOC_RESERVED', `0x00005601') +define(`VIDIOC_S_AUDIO', `0x40345622') +define(`VIDIOC_S_AUDOUT', `0x40345632') +define(`VIDIOC_S_CROP', `0x4014563c') +define(`VIDIOC_S_CTRL', `0xc008561c') +define(`VIDIOC_S_DV_TIMINGS', `0xc0845657') +define(`VIDIOC_S_EDID', `0xc0285629') +define(`VIDIOC_S_EXT_CTRLS', `0xc0205648') +define(`VIDIOC_S_FBUF', `0x4030560b') +define(`VIDIOC_S_FMT', `0xc0d05605') +define(`VIDIOC_S_FREQUENCY', `0x402c5639') +define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652') +define(`VIDIOC_S_INPUT', `0xc0045627') +define(`VIDIOC_S_JPEGCOMP', `0x408c563e') +define(`VIDIOC_S_MODULATOR', `0x40445637') +define(`VIDIOC_S_OUTPUT', `0xc004562f') +define(`VIDIOC_S_PARM', `0xc0cc5616') +define(`VIDIOC_S_PRIORITY', `0x40045644') +define(`VIDIOC_S_SELECTION', `0xc040565f') +define(`VIDIOC_S_STD', `0x40085618') +define(`VIDIOC_STREAMOFF', `0x40045613') +define(`VIDIOC_STREAMON', `0x40045612') +define(`VIDIOC_S_TUNER', `0x4054561e') +define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664') +define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662') 
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b') +define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a') +define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602') +define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b') +define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658') +define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628') +define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604') +define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615') +define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d') +define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663') +define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c') +define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657') +define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629') +define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605') +define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616') +define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e') +define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a') +define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661') +define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e') +define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649') +define(`VIDIOC_TRY_FMT', `0xc0d05640') +define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b') +define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1') +define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1') +define(`VT_ACTIVATE', `0x00005606') +define(`VT_DISALLOCATE', `0x00005608') +define(`VT_GETHIFONTMASK', `0x0000560d') +define(`VT_GETMODE', `0x00005601') +define(`VT_GETSTATE', `0x00005603') +define(`VT_LOCKSWITCH', `0x0000560b') +define(`VT_OPENQRY', `0x00005600') +define(`VT_RELDISP', `0x00005605') +define(`VT_RESIZE', `0x00005609') +define(`VT_RESIZEX', `0x0000560a') +define(`VT_SENDSIG', `0x00005604') +define(`VT_SETACTIVATE', `0x0000560f') +define(`VT_SETMODE', `0x00005602') +define(`VT_UNLOCKSWITCH', `0x0000560c') +define(`VT_WAITACTIVE', `0x00005607') +define(`VT_WAITEVENT', `0x0000560e') +define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902') +define(`WAN_IOC_ADD_FLT_RULE', `0x00006900') +define(`WDIOC_GETBOOTSTATUS', `0x80045702') +define(`WDIOC_GETPRETIMEOUT', `0x80045709') 
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
diff --git a/prebuilts/api/32.0/public/ioctl_macros b/prebuilts/api/32.0/public/ioctl_macros
new file mode 100644
index 000000000..47a515715
--- /dev/null
+++ b/prebuilts/api/32.0/public/ioctl_macros
@@ -0,0 +1,76 @@ +# socket ioctls allowed to unprivileged apps +define(`unpriv_sock_ioctls', ` +{ +# Socket ioctls for gathering information about the interface +SIOCGSTAMP SIOCGSTAMPNS +SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR +SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN +# Wireless extension ioctls. Primarily get functions. +SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV +SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS +SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER +}') + +# socket ioctls never allowed to unprivileged apps +define(`priv_sock_ioctls', ` +{ +# qualcomm rmnet ioctls +WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX +# socket ioctls +SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR +SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM +SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP +SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI +SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR +SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV +SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP +SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE +SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY +SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP +# device and protocol specific ioctls +SIOCDEVPRIVATE-SIOCDEVPRIVLAST +SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST +# Wireless extension ioctls +SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE +SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST +SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN +SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE 
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH +SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA +# Dev private ioctl i.e. hardware specific ioctls +SIOCIWFIRSTPRIV-SIOCIWLASTPRIV +}') + +# commonly used ioctls on unix sockets +define(`unpriv_unix_sock_ioctls', `{ + TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD +}') + +# commonly used TTY ioctls +# merge with unpriv_unix_sock_ioctls? +define(`unpriv_tty_ioctls', `{ + TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ + TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP +}') + +# point to point ioctls +define(`ppp_ioctls', `{ +PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN +PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH +PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG +PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE +PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP +PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU +PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP +PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO +PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU +PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME +}') + +# unprivileged binder ioctls +define(`unpriv_binder_ioctls', `{ +BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS +BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT +BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF +BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION +}') diff --git a/prebuilts/api/32.0/public/iorap_inode2filename.te b/prebuilts/api/32.0/public/iorap_inode2filename.te new file mode 100644 index 000000000..6f119eedf --- /dev/null +++ b/prebuilts/api/32.0/public/iorap_inode2filename.te 
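Review bot: `SIOCSIWTHRSPY` sits in `unpriv_sock_ioctls` under the comment `# Wireless extension ioctls. Primarily get functions.`, yet by the SIOCSIW* naming it is a set operation, so it should either move to `priv_sock_ioctls` next to the other SIOCSIW* entries or carry a comment explaining why unprivileged apps may issue it. `unpriv_binder_ioctls` similarly lists `BINDER_SET_CONTEXT_MGR` and `BINDER_SET_CONTEXT_MGR_EXT`; presumably those are gated elsewhere (the binder driver's single-manager check and a separate SELinux binder permission) rather than by this allowlist, but a comment such as `# BINDER_SET_CONTEXT_MGR* are additionally gated by the binder driver and the binder:set_context_mgr permission` would stop readers from treating this macro as the enforcement point. The dangling `# merge with unpriv_unix_sock_ioctls?` above `unpriv_tty_ioctls` should become a tracked TODO or be removed. Because this file is a frozen copy under prebuilts/api/32.0, any of these changes has to be made in public/ioctl_macros and re-frozen rather than edited here.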
@@ -0,0 +1,70 @@ +# iorap.inode2filename -> look up file paths from an inode +type iorap_inode2filename, domain; +type iorap_inode2filename_exec, exec_type, file_type, system_file_type; +type iorap_inode2filename_tmpfs, file_type; + +r_dir_file(iorap_inode2filename, rootfs) + +# Allow usage of pipes (child stdout -> parent pipe). +allow iorap_inode2filename iorapd:fd use; +allow iorap_inode2filename iorapd:fifo_file { read write getattr }; + +# Allow reading most files under / ignoring usual access controls. +allow iorap_inode2filename self:capability dac_read_search; + +typeattribute iorap_inode2filename mlstrustedsubject; + +# Grant access to open most of the files under / +allow iorap_inode2filename apex_data_file:dir { getattr open read search }; +allow iorap_inode2filename apex_data_file:file { getattr }; +allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search }; +allow iorap_inode2filename apex_mnt_dir:file { getattr }; +allow iorap_inode2filename apk_data_file:dir { getattr open read search }; +allow iorap_inode2filename apk_data_file:file { getattr }; +allow iorap_inode2filename app_data_file_type:dir { getattr open read search }; +allow iorap_inode2filename app_data_file_type:file { getattr }; +allow iorap_inode2filename backup_data_file:dir { getattr open read search }; +allow iorap_inode2filename backup_data_file:file { getattr }; +allow iorap_inode2filename bootchart_data_file:dir { getattr open read search }; +allow iorap_inode2filename bootchart_data_file:file { getattr }; +allow iorap_inode2filename metadata_file:dir { getattr open read search search }; +allow iorap_inode2filename metadata_file:file { getattr }; +allow iorap_inode2filename packages_list_file:dir { getattr open read search }; +allow iorap_inode2filename packages_list_file:file { getattr }; +allow iorap_inode2filename property_data_file:dir { getattr open read search }; +allow iorap_inode2filename property_data_file:file { getattr }; +allow iorap_inode2filename 
resourcecache_data_file:dir { getattr open read search }; +allow iorap_inode2filename resourcecache_data_file:file { getattr }; +allow iorap_inode2filename recovery_data_file:dir { getattr open read search }; +allow iorap_inode2filename ringtone_file:dir { getattr open read search }; +allow iorap_inode2filename ringtone_file:file { getattr }; +allow iorap_inode2filename same_process_hal_file:dir { getattr open read search }; +allow iorap_inode2filename same_process_hal_file:file { getattr }; +allow iorap_inode2filename sepolicy_file:file { getattr }; +allow iorap_inode2filename staging_data_file:dir { getattr open read search }; +allow iorap_inode2filename staging_data_file:file { getattr }; +allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search }; +allow iorap_inode2filename system_bootstrap_lib_file:file { getattr }; +allow iorap_inode2filename system_data_file:dir { getattr open read search }; +allow iorap_inode2filename system_data_file:file { getattr }; +allow iorap_inode2filename system_data_file:lnk_file { getattr open read }; +allow iorap_inode2filename system_data_root_file:dir { getattr open read search }; +allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search }; +allow iorap_inode2filename textclassifier_data_file:file { getattr }; +allow iorap_inode2filename toolbox_exec:file getattr; +allow iorap_inode2filename user_profile_root_file:dir { getattr open read search }; +allow iorap_inode2filename user_profile_data_file:dir { getattr open read search }; +allow iorap_inode2filename user_profile_data_file:file { getattr }; +allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search }; +allow iorap_inode2filename unlabeled:file { getattr }; +allow iorap_inode2filename vendor_file:dir { getattr open read search }; +allow iorap_inode2filename vendor_file:file { getattr }; +allow iorap_inode2filename vendor_overlay_file:file { getattr }; +allow iorap_inode2filename zygote_exec:file 
{ getattr }; + +### +### neverallow rules +### + +neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition }; +neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *; diff --git a/prebuilts/api/32.0/public/iorap_prefetcherd.te b/prebuilts/api/32.0/public/iorap_prefetcherd.te new file mode 100644 index 000000000..4b218fbbb --- /dev/null +++ b/prebuilts/api/32.0/public/iorap_prefetcherd.te 
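Review bot: The `metadata_file:dir` rule repeats `search` (`{ getattr open read search search }`), which the compiler tolerates but which reads as a copy-paste slip; it should be `allow iorap_inode2filename metadata_file:dir { getattr open read search };`. Worth stating for reviewers of the grant as a whole: with `dac_read_search`, `mlstrustedsubject`, directory read on `app_data_file_type` and `getattr` on nearly every data label including `unlabeled:file`, this helper can enumerate file names across all users' private app data, so the socket neverallow and the `{ domain -init -iorapd }` transition restriction are the only things confining that reach and should not be loosened later. Since this is a frozen prebuilt under prebuilts/api/32.0, the duplicate has to be fixed in public/iorap_inode2filename.te and the API re-frozen.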
@@ -0,0 +1,55 @@ +# volume manager +type iorap_prefetcherd, domain; +type iorap_prefetcherd_exec, exec_type, file_type, system_file_type; +type iorap_prefetcherd_tmpfs, file_type; + +r_dir_file(iorap_prefetcherd, rootfs) + +# Allow read/write /proc/sys/vm/drop/caches +allow iorap_prefetcherd proc_drop_caches:file rw_file_perms; + +# iorap_prefetcherd temporarily changes its priority when running benchmarks +allow iorap_prefetcherd self:global_capability_class_set sys_nice; + +# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters). +allow iorap_prefetcherd iorapd:fd use; +allow iorap_prefetcherd iorapd:fifo_file { read write }; + +# Allow reading most files under / ignoring usual access controls. +allow iorap_prefetcherd self:capability dac_read_search; + +typeattribute iorap_prefetcherd mlstrustedsubject; + +# Grant logcat access +allow iorap_prefetcherd logcat_exec:file { open read }; + +# Grant access to open most of the files under / +allow iorap_prefetcherd apk_data_file:dir { open read search }; +allow iorap_prefetcherd apk_data_file:file { open read }; +allow iorap_prefetcherd app_data_file:dir { open read search }; +allow iorap_prefetcherd app_data_file:file { open read }; +allow iorap_prefetcherd dalvikcache_data_file:dir { open read search }; +allow iorap_prefetcherd dalvikcache_data_file:file{ open read }; +allow iorap_prefetcherd packages_list_file:dir { open read search }; +allow iorap_prefetcherd packages_list_file:file { open read }; +allow iorap_prefetcherd privapp_data_file:dir { open read search }; +allow iorap_prefetcherd privapp_data_file:file { open read }; +allow iorap_prefetcherd same_process_hal_file:dir{ open read search }; +allow iorap_prefetcherd same_process_hal_file:file { open read }; +allow iorap_prefetcherd system_data_file:dir { open read search }; +allow iorap_prefetcherd system_data_file:file { open read }; +allow iorap_prefetcherd system_data_file:lnk_file { open read }; +allow iorap_prefetcherd 
user_profile_root_file:dir { open read search }; +allow iorap_prefetcherd user_profile_data_file:dir { open read search }; +allow iorap_prefetcherd user_profile_data_file:file { open read }; +allow iorap_prefetcherd vendor_overlay_file:dir { open read search }; +allow iorap_prefetcherd vendor_overlay_file:file { open read }; +# Note: Do not add any /vendor labels because they can be customized +# by the vendor and we won't know about them beforehand. + +### +### neverallow rules +### + +neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition }; +neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *; diff --git a/prebuilts/api/32.0/public/iorapd.te b/prebuilts/api/32.0/public/iorapd.te new file mode 100644 index 000000000..b9706994e --- /dev/null +++ b/prebuilts/api/32.0/public/iorapd.te 
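Review bot: The header comment `# volume manager` does not describe this file; it appears to have been copied from vold.te and should read something like `# iorap.prefetcherd -> read-ahead helper that iorapd transitions into`, which is what the `{ domain -init -iorapd }` transition neverallow and the `iorapd:fd use` / `iorapd:fifo_file` rules support. The comment `# Allow read/write /proc/sys/vm/drop/caches` also has the wrong path; the kernel node behind `proc_drop_caches` is `/proc/sys/vm/drop_caches`. Both are comment-only fixes, but because this is a frozen copy under prebuilts/api/32.0 they must be made in public/iorap_prefetcherd.te and re-frozen.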
@@ -0,0 +1,97 @@ +# volume manager +type iorapd, domain; +type iorapd_exec, exec_type, file_type, system_file_type; +type iorapd_tmpfs, file_type; + +r_dir_file(iorapd, rootfs) + +# Allow read/write /proc/sys/vm/drop/caches +allow iorapd proc_drop_caches:file rw_file_perms; + +# Give iorapd a place where only iorapd can store files; everyone else is off limits +allow iorapd iorapd_data_file:dir create_dir_perms; +allow iorapd iorapd_data_file:file create_file_perms; + +# Allow iorapd to publish a binder service and make binder calls. +binder_use(iorapd) +add_service(iorapd, iorapd_service) + +# Allow iorapd to call into the system server so it can check permissions. +binder_call(iorapd, system_server) +allow iorapd permission_service:service_manager find; +# IUserManager +allow iorapd user_service:service_manager find; +# IPackageManagerNative +allow iorapd package_native_service:service_manager find; +# Allow dumpstate (bugreport) to call into iorapd. +allow iorapd dumpstate:fd use; +allow iorapd dumpstate:fifo_file write; + +# talk to batteryservice +binder_call(iorapd, healthd) + +# TODO: does each of the service_manager allow finds above need the binder_call? + +# iorapd temporarily changes its priority when running benchmarks +allow iorapd self:global_capability_class_set sys_nice; + +# Allow to access Perfetto traced's privileged consumer socket to start/stop +# tracing sessions and read trace data. +unix_socket_connect(iorapd, traced_consumer, traced) + +# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time. +allow iorapd system_file:file rx_file_perms; + +# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd. +allow iorapd iorap_inode2filename:process signull; +allow iorapd iorap_prefetcherd:process signull; + +# Allowing system_server to check for the existence and size of files under iorapd +# dir without collecting any sensitive app data. +# This is used to predict if iorapd is doing prefetching or not. 
+allow system_server iorapd_data_file:dir { getattr open read search }; +allow system_server iorapd_data_file:file getattr; + +### +### neverallow rules +### + +neverallow { + domain + -iorapd +} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; + +neverallow { + domain + -init + -iorapd + -system_server +} iorapd_data_file:dir *; + +neverallow { + domain + -kernel + -iorapd +} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr }; + +neverallow { + domain + -init + -kernel + -vendor_init + -iorapd + -system_server +} { iorapd_data_file }:notdevfile_class_set *; + +# Only system_server and shell (for dumpsys) can interact with iorapd over binder +neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find; +neverallow iorapd { + domain + -healthd + -servicemanager + -system_server + userdebug_or_eng(`-su') +}:binder call; + +neverallow { domain -init } iorapd:process { transition dyntransition }; +neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *; diff --git a/prebuilts/api/32.0/public/isolated_app.te b/prebuilts/api/32.0/public/isolated_app.te new file mode 100644 index 000000000..a907dacc2 --- /dev/null +++ b/prebuilts/api/32.0/public/isolated_app.te @@ -0,0 +1,9 @@ +### +### Services with isolatedProcess=true in their manifest. +### +### This file defines the rules for isolated apps. An "isolated +### app" is an APP with UID between AID_ISOLATED_START (99000) +### and AID_ISOLATED_END (99999). +### + +type isolated_app, domain; diff --git a/prebuilts/api/32.0/public/kernel.te b/prebuilts/api/32.0/public/kernel.te new file mode 100644 index 000000000..9aa40ccf1 --- /dev/null +++ b/prebuilts/api/32.0/public/kernel.te 
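Review bot: `allow iorapd system_file:file rx_file_perms;` grants execute on every `system_file` binary with no domain transition, far broader than the stated purpose of running `iorap.cmd.compiler`; if `rx_file_perms` expands to include `execute_no_trans` as in AOSP's global_macros, iorapd can run any system executable inside its own binder- and Perfetto-capable domain. A dedicated exec type for the compiler with a transition into a confined domain, or at minimum a narrower label, would match the pattern used for iorap_inode2filename and iorap_prefetcherd, which get their own exec types and domains in this same change. Separately, the comment `# Only system_server and shell (for dumpsys) can interact with iorapd over binder` disagrees with the rule beneath it, which exempts `dumpstate`, not `shell`; it should read `# Only system_server and dumpstate (for bugreports) can find iorapd over binder`. The header `# volume manager` and the path `/proc/sys/vm/drop/caches` are also carried over incorrectly from vold.te. All of these need to land in public/iorapd.te and be re-frozen, since prebuilts/api/32.0 is a snapshot.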
@@ -0,0 +1,141 @@ +# Life begins with the kernel. +type kernel, domain, mlstrustedsubject; + +allow kernel self:global_capability_class_set sys_nice; + +# Root fs. +r_dir_file(kernel, rootfs) + +# Used to read androidboot.selinux property +allow kernel { + proc_bootconfig + proc_cmdline +}:file r_file_perms; + +# Get SELinux enforcing status. +allow kernel selinuxfs:dir r_dir_perms; +allow kernel selinuxfs:file r_file_perms; + +# Get file contexts during first stage +allow kernel file_contexts_file:file r_file_perms; + +# Allow init relabel itself. +allow kernel rootfs:file relabelfrom; +allow kernel init_exec:file relabelto; +# TODO: investigate why we need this. +allow kernel init:process share; + +# cgroup filesystem initialization prior to setting the cgroup root directory label. +allow kernel unlabeled:dir search; + +# Mount usbfs. +allow kernel usbfs:filesystem mount; +allow kernel usbfs:dir search; + +# Initial setenforce by init prior to switching to init domain. +# We use dontaudit instead of allow to prevent a kernel spawned userspace +# process from turning off SELinux once enabled. +dontaudit kernel self:security setenforce; + +# Write to /proc/1/oom_adj prior to switching to init domain. +allow kernel self:global_capability_class_set sys_resource; + +# Init reboot before switching selinux domains under certain error +# conditions. Allow it. +# As part of rebooting, init writes "u" to /proc/sysrq-trigger to +# remount filesystems read-only. /data is not mounted at this point, +# so we could ignore this. For now, we allow it. +allow kernel self:global_capability_class_set sys_boot; +allow kernel proc_sysrq:file w_file_perms; + +# Allow writing to /dev/kmsg which was created prior to loading policy. +allow kernel tmpfs:chr_file write; + +# Set checkreqprot by init.rc prior to switching to init domain. 
+allow kernel selinuxfs:file write; +allow kernel self:security setcheckreqprot; + +# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723) +allow kernel sdcard_type:file { read write }; + +# f_mtp driver accesses files from kernel context. +allow kernel mediaprovider:fd use; + +# Allow the kernel to read OBB files from app directories. (b/17428116) +# Kernel thread "loop0" reads a vold supplied file descriptor. +# Fixes CTS tests: +# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal +# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs +allow kernel vold:fd use; +allow kernel { app_data_file privapp_data_file }:file read; +allow kernel asec_image_file:file read; + +# Allow mounting loop device in update_engine_unittests. (b/28319454) +# and for LTP kernel tests (b/73220071) +userdebug_or_eng(` + allow kernel update_engine_data_file:file { read write }; + allow kernel nativetest_data_file:file { read write }; +') + +# Access to /data/media. +# This should be removed if sdcardfs is modified to alter the secontext for its +# accesses to the underlying FS. +allow kernel media_rw_data_file:dir create_dir_perms; +allow kernel media_rw_data_file:file create_file_perms; + +# Access to /data/misc/vold/virtual_disk. +allow kernel vold_data_file:file { read write }; + +# Allow the kernel to read APEX file descriptors and (staged) data files; +# Needed because APEX uses the loopback driver, which issues requests from +# a kernel thread in earlier kernel version. +allow kernel apexd:fd use; +allow kernel { + apex_data_file + staging_data_file + vendor_apex_file +}:file read; + +# Allow the first-stage init (which is running in the kernel domain) to execute the +# dynamic linker when it re-executes /init to switch into the second stage. +# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed +# before the domain is switched to the target domain. 
So, we need to allow the kernel +# domain (the source domain) to execute the dynamic linker (system_file type). +# TODO(b/110147943) remove these allow rules when we no longer need to support Linux +# kernel older than 4.8. +allow kernel system_file:file execute; +# The label for the dynamic linker is rootfs in the recovery partition. This is because +# the recovery partition which is rootfs does not support xattr and thus labeling can't be +# done at build-time. All files are by default labeled as rootfs upon booting. +recovery_only(` + allow kernel rootfs:file execute; +') + +# required by VTS lidbm unit test +allow kernel appdomain_tmpfs:file { read write }; + +### +### neverallow rules +### + +# The initial task starts in the kernel domain (assigned via +# initial_sid_contexts), but nothing ever transitions to it. +neverallow * kernel:process { transition dyntransition }; + +# The kernel domain is never entered via an exec, nor should it +# ever execute a program outside the rootfs without changing to another domain. +# If you encounter an execute_no_trans denial on the kernel domain, then +# possible causes include: +# - The program is a kernel usermodehelper. In this case, define a domain +# for the program and domain_auto_trans() to it. +# - You are running an exploit which switched to the init task credentials +# and is then trying to exec a shell or other program. You lose! +neverallow kernel *:file { entrypoint execute_no_trans }; + +# the kernel should not be accessing files owned by other users. +# Instead of adding dac_{read_search,override}, fix the unix permissions +# on files being accessed. +neverallow kernel self:global_capability_class_set { dac_override dac_read_search }; + +# Nobody should be ptracing kernel threads +neverallow * kernel:process ptrace; diff --git a/prebuilts/api/32.0/public/keystore.te b/prebuilts/api/32.0/public/keystore.te new file mode 100644 index 000000000..b7d509059 --- /dev/null 
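Review bot: The comment `# Allow writing to /dev/kmsg which was created prior to loading policy.` understates the rule below it: `allow kernel tmpfs:chr_file write;` permits writes to any character device still carrying the `tmpfs` label, not just /dev/kmsg, since nodes created in /dev before policy load presumably all keep that label until init relabels them. A more accurate comment, for example `# Write to /dev/kmsg (and any other /dev node still labeled tmpfs) created before policy load`, would keep the next maintainer from assuming the grant is kmsg-specific. Two smaller wording fixes in the same hunk: `# Allow init relabel itself.` should be `# Allow init to relabel itself.`, and `VTS lidbm unit test` looks like a typo for a library name and should be checked against the test it refers to. As with the rest of this change, edits belong in public/kernel.te followed by a re-freeze, not in prebuilts/api/32.0.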
+++ b/prebuilts/api/32.0/public/keystore.te
@@ -0,0 +1,45 @@
+type keystore, domain, keystore2_key_type;
+type keystore_exec, system_file_type, exec_type, file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, system_server)
+binder_call(keystore, wificond)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
diff --git a/prebuilts/api/32.0/public/keystore_keys.te b/prebuilts/api/32.0/public/keystore_keys.te
new file mode 100644
index 000000000..3c3598487
--- /dev/null
+++ b/prebuilts/api/32.0/public/keystore_keys.te
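Review bot: The exception in `neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;` is carried into the frozen 32.0 API with a TODO whose self-imposed deadline (`maybe by May 14, 2021?`) is almost a year past at this commit's date, so on userdebug/eng builds crash_dump can still ptrace the key store daemon. Freezing the API makes the exception harder to remove later, so either drop it before the freeze or update the TODO to state the actual blocker rather than a lapsed date, e.g. `# TODO(b/186868271): crash_dump ptrace of keystore still needed for <reason>; track removal there.` Whatever is decided must be changed in public/keystore.te and re-frozen, since this file is a snapshot.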
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
diff --git a/prebuilts/api/32.0/public/llkd.te b/prebuilts/api/32.0/public/llkd.te
new file mode 100644
index 000000000..1faa42995
--- /dev/null
+++ b/prebuilts/api/32.0/public/llkd.te
@@ -0,0 +1,3 @@
+# llkd Live LocK Daemon
+type llkd, domain, mlstrustedsubject;
+type llkd_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/32.0/public/lmkd.te b/prebuilts/api/32.0/public/lmkd.te
new file mode 100644
index 000000000..de6052da8
--- /dev/null
+++ b/prebuilts/api/32.0/public/lmkd.te
@@ -0,0 +1,72 @@ +# lmkd low memory killer daemon +type lmkd, domain, mlstrustedsubject; +type lmkd_exec, system_file_type, exec_type, file_type; + +allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill }; + +# lmkd locks itself in memory, to prevent it from being +# swapped out and unable to kill other memory hogs. +# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35 +# b/16236289 +allow lmkd self:global_capability_class_set ipc_lock; + +## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns +## TODO: maybe scope this down? +r_dir_file(lmkd, domain) +allow lmkd domain:file write; + +## Writes to /sys/module/lowmemorykiller/parameters/minfree +r_dir_file(lmkd, sysfs_lowmemorykiller) +allow lmkd sysfs_lowmemorykiller:file w_file_perms; + +# setsched and send kill signals to any registered process +allow lmkd domain:process { setsched sigkill }; +# TODO: delete this line b/131761776 +allow lmkd kernel:process { setsched }; + +# Clean up old cgroups +allow lmkd cgroup:dir { remove_name rmdir }; +allow lmkd cgroup_v2:dir { remove_name rmdir }; + +# Allow to read memcg stats +allow lmkd cgroup:file r_file_perms; +allow lmkd cgroup_v2:file r_file_perms; + +# Set self to SCHED_FIFO +allow lmkd self:global_capability_class_set sys_nice; + +allow lmkd proc_zoneinfo:file r_file_perms; +allow lmkd proc_vmstat:file r_file_perms; + +# live lock watchdog process allowed to look through /proc/ +allow lmkd domain:dir { search open read }; +allow lmkd domain:file { open read }; + +# live lock watchdog process allowed to dump process trace and +# reboot because orderly shutdown may not be possible. 
+allow lmkd proc_sysrq:file rw_file_perms; + +# Read /proc/lowmemorykiller +allow lmkd proc_lowmemorykiller:file r_file_perms; + +# Read /proc/meminfo +allow lmkd proc_meminfo:file r_file_perms; + +# Read /proc/pressure/cpu and /proc/pressure/io +allow lmkd proc_pressure_cpu:file r_file_perms; +allow lmkd proc_pressure_io:file r_file_perms; + +# Read/Write /proc/pressure/memory +allow lmkd proc_pressure_mem:file rw_file_perms; + +# Allow lmkd to connect during reinit. +allow lmkd lmkd_socket:sock_file write; + +# Allow lmkd to write to statsd. +unix_socket_send(lmkd, statsdw, statsd) + +### neverallow rules + +# never honor LD_PRELOAD +neverallow * lmkd:process noatsecure; +neverallow lmkd self:global_capability_class_set sys_ptrace; diff --git a/prebuilts/api/32.0/public/logd.te b/prebuilts/api/32.0/public/logd.te new file mode 100644 index 000000000..81871798a --- /dev/null +++ b/prebuilts/api/32.0/public/logd.te 
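Review bot: `allow lmkd proc_sysrq:file rw_file_perms;` and the `allow lmkd domain:dir { search open read }` / `allow lmkd domain:file { open read }` pair are justified only by comments about the "live lock watchdog process", but llkd is its own domain in this very change (llkd.te defines `type llkd, domain, mlstrustedsubject;`), so those comments no longer describe lmkd and the grants should be re-justified for lmkd itself or removed in the source policy. Write access to /proc/sysrq-trigger is a strong capability (sysrq keys include crash and reboot), so it deserves an lmkd-specific reason or a drop. Relatedly, `allow lmkd domain:file write;` under `## TODO: maybe scope this down?` grants write on every /proc/PID file of every domain rather than just oom_score_adj and timerslack_ns; if scoping is not feasible, the comment should at least say why. These are prebuilts/api/32.0 snapshot lines, so the edits go to public/lmkd.te and are re-frozen.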
@@ -0,0 +1,74 @@ +# android user-space log manager +type logd, domain, mlstrustedsubject; +type logd_exec, system_file_type, exec_type, file_type; + +# Read access to pseudo filesystems. +r_dir_file(logd, cgroup) +r_dir_file(logd, cgroup_v2) +r_dir_file(logd, proc_kmsg) +r_dir_file(logd, proc_meminfo) + +allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control }; +allow logd self:global_capability2_class_set syslog; +allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write }; +allow logd kernel:system syslog_read; +allow logd kmsg_device:chr_file { getattr w_file_perms }; +allow logd system_data_file:{ file lnk_file } r_file_perms; +allow logd packages_list_file:file r_file_perms; +allow logd pstorefs:dir search; +allow logd pstorefs:file r_file_perms; +userdebug_or_eng(` + # Access to /data/misc/logd/event-log-tags + allow logd misc_logd_file:dir r_dir_perms; + allow logd misc_logd_file:file rw_file_perms; +') +allow logd runtime_event_log_tags_file:file rw_file_perms; + +r_dir_file(logd, domain) + +allow logd kernel:system syslog_mod; + +control_logd(logd) +read_runtime_log_tags(logd) + +allow runtime_event_log_tags_file tmpfs:filesystem associate; +# Typically harmlessly blindly trying to access via liblog +# event tag mapping while in the untrusted_app domain. +# Access for that domain is controlled and gated via the +# event log tag service (albeit at a performance penalty, +# expected to be locally cached). +dontaudit domain runtime_event_log_tags_file:file { map open read }; + +# Logd sets defaults if certain properties are empty. +set_prop(logd, logd_prop) + +### +### Neverallow rules +### +### logd should NEVER do any of this + +# Block device access. +neverallow logd dev_type:blk_file { read write }; + +# ptrace any other app +neverallow logd domain:process ptrace; + +# ... 
and nobody may ptrace me (except on userdebug or eng builds) +neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace; + +# Write to /system. +neverallow logd system_file:dir_file_class_set write; + +# Write to files in /data/data or system files on /data +neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write; + +# Only init is allowed to enter the logd domain via exec() +neverallow { domain -init } logd:process transition; +neverallow * logd:process dyntransition; + +# protect the event-log-tags file +neverallow { + domain + -init + -logd +} runtime_event_log_tags_file:file no_w_file_perms; diff --git a/prebuilts/api/32.0/public/logpersist.te b/prebuilts/api/32.0/public/logpersist.te new file mode 100644 index 000000000..c8e6af4e1 --- /dev/null +++ b/prebuilts/api/32.0/public/logpersist.te @@ -0,0 +1,30 @@ +# android debug logging, logpersist domains +type logpersist, domain; + +# logcatd is a shell script that execs logcat with various parameters. +allow logpersist shell_exec:file rx_file_perms; +allow logpersist logcat_exec:file rx_file_perms; + +### +### Neverallow rules +### +### logpersist should NEVER do any of this + +# Block device access. +neverallow logpersist dev_type:blk_file { read write }; + +# ptrace any other app +neverallow logpersist domain:process ptrace; + +# Write to files in /data/data or system files on /data except misc_logd_file +neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write; + +# Only init should be allowed to enter the logpersist domain via exec() +# Following is a list of debug domains we know that transition to logpersist +# neverallow_with_undefined_domains { +# domain +# -init # goldfish, logcatd, raft +# -mmi # bat, mtp8996, msmcobalt +# -system_app # Smith.apk +# } logpersist:process transition; +neverallow * logpersist:process dyntransition; 
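Review bot: The comment `# ... and nobody may ptrace me (except on userdebug or eng builds)` overstates the exception in the rule beneath it, which on userdebug/eng exempts only `crash_dump` and `llkd`, not every domain; it should read `# ... and nobody may ptrace me (except crash_dump and llkd on userdebug/eng builds)`. The distinction matters because a reader may otherwise believe debug builds leave logd fully ptrace-able and relax the rule to match. This is comment-only, but because this is the frozen 32.0 copy it has to be fixed in public/logd.te and re-frozen.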
diff --git a/prebuilts/api/32.0/public/mdnsd.te b/prebuilts/api/32.0/public/mdnsd.te
new file mode 100644
index 000000000..ef7b065d8
--- /dev/null
+++ b/prebuilts/api/32.0/public/mdnsd.te
@@ -0,0 +1,2 @@
+# mdns daemon
+type mdnsd, domain;
diff --git a/prebuilts/api/32.0/public/mediadrmserver.te b/prebuilts/api/32.0/public/mediadrmserver.te
new file mode 100644
index 000000000..a52295e2c
--- /dev/null
+++ b/prebuilts/api/32.0/public/mediadrmserver.te
@@ -0,0 +1,33 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+# TODO(b/80317992): remove
+binder_call(mediadrmserver, hal_omx_server)
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/32.0/public/mediaextractor.te b/prebuilts/api/32.0/public/mediaextractor.te
new file mode 100644
index 000000000..06f7928f1
--- /dev/null
+++ b/prebuilts/api/32.0/public/mediaextractor.te
@@ -0,0 +1,72 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
+
+allow mediaextractor system_server:fd use;
+
+hal_client_domain(mediaextractor, hal_cas)
+hal_client_domain(mediaextractor, hal_allocator)
+
+r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor sdcard_type:file { getattr read };
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. 
Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+ data_file_type
+ -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+ with_native_coverage(`-method_trace_data_file')
+}:file open;
diff --git a/prebuilts/api/32.0/public/mediametrics.te b/prebuilts/api/32.0/public/mediametrics.te
new file mode 100644
index 000000000..468c0d02c
--- /dev/null
+++ b/prebuilts/api/32.0/public/mediametrics.te
@@ -0,0 +1,45 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, system_file_type, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics { app_data_file privapp_data_file }:file write;
+
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/32.0/public/mediaprovider.te b/prebuilts/api/32.0/public/mediaprovider.te
new file mode 100644
index 000000000..24170a5cf
--- /dev/null
+++ b/prebuilts/api/32.0/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
diff --git a/prebuilts/api/32.0/public/mediaserver.te b/prebuilts/api/32.0/public/mediaserver.te
new file mode 100644
index 000000000..ad460e127
--- /dev/null
+++ b/prebuilts/api/32.0/public/mediaserver.te
@@ -0,0 +1,149 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, system_file_type, exec_type, file_type;
+type mediaserver_tmpfs, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
+allow mediaserver sdcard_type:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For hybrid interfaces
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+# /vendor apk access
+allow mediaserver vendor_app_file:file { read map getattr };
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ 
 pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+# b/120491318 allow mediaserver to access void:fd
+allow mediaserver vold:fd use;
+
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
+hal_client_domain(mediaserver, hal_allocator)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/32.0/public/mediaswcodec.te b/prebuilts/api/32.0/public/mediaswcodec.te
new file mode 100644
index 000000000..5726842a7
--- /dev/null
+++ b/prebuilts/api/32.0/public/mediaswcodec.te
@@ -0,0 +1,27 @@
+type mediaswcodec, domain;
+type mediaswcodec_exec, system_file_type, exec_type, file_type;
+
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
+
+hal_client_domain(mediaswcodec, hal_allocator)
+hal_client_domain(mediaswcodec, hal_graphics_allocator)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
+allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/prebuilts/api/32.0/public/modprobe.te b/prebuilts/api/32.0/public/modprobe.te
new file mode 100644
index 000000000..2c7d64b0b
--- /dev/null
+++ b/prebuilts/api/32.0/public/modprobe.te
@@ -0,0 +1,10 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
+allow modprobe self:global_capability_class_set sys_module;
+allow modprobe kernel:key search;
+recovery_only(`
+ allow modprobe rootfs:system module_load;
+ allow modprobe rootfs:file r_file_perms;
+')
diff --git a/prebuilts/api/32.0/public/mtp.te b/prebuilts/api/32.0/public/mtp.te
new file mode 100644
index 000000000..add63c0f5
--- /dev/null
+++ b/prebuilts/api/32.0/public/mtp.te
@@ -0,0 +1,11 @@
+# vpn tunneling protocol manager
+type mtp, domain;
+type mtp_exec, system_file_type, exec_type, file_type;
+
+net_domain(mtp)
+
+# pptp policy
+allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
+allow mtp self:global_capability_class_set net_raw;
+allow mtp ppp:process signal;
+allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/32.0/public/net.te b/prebuilts/api/32.0/public/net.te
new file mode 100644
index 000000000..e90715e66
--- /dev/null
+++ b/prebuilts/api/32.0/public/net.te
@@ -0,0 +1,39 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/32.0/public/netd.te b/prebuilts/api/32.0/public/netd.te
new file mode 100644
index 000000000..ff0bff6c9
--- /dev/null
+++ b/prebuilts/api/32.0/public/netd.te
@@ -0,0 +1,176 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, system_file_type, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+
+allow netd system_server:fd use;
+
+allow netd self:global_capability_class_set { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:global_capability_class_set fsetid;
+
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
+allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
+
+# Allow netd to write to qtaguid ctrl file.
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file
+# after migration complete
+allow netd proc_qtaguid_ctrl:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
+r_dir_file(netd, proc_net_type)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net_type:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
+# Allows setting interface MTU
+allow netd sysfs_net:file w_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+r_dir_file(netd, cgroup_v2)
+
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write };
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+# work. However, after all the WiFi stuff is gone, we still need them.
+# Why?
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:global_capability_class_set fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+add_service(netd, dnsresolver_service)
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+ icmp_socket
+ tcp_socket
+ udp_socket
+ rawip_socket
+ tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
+
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} netd_service:service_manager find;
+
+# only system_server, dumpstate and network stack app may find dnsresolver service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} dnsresolver_service:service_manager find;
+
+# apps may not interact with netd over binder.
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd kernel:system module_request;
+
+dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/prebuilts/api/32.0/public/netutils_wrapper.te b/prebuilts/api/32.0/public/netutils_wrapper.te
new file mode 100644
index 000000000..27aa7496c
--- /dev/null
+++ b/prebuilts/api/32.0/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, system_file_type, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/32.0/public/network_stack.te b/prebuilts/api/32.0/public/network_stack.te
new file mode 100644
index 000000000..feff66460
--- /dev/null
+++ b/prebuilts/api/32.0/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
diff --git a/prebuilts/api/32.0/public/neverallow_macros b/prebuilts/api/32.0/public/neverallow_macros
new file mode 100644
index 000000000..59fa441d2
--- /dev/null
+++ b/prebuilts/api/32.0/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/prebuilts/api/32.0/public/nfc.te b/prebuilts/api/32.0/public/nfc.te
new file mode 100644
index 000000000..e3a03e796
--- /dev/null
+++ b/prebuilts/api/32.0/public/nfc.te
@@ -0,0 +1,2 @@
+# nfc subsystem
+type nfc, domain;
diff --git a/prebuilts/api/32.0/public/otapreopt_chroot.te b/prebuilts/api/32.0/public/otapreopt_chroot.te
new file mode 100644
index 000000000..db8dd1a1e
--- /dev/null
+++ b/prebuilts/api/32.0/public/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;
diff --git a/prebuilts/api/32.0/public/perfetto.te b/prebuilts/api/32.0/public/perfetto.te
new file mode 100644
index 000000000..cec0e6f09
--- /dev/null
+++ b/prebuilts/api/32.0/public/perfetto.te
@@ -0,0 +1 @@
+type perfetto, domain, coredomain;
diff --git a/prebuilts/api/32.0/public/performanced.te b/prebuilts/api/32.0/public/performanced.te
new file mode 100644
index 000000000..d694fda9d
--- /dev/null
+++ b/prebuilts/api/32.0/public/performanced.te
@@ -0,0 +1,31 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, system_file_type, exec_type, file_type;
+
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads. It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+ dontaudit performanced domain:dir open;
+ dontaudit performanced domain:file { open read getattr };
+')
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/prebuilts/api/32.0/public/platform_app.te b/prebuilts/api/32.0/public/platform_app.te
new file mode 100644
index 000000000..9b1faf0f6
--- /dev/null
+++ b/prebuilts/api/32.0/public/platform_app.te
@@ -0,0 +1,5 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
diff --git a/prebuilts/api/32.0/public/postinstall.te b/prebuilts/api/32.0/public/postinstall.te
new file mode 100644
index 000000000..bcea2dcbf
--- /dev/null
+++ b/prebuilts/api/32.0/public/postinstall.te
@@ -0,0 +1,45 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+ allow postinstall rootfs:file rx_file_perms;
+')
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/32.0/public/ppp.te b/prebuilts/api/32.0/public/ppp.te
new file mode 100644
index 000000000..b736deff5
--- /dev/null
+++ b/prebuilts/api/32.0/public/ppp.te
@@ -0,0 +1,23 @@
+# Point to Point Protocol daemon
+type ppp, domain;
+type ppp_device, dev_type;
+type ppp_exec, system_file_type, exec_type, file_type;
+
+net_domain(ppp)
+
+r_dir_file(ppp, proc_net_type)
+
+allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
+
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
+allow ppp ppp_device:chr_file rw_file_perms;
+allow ppp self:global_capability_class_set net_admin;
+allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
+allow ppp vpn_data_file:dir w_dir_perms;
+allow ppp vpn_data_file:file create_file_perms;
+allow ppp mtp:fd use;
diff --git a/prebuilts/api/32.0/public/priv_app.te b/prebuilts/api/32.0/public/priv_app.te
new file mode 100644
index 000000000..0761fc30f
--- /dev/null
+++ b/prebuilts/api/32.0/public/priv_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+type priv_app, domain;
diff --git a/prebuilts/api/32.0/public/profman.te b/prebuilts/api/32.0/public/profman.te
new file mode 100644
index 000000000..c014d7954
--- /dev/null
+++ b/prebuilts/api/32.0/public/profman.te
@@ -0,0 +1,33 @@
+# profman
+type profman, domain;
+type profman_exec, system_file_type, exec_type, file_type;
+
+allow profman user_profile_data_file:file { getattr read write lock map };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
+allow profman apk_data_file:dir { getattr read search };
+
+allow profman oemfs:file { read map };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
+
+allow profman installd:fd use;
+
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
+allow profman { privapp_data_file app_data_file }:dir { getattr read search };
+
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
+###
+### neverallow rules
+###
+
+neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/prebuilts/api/32.0/public/property.te b/prebuilts/api/32.0/public/property.te
new file mode 100644
index 000000000..2b2af6d19
--- /dev/null
+++ b/prebuilts/api/32.0/public/property.te
@@ -0,0 +1,331 @@
+# Properties used only in /system
+#
+# DO NOT ADD system_internal_prop here.
+# Instead, add to private/property.te.
+# TODO(b/150331497): move these to private/property.te
+system_internal_prop(apexd_prop)
+system_internal_prop(bootloader_boot_reason_prop)
+system_internal_prop(device_config_activity_manager_native_boot_prop)
+system_internal_prop(device_config_boot_count_prop)
+system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
+system_internal_prop(device_config_netd_native_prop)
+system_internal_prop(device_config_reset_performed_prop)
+system_internal_prop(firstboot_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_internal_prop(boottime_prop)
+ system_internal_prop(bpf_progs_loaded_prop)
+ system_internal_prop(charger_prop)
+ system_internal_prop(cold_boot_done_prop)
+ system_internal_prop(ctl_adbd_prop)
+ system_internal_prop(ctl_apexd_prop)
+ system_internal_prop(ctl_bootanim_prop)
+ system_internal_prop(ctl_bugreport_prop)
+ system_internal_prop(ctl_console_prop)
+ system_internal_prop(ctl_dumpstate_prop)
+ system_internal_prop(ctl_fuse_prop)
+ system_internal_prop(ctl_gsid_prop)
+ system_internal_prop(ctl_interface_restart_prop)
+ system_internal_prop(ctl_interface_stop_prop)
+ system_internal_prop(ctl_mdnsd_prop)
+ system_internal_prop(ctl_restart_prop)
+ system_internal_prop(ctl_rildaemon_prop)
+ system_internal_prop(ctl_sigstop_prop)
+ system_internal_prop(dynamic_system_prop)
+ system_internal_prop(heapprofd_enabled_prop)
+ system_internal_prop(llkd_prop)
+ system_internal_prop(lpdumpd_prop)
+ system_internal_prop(mmc_prop)
+ system_internal_prop(mock_ota_prop)
+ system_internal_prop(net_dns_prop)
+ system_internal_prop(overlay_prop)
+ system_internal_prop(persistent_properties_ready_prop)
+ system_internal_prop(safemode_prop)
+ system_internal_prop(system_lmk_prop)
+ system_internal_prop(system_trace_prop)
+ system_internal_prop(test_boot_reason_prop)
+ system_internal_prop(time_prop)
+ system_internal_prop(traced_enabled_prop)
+ system_internal_prop(traced_lazy_prop)
+')
+
+# Properties which can't be written outside system
+system_restricted_prop(aac_drc_prop)
+system_restricted_prop(arm64_memtag_prop)
+system_restricted_prop(binder_cache_bluetooth_server_prop)
+system_restricted_prop(binder_cache_system_server_prop)
+system_restricted_prop(binder_cache_telephony_server_prop)
+system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootanim_system_prop)
+system_restricted_prop(bootloader_prop)
+system_restricted_prop(boottime_public_prop)
+system_restricted_prop(bq_config_prop)
+system_restricted_prop(build_bootimage_prop)
+system_restricted_prop(build_prop)
+system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(fingerprint_prop)
+system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(hypervisor_prop)
+system_restricted_prop(init_service_status_prop)
+system_restricted_prop(libc_debug_prop)
+system_restricted_prop(module_sdkextensions_prop)
+system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(power_debug_prop)
+system_restricted_prop(property_service_version_prop)
+system_restricted_prop(provisioned_prop)
+system_restricted_prop(restorecon_prop)
+system_restricted_prop(retaildemo_prop)
+system_restricted_prop(socket_hook_prop)
+system_restricted_prop(sqlite_log_prop)
+system_restricted_prop(surfaceflinger_display_prop)
+system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(ab_update_gki_prop)
+system_restricted_prop(usb_prop)
+system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vold_status_prop)
+system_restricted_prop(vts_status_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_restricted_prop(config_prop)
+ system_restricted_prop(cppreopt_prop)
+ system_restricted_prop(dalvik_prop)
+ system_restricted_prop(debuggerd_prop)
+ system_restricted_prop(device_logging_prop)
+ system_restricted_prop(dhcp_prop)
+ system_restricted_prop(dumpstate_prop)
+ system_restricted_prop(exported3_system_prop)
+ system_restricted_prop(exported_dumpstate_prop)
+ system_restricted_prop(exported_secure_prop)
+ system_restricted_prop(heapprofd_prop)
+ system_restricted_prop(net_radio_prop)
+ system_restricted_prop(pan_result_prop)
+ system_restricted_prop(persist_debug_prop)
+ system_restricted_prop(shell_prop)
+ system_restricted_prop(test_harness_prop)
+ system_restricted_prop(theme_prop)
+ system_restricted_prop(use_memfd_prop)
+ system_restricted_prop(vold_prop)
+')
+
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(apexd_config_prop)
+system_vendor_config_prop(aaudio_config_prop)
+system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(build_config_prop)
+system_vendor_config_prop(build_odm_prop)
+system_vendor_config_prop(build_vendor_prop)
+system_vendor_config_prop(camera_calibration_prop)
+system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camera2_extensions_prop)
+system_vendor_config_prop(camerax_extensions_prop)
+system_vendor_config_prop(charger_config_prop)
+system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(cpu_variant_prop)
+system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
+system_vendor_config_prop(drm_service_config_prop)
+system_vendor_config_prop(exported_camera_prop)
+system_vendor_config_prop(exported_config_prop)
+system_vendor_config_prop(exported_default_prop)
+system_vendor_config_prop(ffs_config_prop)
+system_vendor_config_prop(framework_watchdog_config_prop)
+system_vendor_config_prop(graphics_config_prop)
+system_vendor_config_prop(hdmi_config_prop)
+system_vendor_config_prop(hw_timeout_multiplier_prop)
+system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(keyguard_config_prop)
+system_vendor_config_prop(lmkd_config_prop)
+system_vendor_config_prop(media_config_prop)
+system_vendor_config_prop(media_variant_prop)
+system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(mm_events_config_prop)
+system_vendor_config_prop(oem_unlock_prop)
+system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(sendbug_config_prop)
+system_vendor_config_prop(soc_prop)
+system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(storagemanager_config_prop)
+system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(suspend_prop)
+system_vendor_config_prop(systemsound_config_prop)
+system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(tombstone_config_prop)
+system_vendor_config_prop(usb_config_prop)
+system_vendor_config_prop(userspace_reboot_config_prop)
+system_vendor_config_prop(vehicle_hal_prop)
+system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vendor_socket_hook_prop)
+system_vendor_config_prop(virtual_ab_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(vts_config_prop)
+system_vendor_config_prop(vold_config_prop)
+system_vendor_config_prop(wifi_config_prop)
+system_vendor_config_prop(zram_config_prop)
+system_vendor_config_prop(zygote_config_prop)
+system_vendor_config_prop(dck_prop)
+
+# Properties with no restrictions
+system_public_prop(adbd_config_prop)
+system_public_prop(audio_prop)
+system_public_prop(bluetooth_a2dp_offload_prop)
+system_public_prop(bluetooth_audio_hal_prop)
+system_public_prop(bluetooth_prop)
+system_public_prop(ctl_default_prop)
+system_public_prop(ctl_interface_start_prop)
+system_public_prop(ctl_start_prop)
+system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_runtime_prop)
+system_public_prop(debug_prop)
+system_public_prop(dumpstate_options_prop)
+system_public_prop(exported_system_prop)
+system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_overlay_prop)
+system_public_prop(exported_pm_prop)
+system_public_prop(ffs_control_prop)
+system_public_prop(hal_dumpstate_config_prop)
+system_public_prop(sota_prop)
+system_public_prop(hwservicemanager_prop)
+system_public_prop(lmkd_prop)
+system_public_prop(logd_prop)
+system_public_prop(logpersistd_logging_prop)
+system_public_prop(log_prop)
+system_public_prop(log_tag_prop)
+system_public_prop(lowpan_prop)
+system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
+system_public_prop(powerctl_prop)
+system_public_prop(qemu_hw_prop)
+system_public_prop(qemu_sf_lcd_density_prop)
+system_public_prop(radio_control_prop)
+system_public_prop(radio_prop)
+system_public_prop(serialno_prop)
+system_public_prop(surfaceflinger_color_prop)
+system_public_prop(system_prop)
+system_public_prop(telephony_status_prop)
+system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
+system_public_prop(wifi_hal_prop)
+system_public_prop(wifi_log_prop)
+system_public_prop(wifi_prop)
+system_public_prop(zram_control_prop)
+
+# Properties which don't have entries on property_contexts
+system_internal_prop(default_prop)
+
+# Properties used in default HAL implementations
+vendor_internal_prop(rebootescrow_hal_prop)
+
+vendor_public_prop(persist_vendor_debug_wifi_prop)
+
+# Properties which are public for devices launching with Android O or earlier
+# This should not be used for any new properties.
+not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_public_prop(boottime_prop)
+ system_public_prop(bpf_progs_loaded_prop)
+ system_public_prop(charger_prop)
+ system_public_prop(cold_boot_done_prop)
+ system_public_prop(ctl_adbd_prop)
+ system_public_prop(ctl_apexd_prop)
+ system_public_prop(ctl_bootanim_prop)
+ system_public_prop(ctl_bugreport_prop)
+ system_public_prop(ctl_console_prop)
+ system_public_prop(ctl_dumpstate_prop)
+ system_public_prop(ctl_fuse_prop)
+ system_public_prop(ctl_gsid_prop)
+ system_public_prop(ctl_interface_restart_prop)
+ system_public_prop(ctl_interface_stop_prop)
+ system_public_prop(ctl_mdnsd_prop)
+ system_public_prop(ctl_restart_prop)
+ system_public_prop(ctl_rildaemon_prop)
+ system_public_prop(ctl_sigstop_prop)
+ system_public_prop(dynamic_system_prop)
+ system_public_prop(heapprofd_enabled_prop)
+ system_public_prop(llkd_prop)
+ system_public_prop(lpdumpd_prop)
+ system_public_prop(mmc_prop)
+ system_public_prop(mock_ota_prop)
+ system_public_prop(net_dns_prop)
+ system_public_prop(overlay_prop)
+ system_public_prop(persistent_properties_ready_prop)
+ system_public_prop(safemode_prop)
+ system_public_prop(system_lmk_prop)
+ system_public_prop(system_trace_prop)
+ system_public_prop(test_boot_reason_prop)
+ system_public_prop(time_prop)
+ system_public_prop(traced_enabled_prop)
+ system_public_prop(traced_lazy_prop)
+
+ system_public_prop(config_prop)
+ system_public_prop(cppreopt_prop)
+ system_public_prop(dalvik_prop)
+ system_public_prop(debuggerd_prop)
+ system_public_prop(device_logging_prop)
+ system_public_prop(dhcp_prop)
+ system_public_prop(dumpstate_prop)
+ system_public_prop(exported3_system_prop)
+ system_public_prop(exported_dumpstate_prop)
+ system_public_prop(exported_secure_prop)
+ system_public_prop(heapprofd_prop)
+ system_public_prop(net_radio_prop)
+ system_public_prop(pan_result_prop)
+ system_public_prop(persist_debug_prop)
+ system_public_prop(shell_prop)
+ system_public_prop(test_harness_prop)
+ system_public_prop(theme_prop)
+ system_public_prop(use_memfd_prop)
+ system_public_prop(vold_prop)
+')
+
+not_compatible_property(`
+ vendor_public_prop(vendor_default_prop)
+')
+
+compatible_property_only(`
+ vendor_internal_prop(vendor_default_prop)
+')
+
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+typeattribute audio_prop core_property_type;
+typeattribute config_prop core_property_type;
+typeattribute cppreopt_prop core_property_type;
+typeattribute dalvik_prop core_property_type;
+typeattribute debuggerd_prop core_property_type;
+typeattribute debug_prop core_property_type;
+typeattribute dhcp_prop core_property_type;
+typeattribute dumpstate_prop core_property_type;
+typeattribute logd_prop core_property_type;
+typeattribute net_radio_prop core_property_type;
+typeattribute nfc_prop core_property_type;
+typeattribute ota_prop core_property_type;
+typeattribute pan_result_prop core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop core_property_type;
+typeattribute radio_prop core_property_type;
+typeattribute restorecon_prop core_property_type;
+typeattribute shell_prop core_property_type;
+typeattribute system_prop core_property_type;
+typeattribute usb_prop core_property_type;
+typeattribute vold_prop core_property_type;
+
diff --git a/prebuilts/api/32.0/public/racoon.te b/prebuilts/api/32.0/public/racoon.te
new file mode 100644
index 000000000..e4b299e98
--- /dev/null
+++ b/prebuilts/api/32.0/public/racoon.te
@@ -0,0 +1,35 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, system_file_type, exec_type, file_type;
+
+typeattribute racoon mlstrustedsubject;
+
+net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
+
+binder_use(racoon)
+
+allow racoon tun_device:chr_file r_file_perms;
+allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
+allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
+allow racoon kernel:system module_request;
+
+allow racoon self:key_socket create_socket_perms_no_ioctl;
+allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
diff --git a/prebuilts/api/32.0/public/radio.te b/prebuilts/api/32.0/public/radio.te
new file mode 100644
index 000000000..e03b706e9
--- /dev/null
+++ b/prebuilts/api/32.0/public/radio.te
@@ -0,0 +1,36 @@
+# phone subsystem
+type radio, domain, mlstrustedsubject;
+
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;
diff --git a/prebuilts/api/32.0/public/recovery.te b/prebuilts/api/32.0/public/recovery.te
new file mode 100644
index 000000000..33658e86f
--- /dev/null
+++ b/prebuilts/api/32.0/public/recovery.te
@@ -0,0 +1,167 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type recovery, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Allow recovery to perform an update as update_engine would do.
+ typeattribute recovery update_engine_common;
+ # Recovery can only use HALs in passthrough mode
+ passthrough_hal_client_domain(recovery, hal_bootctl)
+
+ allow recovery self:global_capability_class_set {
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ setuid
+ setgid
+ sys_admin
+ sys_tty_config
+ };
+
+ # Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
+ allow recovery rootfs:file execute_no_trans;
+ allow recovery system_file:file execute_no_trans;
+ allow recovery toolbox_exec:file rx_file_perms;
+
+ # Mount filesystems.
+ allow recovery rootfs:dir mounton;
+ allow recovery tmpfs:dir mounton;
+ allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
+ allow recovery unlabeled:filesystem ~relabelto;
+ allow recovery contextmount_type:filesystem relabelto;
+
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
+
+ # Write to /proc/sys/vm/drop_caches
+ allow recovery proc_drop_caches:file w_file_perms;
+
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
+ # Write to /sys/class/android_usb/android0/enable.
+ r_dir_file(recovery, sysfs_android_usb)
+ allow recovery sysfs_android_usb:file w_file_perms;
+
+ # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+ allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
+ allow recovery sysfs_batteryinfo:file r_file_perms;
+
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
+ # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+ # control backlight brightness.
+ allow recovery sysfs_leds:dir r_dir_perms;
+ allow recovery sysfs_leds:file rw_file_perms;
+ allow recovery sysfs_leds:lnk_file read;
+
+ allow recovery kernel:system syslog_read;
+
+ # Access /dev/usb-ffs/adb/ep0
+ allow recovery functionfs:dir search;
+ allow recovery functionfs:file rw_file_perms;
+ allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+
+ # Access to /sys/fs/selinux/policyvers for compatibility check
+ allow recovery selinuxfs:file r_file_perms;
+
+ # Required to e.g. wipe userdata/cache.
+ allow recovery device:dir r_dir_perms;
+ allow recovery block_device:dir r_dir_perms;
+ allow recovery dev_type:blk_file rw_file_perms;
+ allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
+
+ # GUI
+ allow recovery graphics_device:chr_file rw_file_perms;
+ allow recovery graphics_device:dir r_dir_perms;
+ allow recovery input_device:dir r_dir_perms;
+ allow recovery input_device:chr_file r_file_perms;
+ allow recovery tty_device:chr_file rw_file_perms;
+
+ # Create /tmp/recovery.log and execute /tmp/update_binary.
+ allow recovery tmpfs:file { create_file_perms x_file_perms };
+ allow recovery tmpfs:dir create_dir_perms;
+
+ # Manage files on /cache and /cache/recovery
+ allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+ allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+ # Read /sys/class/thermal/*/temp for thermal info.
+ r_dir_file(recovery, sysfs_thermal)
+
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
+ # Use setfscreatecon() to label files for OTA updates.
+ allow recovery self:process setfscreate;
+
+ # Allow recovery to create a fuse filesystem, and read files from it.
+ allow recovery fuse_device:chr_file rw_file_perms;
+ allow recovery fuse:dir r_dir_perms;
+ allow recovery fuse:file r_file_perms;
+
+ wakelock_use(recovery)
+
+ # This line seems suspect, as it should not really need to
+ # set scheduling parameters for a kernel domain task.
+ allow recovery kernel:process setsched;
+
+ # These are needed to update dynamic partitions in recovery.
+ r_dir_file(recovery, sysfs_dm)
+ allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ allow recovery gsi_metadata_file_type:dir search;
+ allow recovery ota_metadata_file:dir rw_dir_perms;
+ allow recovery ota_metadata_file:file create_file_perms;
+
+ # Allow mounting /metadata for writing update states
+ allow recovery metadata_file:dir { getattr mounton };
+
+ # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+ allow recovery devpts:chr_file rw_file_perms;
+ allow recovery kmsg_device:chr_file { getattr w_file_perms };
+')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir no_w_dir_perms;
diff --git a/prebuilts/api/32.0/public/recovery_persist.te b/prebuilts/api/32.0/public/recovery_persist.te
new file mode 100644
index 000000000..d4b456201
--- /dev/null
+++ b/prebuilts/api/32.0/public/recovery_persist.te
@@ -0,0 +1,32 @@
+# android recovery persistent log manager
+type recovery_persist, domain;
+type recovery_persist_exec, system_file_type, exec_type, file_type;
+
+allow recovery_persist pstorefs:dir search;
+allow recovery_persist pstorefs:file r_file_perms;
+
+allow recovery_persist recovery_data_file:file create_file_perms;
+allow recovery_persist recovery_data_file:dir create_dir_perms;
+
+allow recovery_persist cache_file:dir search;
+allow recovery_persist cache_file:lnk_file read;
+allow recovery_persist cache_recovery_file:dir rw_dir_perms;
+allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
+
+###
+### Neverallow rules
+###
+### recovery_persist should NEVER do any of this
+
+# Block device access.
+neverallow recovery_persist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_persist domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_persist system_file:dir_file_class_set write;
+
+# Write to files in /data/data
+neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+
diff --git a/prebuilts/api/32.0/public/recovery_refresh.te b/prebuilts/api/32.0/public/recovery_refresh.te
new file mode 100644
index 000000000..d6870dcb2
--- /dev/null
+++ b/prebuilts/api/32.0/public/recovery_refresh.te
@@ -0,0 +1,24 @@
+# android recovery refresh log manager
+type recovery_refresh, domain;
+type recovery_refresh_exec, system_file_type, exec_type, file_type;
+
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/32.0/public/roles b/prebuilts/api/32.0/public/roles
new file mode 100644
index 000000000..ca9293439
--- /dev/null
+++ b/prebuilts/api/32.0/public/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/prebuilts/api/32.0/public/rs.te b/prebuilts/api/32.0/public/rs.te
new file mode 100644
index 000000000..16b6e9630
--- /dev/null
+++ b/prebuilts/api/32.0/public/rs.te
@@ -0,0 +1,2 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/32.0/public/rss_hwm_reset.te b/prebuilts/api/32.0/public/rss_hwm_reset.te
new file mode 100644
index 000000000..163e1acde
--- /dev/null
+++ b/prebuilts/api/32.0/public/rss_hwm_reset.te
@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
diff --git a/prebuilts/api/32.0/public/runas.te b/prebuilts/api/32.0/public/runas.te
new file mode 100644
index 000000000..356a0190c
--- /dev/null
+++ b/prebuilts/api/32.0/public/runas.te
@@ -0,0 +1,43 @@
+type runas, domain, mlstrustedsubject;
+type runas_exec, system_file_type, exec_type, file_type;
+
+allow runas adbd:fd use;
+allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
+allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
+allow runas packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:global_capability_class_set { setuid setgid };
+
+# run-as switches to the app security context.
+selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
+allow runas non_system_app_set:process dyntransition; # setcon
+
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/prebuilts/api/32.0/public/runas_app.te b/prebuilts/api/32.0/public/runas_app.te
new file mode 100644
index 000000000..cdaa799c9
--- /dev/null
+++ b/prebuilts/api/32.0/public/runas_app.te
@@ -0,0 +1 @@
+type runas_app, domain;
diff --git a/prebuilts/api/32.0/public/scheduler_service_server.te b/prebuilts/api/32.0/public/scheduler_service_server.te
new file mode 100644
index 000000000..b3cede168
--- /dev/null
+++ b/prebuilts/api/32.0/public/scheduler_service_server.te
@@ -0,0 +1 @@
+add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
diff --git a/prebuilts/api/32.0/public/sdcardd.te b/prebuilts/api/32.0/public/sdcardd.te
new file mode 100644
index 000000000..bb1c919e8
--- /dev/null
+++ b/prebuilts/api/32.0/public/sdcardd.te
@@ -0,0 +1,46 @@
+type sdcardd, domain;
+type sdcardd_exec, system_file_type, exec_type, file_type;
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
+allow sdcardd tmpfs:dir r_dir_perms;
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
+allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
+
+allow sdcardd sdcard_type:dir create_dir_perms;
+allow sdcardd sdcard_type:file create_file_perms;
+
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+allow sdcardd packages_list_file:file r_file_perms;
+
+# Read /data/misc/installd/layout_version
+allow sdcardd install_data_file:file r_file_perms;
+allow sdcardd install_data_file:dir search;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
+
+# access /proc/filesystems
+allow sdcardd proc_filesystems:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/32.0/public/secure_element.te b/prebuilts/api/32.0/public/secure_element.te
new file mode 100644
index 000000000..4ce6714f6
--- /dev/null
+++ b/prebuilts/api/32.0/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/prebuilts/api/32.0/public/sensor_service_server.te b/prebuilts/api/32.0/public/sensor_service_server.te
new file mode 100644
index 000000000..7c526a5f3
--- /dev/null
+++ b/prebuilts/api/32.0/public/sensor_service_server.te
@@ -0,0 +1 @@
+add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/prebuilts/api/32.0/public/service.te b/prebuilts/api/32.0/public/service.te
new file mode 100644
index 000000000..ba7837d56
--- /dev/null
+++ b/prebuilts/api/32.0/public/service.te
@@ -0,0 +1,279 @@ +type aidl_lazy_test_service, service_manager_type; +type apc_service, service_manager_type; +type apex_service, service_manager_type; +type audioserver_service, service_manager_type; +type authorization_service, service_manager_type; +type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type; +type bluetooth_service, service_manager_type; +type cameraserver_service, service_manager_type; +type default_android_service, service_manager_type; +type dnsresolver_service, service_manager_type; +type drmserver_service, service_manager_type; +type dumpstate_service, service_manager_type; +type fingerprintd_service, service_manager_type; +type gatekeeper_service, app_api_service, service_manager_type; +type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type; +type idmap_service, service_manager_type; +type iorapd_service, service_manager_type; +type incident_service, service_manager_type; +type installd_service, service_manager_type; +type credstore_service, app_api_service, service_manager_type; +type keystore_compat_hal_service, service_manager_type; +type keystore_maintenance_service, service_manager_type; +type keystore_metrics_service, service_manager_type; +type keystore_service, service_manager_type; +type legacykeystore_service, service_manager_type; +type lpdump_service, service_manager_type; +type mediaserver_service, service_manager_type; +type mediametrics_service, service_manager_type; +type mediaextractor_service, service_manager_type; +type mediadrmserver_service, service_manager_type; +type mediatranscoding_service, app_api_service, service_manager_type; +type netd_service, service_manager_type; +type nfc_service, service_manager_type; +type radio_service, service_manager_type; +type remoteprovisioning_service, service_manager_type; +type secure_element_service, service_manager_type; +type service_manager_service, service_manager_type; +type storaged_service, 
service_manager_type; +type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type; +type system_app_service, service_manager_type; +type system_suspend_control_internal_service, service_manager_type; +type system_suspend_control_service, service_manager_type; +type update_engine_service, service_manager_type; +type update_engine_stable_service, service_manager_type; +type virtualization_service, service_manager_type; +type virtual_touchpad_service, service_manager_type; +type vold_service, service_manager_type; +type vr_hwc_service, service_manager_type; +type vrflinger_vsync_service, service_manager_type; + +# system_server_services broken down +type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type adb_service, system_api_service, system_server_service, service_manager_type; +type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type app_binding_service, system_server_service, service_manager_type; +type app_hibernation_service, system_api_service, system_server_service, service_manager_type; +type app_integrity_service, system_api_service, system_server_service, service_manager_type; +type app_prediction_service, app_api_service, system_server_service, service_manager_type; +type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type appwidget_service, app_api_service, ephemeral_app_api_service, 
system_server_service, service_manager_type; +type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type auth_service, app_api_service, system_server_service, service_manager_type; +type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type battery_service, system_server_service, service_manager_type; +type binder_calls_stats_service, system_server_service, service_manager_type; +type blob_store_service, app_api_service, system_server_service, service_manager_type; +type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type broadcastradio_service, system_server_service, service_manager_type; +type cacheinfo_service, system_api_service, system_server_service, service_manager_type; +type cameraproxy_service, system_server_service, service_manager_type; +type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type contexthub_service, app_api_service, system_server_service, service_manager_type; +type crossprofileapps_service, app_api_service, system_server_service, service_manager_type; +type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type connmetrics_service, app_api_service, 
ephemeral_app_api_service, system_server_service, service_manager_type; +type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled +# with EMMA_INSTRUMENT=true. We should consider locking this down in the future. +type coverage_service, system_server_service, service_manager_type; +type cpuinfo_service, system_api_service, system_server_service, service_manager_type; +type dataloader_manager_service, system_server_service, service_manager_type; +type dbinfo_service, system_api_service, system_server_service, service_manager_type; +type device_config_service, system_server_service, service_manager_type; +type device_policy_service, app_api_service, system_server_service, service_manager_type; +type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type; +type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type devicestoragemonitor_service, system_server_service, service_manager_type; +type diskstats_service, system_api_service, system_server_service, service_manager_type; +type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type domain_verification_service, 
app_api_service, system_server_service, service_manager_type; +type color_display_service, system_api_service, system_server_service, service_manager_type; +type external_vibrator_service, system_server_service, service_manager_type; +type file_integrity_service, app_api_service, system_server_service, service_manager_type; +type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type netd_listener_service, system_server_service, service_manager_type; +type network_watchlist_service, system_server_service, service_manager_type; +type DockObserver_service, system_server_service, service_manager_type; +type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type lowpan_service, system_api_service, system_server_service, service_manager_type; +type ethernet_service, app_api_service, system_server_service, service_manager_type; +type biometric_service, app_api_service, system_server_service, service_manager_type; +type bugreport_service, app_api_service, system_server_service, service_manager_type; +type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type face_service, app_api_service, system_server_service, service_manager_type; +type fingerprint_service, app_api_service, system_server_service, service_manager_type; +type fwk_stats_service, app_api_service, system_server_service, service_manager_type; +type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type gfxinfo_service, system_api_service, system_server_service, service_manager_type; +type gnss_time_update_service, system_server_service, service_manager_type; +type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; 
+type hardware_service, system_server_service, service_manager_type; +type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type hdmi_control_service, app_api_service, system_server_service, service_manager_type; +type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type incremental_service, system_server_service, service_manager_type; +type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type iris_service, app_api_service, system_server_service, service_manager_type; +type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type location_time_zone_manager_service, system_server_service, service_manager_type; +type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type; +type looper_stats_service, system_server_service, service_manager_type; +type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type media_metrics_service, 
app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type meminfo_service, system_api_service, system_server_service, service_manager_type; +type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type network_score_service, system_api_service, system_server_service, service_manager_type; +type network_stack_service, system_server_service, service_manager_type; +type network_time_update_service, system_server_service, service_manager_type; +type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type oem_lock_service, system_api_service, system_server_service, service_manager_type; +type otadexopt_service, system_server_service, service_manager_type; +type overlay_service, system_api_service, system_server_service, service_manager_type; +type pac_proxy_service, app_api_service, 
system_server_service, service_manager_type; +type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type people_service, app_api_service, system_server_service, service_manager_type; +type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type persistent_data_block_service, system_api_service, system_server_service, service_manager_type; +type pinner_service, system_server_service, service_manager_type; +type powerstats_service, app_api_service, system_server_service, service_manager_type; +type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type processinfo_service, system_server_service, service_manager_type; +type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type reboot_readiness_service, app_api_service, system_server_service, service_manager_type; +type recovery_service, system_server_service, service_manager_type; +type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type role_service, app_api_service, system_server_service, service_manager_type; +type rollback_service, app_api_service, system_server_service, service_manager_type; +type runtime_service, system_server_service, 
service_manager_type; +type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type samplingprofiler_service, system_server_service, service_manager_type; +type scheduling_policy_service, system_server_service, service_manager_type; +type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type search_ui_service, app_api_service, system_server_service, service_manager_type; +type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type; +type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type serial_service, system_api_service, system_server_service, service_manager_type; +type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type shortcut_service, app_api_service, system_server_service, service_manager_type; +type slice_service, app_api_service, system_server_service, service_manager_type; +type smartspace_service, app_api_service, system_server_service, service_manager_type; +type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type system_config_service, system_api_service, system_server_service, service_manager_type; +type system_server_dumper_service, system_api_service, system_server_service, service_manager_type; +type system_update_service, system_server_service, service_manager_type; +type soundtrigger_middleware_service, system_server_service, service_manager_type; +type 
speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type task_service, system_server_service, service_manager_type; +type testharness_service, system_server_service, service_manager_type; +type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type timedetector_service, app_api_service, system_server_service, service_manager_type; +type timezone_service, system_server_service, service_manager_type; +type timezonedetector_service, app_api_service, system_server_service, service_manager_type; +type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type trust_service, app_api_service, system_server_service, service_manager_type; +type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type; +type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type updatelock_service, system_api_service, system_server_service, service_manager_type; +type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type usb_service, app_api_service, system_server_service, 
service_manager_type; +type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type uwb_service, app_api_service, system_server_service, service_manager_type; +type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type vpn_management_service, app_api_service, system_server_service, service_manager_type; +type vr_manager_service, system_server_service, service_manager_type; +type wallpaper_service, app_api_service, system_server_service, service_manager_type; +type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type wifip2p_service, app_api_service, system_server_service, service_manager_type; +type wifiscanner_service, system_api_service, system_server_service, service_manager_type; +type wifi_service, app_api_service, system_server_service, service_manager_type; +type wifinl80211_service, service_manager_type; +type wifiaware_service, app_api_service, system_server_service, service_manager_type; +type window_service, system_api_service, system_server_service, service_manager_type; +type inputflinger_service, system_api_service, system_server_service, service_manager_type; +type wpantund_service, system_api_service, service_manager_type; +type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type emergency_affordance_service, system_server_service, service_manager_type; + +### +### HAL Services +### + +type hal_audio_service, vendor_service, protected_service, 
service_manager_type; +type hal_audiocontrol_service, vendor_service, service_manager_type; +type hal_authsecret_service, vendor_service, protected_service, service_manager_type; +type hal_face_service, vendor_service, protected_service, service_manager_type; +type hal_fingerprint_service, vendor_service, protected_service, service_manager_type; +type hal_gnss_service, vendor_service, protected_service, service_manager_type; +type hal_health_storage_service, vendor_service, protected_service, service_manager_type; +type hal_identity_service, vendor_service, protected_service, service_manager_type; +type hal_keymint_service, vendor_service, protected_service, service_manager_type; +type hal_light_service, vendor_service, protected_service, service_manager_type; +type hal_memtrack_service, vendor_service, protected_service, service_manager_type; +type hal_neuralnetworks_service, vendor_service, service_manager_type; +type hal_oemlock_service, vendor_service, protected_service, service_manager_type; +type hal_power_service, vendor_service, protected_service, service_manager_type; +type hal_power_stats_service, vendor_service, protected_service, service_manager_type; +type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type; +type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type; +type hal_secureclock_service, vendor_service, protected_service, service_manager_type; +type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type; +type hal_vibrator_service, vendor_service, protected_service, service_manager_type; +type hal_weaver_service, vendor_service, protected_service, service_manager_type; + +### +### Neverallow rules +### + +# servicemanager handles registering or looking up named services. +# It does not make sense to register or lookup something which is not a service. +# Trigger a compile error if this occurs. 
+neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/prebuilts/api/32.0/public/servicemanager.te b/prebuilts/api/32.0/public/servicemanager.te
new file mode 100644
index 000000000..63fc2273a
--- /dev/null
+++ b/prebuilts/api/32.0/public/servicemanager.te
@@ -0,0 +1,32 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain, mlstrustedsubject;
+type servicemanager_exec, system_file_type, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+
+add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
diff --git a/prebuilts/api/32.0/public/sgdisk.te b/prebuilts/api/32.0/public/sgdisk.te
new file mode 100644
index 000000000..e5a9152e2
--- /dev/null
+++ b/prebuilts/api/32.0/public/sgdisk.te
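Review bot: The two dumpstate grants, `allow servicemanager dumpstate:fd use;` and `allow servicemanager dumpstate:fifo_file write;`, are the only rules in this file without a comment, and they sit right after a comment block stating that servicemanager never initiates IPC or passes its own references, so a reader may wonder why it writes into another domain's pipe. A one-line comment would settle it, e.g. `# Let dumpstate collect servicemanager's dump output over the fd/fifo it hands in` — presumably bugreport collection, but confirm against dumpstate before asserting it. If this prebuilt mirrors `public/servicemanager.te`, add the comment there and re-snapshot.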
@@ -0,0 +1,36 @@
+# sgdisk called from vold
+type sgdisk, domain;
+type sgdisk_exec, system_file_type, exec_type, file_type;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+# HDIO_GETGEO needed to get the number of disk heads
+# on vold_device. How quaint.
+allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
+# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
+# is granted to all block device users in domain.te, so
+# no need to mention it here. sgdisk should not be
+# using the BLKGETSIZE ioctl as it is useless for devices over
+# 2T in size, but we allow it for now and hope that sgdisk
+# will fix their bug.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
+# Force a re-read of the partition table.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
+# Allow reading of the physical block size.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:global_capability_class_set sys_admin;
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow * sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/32.0/public/shared_relro.te b/prebuilts/api/32.0/public/shared_relro.te
new file mode 100644
index 000000000..6dd5bd77f
--- /dev/null
+++ b/prebuilts/api/32.0/public/shared_relro.te
@@ -0,0 +1,2 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
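Review bot: `allow sgdisk devpts:chr_file { read write ioctl getattr };` grants an unscoped ioctl on the inherited pty, while every other ioctl in this file (HDIO_GETGEO, BLKGETSIZE, BLKRRPART, BLKPBSZGET) is narrowed with `allowxperm` and a comment saying why. For consistency, and because the tty ioctl range includes input-injection commands such as TIOCSTI, either add a matching `allowxperm sgdisk devpts:chr_file ioctl { ... }` listing what sgdisk actually issues on its stdio pty, or extend the existing comment to say the broad grant is deliberate. A policy-wide `neverallowxperm` on devpts may already cover TIOCSTI elsewhere, but that is not visible in this hunk; if this prebuilt mirrors `public/sgdisk.te`, make the change there first.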
diff --git a/prebuilts/api/32.0/public/shell.te b/prebuilts/api/32.0/public/shell.te
new file mode 100644
index 000000000..70a7fb484
--- /dev/null
+++ b/prebuilts/api/32.0/public/shell.te
@@ -0,0 +1,232 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain, mlstrustedsubject;
+type shell_exec, system_file_type, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+# logcat -L (directly, or via dumpstate)
+allow shell pstorefs:dir search;
+allow shell pstorefs:file r_file_perms;
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# read files in /data/anr
+allow shell anr_data_file:dir r_dir_perms;
+allow shell anr_data_file:file r_file_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+# Access /data/local/tests.
+allow shell shell_test_data_file:dir create_dir_perms;
+allow shell shell_test_data_file:file create_file_perms;
+allow shell shell_test_data_file:file rx_file_perms;
+allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
+
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
+
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+ allow shell nativetest_data_file:dir r_dir_perms;
+ allow shell nativetest_data_file:file rx_file_perms;
+')
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+allow shell input_device:dir r_dir_perms;
+allow shell input_device:chr_file r_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell tzdatacheck_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+userdebug_or_eng(`
+ # "systrace --boot" support - allow boottrace service to run
+ allow shell boottrace_data_file:dir rw_dir_perms;
+ allow shell boottrace_data_file:file create_file_perms;
+')
+
+# allow shell access to services
+allow shell servicemanager:service_manager list;
+# don't allow shell to access GateKeeper service
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -netd_service
+ -system_suspend_control_internal_service
+ -system_suspend_control_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ -default_android_service
+}:service_manager find;
+allow shell dumpstate:binder call;
+
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with lshal
+hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_loadavg # b/124024827
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_slabinfo
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_vmstat
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
+
+# Make sure strace works for the non-privileged shell user
+allow shell self:process ptrace;
+
+# allow shell to get battery info
+allow shell sysfs:dir r_dir_perms;
+allow shell sysfs_batteryinfo:dir r_dir_perms;
+allow shell sysfs_batteryinfo:file r_file_perms;
+
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Allow shell to
+# execute them.
+recovery_only(`
+ allow shell rootfs:file rx_file_perms;
+')
+
+###
+### Neverallow rules
+###
+
+# Do not allow shell to hard link to any files.
+# In particular, if shell hard links to app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure the shell user never has this
+# capability.
+neverallow shell file_type:file link;
+
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+ fuse_device
+ hw_random_device
+ port_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
+
+# b/30861057: Shell access to existing input devices is an abuse
+# vector. The shell user can inject events that look like they
+# originate from the touchscreen etc.
+# Everyone should have already moved to UiAutomation#injectInputEvent
+# if they are running instrumentation tests (i.e. CTS), Monkey for
+# their stress tests, and the input command (adb shell input ...) for
+# injecting swipes and things.
+neverallow shell input_device:chr_file no_w_file_perms;
diff --git a/prebuilts/api/32.0/public/simpleperf.te b/prebuilts/api/32.0/public/simpleperf.te
new file mode 100644
index 000000000..218fee77a
--- /dev/null
+++ b/prebuilts/api/32.0/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;
diff --git a/prebuilts/api/32.0/public/simpleperf_app_runner.te b/prebuilts/api/32.0/public/simpleperf_app_runner.te
new file mode 100644
index 000000000..2ed007e10
--- /dev/null
+++ b/prebuilts/api/32.0/public/simpleperf_app_runner.te
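Review bot: The comment above the broad `service_manager find` grant is the only explanation of why shell may look up everything in `service_manager_type` minus fourteen exclusions, and it is garbled: `# don't allow shell to access GateKeeper service` now describes just one of the excluded services, and `It needs at list:` is a typo for `It needs at least:`. Suggest rewriting the header as `# TODO: why is this so broad? Tightening candidate. Known requirements:` followed by the existing dumpstate_service bullet, and moving the GateKeeper remark to an inline note on `-gatekeeper_service`. In the same hunk, `# filesystem test for insucre blk_file's` should read `insecure`. If this prebuilt mirrors `public/shell.te`, fix the source copy first and re-snapshot.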
@@ -0,0 +1,44 @@
+type simpleperf_app_runner, domain, mlstrustedsubject;
+type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/prebuilts/api/32.0/public/slideshow.te b/prebuilts/api/32.0/public/slideshow.te
new file mode 100644
index 000000000..10fbbb852
--- /dev/null
+++ b/prebuilts/api/32.0/public/slideshow.te
@@ -0,0 +1,14 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+allow slideshow kmsg_device:chr_file rw_file_perms;
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:global_capability_class_set sys_tty_config;
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
diff --git a/prebuilts/api/32.0/public/stats_service_server.te b/prebuilts/api/32.0/public/stats_service_server.te
new file mode 100644
index 000000000..ab8e58a8e
--- /dev/null
+++ b/prebuilts/api/32.0/public/stats_service_server.te
@@ -0,0 +1,4 @@
+add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
diff --git a/prebuilts/api/32.0/public/statsd.te b/prebuilts/api/32.0/public/statsd.te
new file mode 100644
index 000000000..670f4c702
--- /dev/null
+++ b/prebuilts/api/32.0/public/statsd.te
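Review bot: The two `system_data_file:lnk_file` rules in simpleperf_app_runner.te grant `getattr` under the "reads package information" comment and `read` under the "app's data dir may be accessed through a symlink" comment; source, target and class are identical, so they read more clearly as one rule, `allow simpleperf_app_runner system_data_file:lnk_file { getattr read };`, kept next to the symlink comment. The `dyntransition` into `untrusted_app_all` is the sensitive step in this file, and the hunk's own comments say the target domain is determined from seapp_contexts and validated via `selinux_check_context`; a one-line comment above the `setcurrent` rule stating that the context is validated before the transition would make that ordering explicit for the next reader. As prebuilts/api/32.0 looks like a frozen snapshot of the public policy, either change belongs in the source policy first, with the prebuilt continuing to mirror it.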
@@ -0,0 +1,86 @@
+type statsd, domain, mlstrustedsubject;
+
+type statsd_exec, system_file_type, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
+binder_call(statsd, incidentd)
+binder_call(statsd, system_server)
+
+# Allow statsd to interact with gpuservice
+allow statsd gpu_service:service_manager find;
+binder_call(statsd, gpuservice)
+
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_power_stats)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/prebuilts/api/32.0/public/su.te b/prebuilts/api/32.0/public/su.te
new file mode 100644
index 000000000..074ff2e5d
--- /dev/null
+++ b/prebuilts/api/32.0/public/su.te
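Review bot: The comment above the two `stats_data_file` neverallows in statsd.te is split into sentence fragments and misspells "prohibited"; since both rules exempt exactly `statsd`, `system_server`, `init` and `vold`, the comment should name them rather than say "root services", e.g. `# Only statsd, and in limited circumstances system_server, init and vold,` / `# may touch the files in /data/misc/stats-data and /data/misc/stats-service.` / `# All other domains are prohibited from accessing them.`. The earlier comment `# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.` names the second directory differently from this one (`stats-system` vs `stats-service`); whichever matches the file_contexts label should be used in both places. The line `# Allow access to with hardware layer and process stats.` reads as a leftover edit and could become `# Allow access to hardware-layer and process stats.`. As prebuilts/api/32.0 appears to be a frozen API snapshot, these are wording fixes for the source policy, which the prebuilt should keep mirroring.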
@@ -0,0 +1,108 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
+ typeattribute su mlstrustedsubject;
+
+ # Add su to various domains
+ net_domain(su)
+
+ # grant su access to vndbinder
+ vndbinder_use(su)
+
+ dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
+ dontaudit su kernel:security *;
+ dontaudit su { kernel file_type }:system *;
+ dontaudit su self:memprotect *;
+ dontaudit su domain:{ process process2 } *;
+ dontaudit su domain:fd *;
+ dontaudit su domain:dir *;
+ dontaudit su domain:lnk_file *;
+ dontaudit su domain:{ fifo_file file } *;
+ dontaudit su domain:socket_class_set *;
+ dontaudit su domain:ipc_class_set *;
+ dontaudit su domain:key *;
+ dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit su node_type:node *;
+ dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit su netif_type:netif *;
+ dontaudit su port_type:socket_class_set *;
+ dontaudit su port_type:{ tcp_socket dccp_socket } *;
+ dontaudit su domain:peer *;
+ dontaudit su domain:binder *;
+ dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su vndservice_manager_type:service_manager *;
+ dontaudit su servicemanager:service_manager list;
+ dontaudit su hwservicemanager:hwservice_manager list;
+ dontaudit su vndservicemanager:service_manager list;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su keystore:keystore2 *;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ dontaudit su postinstall_file:filesystem *;
+ dontaudit su domain:bpf *;
+ dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
+
+ # VTS tests run in the permissive su domain on debug builds, but the HALs
+ # being tested run in enforcing mode. Because hal_foo_server is enforcing
+ # su needs to be declared as hal_foo_client to grant hal_foo_server
+ # permission to interact with it.
+ typeattribute su halclientdomain;
+ typeattribute su hal_allocator_client;
+ typeattribute su hal_atrace_client;
+ typeattribute su hal_audio_client;
+ typeattribute su hal_authsecret_client;
+ typeattribute su hal_bluetooth_client;
+ typeattribute su hal_bootctl_client;
+ typeattribute su hal_camera_client;
+ typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
+ typeattribute su hal_contexthub_client;
+ typeattribute su hal_drm_client;
+ typeattribute su hal_cas_client;
+ typeattribute su hal_dumpstate_client;
+ typeattribute su hal_fingerprint_client;
+ typeattribute su hal_gatekeeper_client;
+ typeattribute su hal_gnss_client;
+ typeattribute su hal_graphics_allocator_client;
+ typeattribute su hal_graphics_composer_client;
+ typeattribute su hal_health_client;
+ typeattribute su hal_input_classifier_client;
+ typeattribute su hal_ir_client;
+ typeattribute su hal_keymaster_client;
+ typeattribute su hal_light_client;
+ typeattribute su hal_memtrack_client;
+ typeattribute su hal_neuralnetworks_client;
+ typeattribute su hal_nfc_client;
+ typeattribute su hal_oemlock_client;
+ typeattribute su hal_power_client;
+ typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secure_element_client;
+ typeattribute su hal_sensors_client;
+ typeattribute su hal_telephony_client;
+ typeattribute su hal_tetheroffload_client;
+ typeattribute su hal_thermal_client;
+ typeattribute su hal_tv_cec_client;
+ typeattribute su hal_tv_input_client;
+ typeattribute su hal_tv_tuner_client;
+ typeattribute su hal_usb_client;
+ typeattribute su hal_vibrator_client;
+ typeattribute su hal_vr_client;
+ typeattribute su hal_weaver_client;
+ typeattribute su hal_wifi_client;
+ typeattribute su hal_wifi_hostapd_client;
+ typeattribute su hal_wifi_supplicant_client;
+')
diff --git a/prebuilts/api/32.0/public/surfaceflinger.te b/prebuilts/api/32.0/public/surfaceflinger.te
new file mode 100644
index 000000000..c1e4844a0
--- /dev/null
+++ b/prebuilts/api/32.0/public/surfaceflinger.te
@@ -0,0 +1,3 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
+type surfaceflinger_tmpfs, file_type;
diff --git a/prebuilts/api/32.0/public/system_app.te b/prebuilts/api/32.0/public/system_app.te
new file mode 100644
index 000000000..023058ee0
--- /dev/null
+++ b/prebuilts/api/32.0/public/system_app.te
@@ -0,0 +1,7 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+type system_app, domain;
diff --git a/prebuilts/api/32.0/public/system_server.te b/prebuilts/api/32.0/public/system_server.te
new file mode 100644
index 000000000..4016ba398
--- /dev/null
+++ b/prebuilts/api/32.0/public/system_server.te
@@ -0,0 +1,19 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
+type system_server_tmpfs, file_type, mlstrustedobject;
+
+# Power controls for debugging/diagnostics
+get_prop(system_server, power_debug_prop)
+set_prop(system_server, power_debug_prop)
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -system_server
+} power_debug_prop:property_service set;
+# Read ro.gfx.* properties
+get_prop(system_server, graphics_config_prop)
diff --git a/prebuilts/api/32.0/public/system_suspend_internal_server.te b/prebuilts/api/32.0/public/system_suspend_internal_server.te
new file mode 100644
index 000000000..67bff770c
--- /dev/null
+++ b/prebuilts/api/32.0/public/system_suspend_internal_server.te
@@ -0,0 +1,11 @@
+# To serve ISuspendControlServiceInternal.
+add_service(system_suspend_internal_server, system_suspend_control_internal_service)
+
+neverallow {
+ domain
+ -atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend_internal_server # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
diff --git a/prebuilts/api/32.0/public/system_suspend_server.te b/prebuilts/api/32.0/public/system_suspend_server.te
new file mode 100644
index 000000000..8e8310d5e
--- /dev/null
+++ b/prebuilts/api/32.0/public/system_suspend_server.te
@@ -0,0 +1,6 @@
+# Required to export a HIDL interface.
+hwbinder_use(system_suspend_server)
+get_prop(system_suspend_server, hwservicemanager_prop)
+
+# To serve ISystemSuspend.hal.
+add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/prebuilts/api/32.0/public/te_macros b/prebuilts/api/32.0/public/te_macros
new file mode 100644
index 000000000..7dc5062c5
--- /dev/null
+++ b/prebuilts/api/32.0/public/te_macros
@@ -0,0 +1,993 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
+define(`tmpfs_domain', `
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr map };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+')
+
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+')
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+# passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file { getattr open read map };
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open map };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open map };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:global_capability2_class_set block_suspend;
+# system_suspend permissions
+binder_call($1, system_suspend_server)
+allow $1 system_suspend_hwservice:hwservice_manager find;
+# halclientdomain permissions
+hwbinder_use($1)
+get_prop($1, hwservicemanager_prop)
+allow $1 hidl_manager_hwservice:hwservice_manager find;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+ allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
+ allow $1 keystore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
+ binder_call($1, keystore)
+ binder_call(keystore, $1)
+')
+
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+###########################################
+# hal_attribute_hwservice(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice', `
+ allow $1_client $2:hwservice_manager find;
+ add_hwservice($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+ ')
+')
+
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_service
+define(`hal_attribute_service', `
+ allow $1_client $2:service_manager find;
+ add_service($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow {
+ domain
+ -$1_client
+ -$1_server
+ # some services are allowed to find all services
+ -atrace
+ -dumpstate
+ -shell
+ -system_app
+ -traceur_app
+ } $2:service_manager find;
+ ')
+')
+
+###################################
+# can_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # Allow daemon to use the passed fds.
+ allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
+
+ # To read and write from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ # We need to write to /proc/$PID/page_idle to find idle allocations.
+ # The client only opens /proc/self/page_idle with RDWR, everything else
+ # with RDONLY.
+ # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+ # sys_ptrace.
+ allow heapprofd $1:file rw_file_perms;
+ # Allow searching the /proc/[pid] directory for cmdline.
+ allow heapprofd $1:dir r_dir_perms;
+')
+
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
+
+###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+
+ # Also allow the service to use the producer file descriptors. This is
+ # necessary when the producer is creating the shared memory, as it will be
+ # passed to the service as a file descriptor (obtained from memfd_create).
+ allow traced $1:fd use;
+')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+ hal_client_domain(dumpstate, $1);
+ allow $1_server dumpstate:fifo_file write;
+ allow $1_server dumpstate:fd use;
+')
+
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the accessibility of each property
+# outside the owner.
+#
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+ type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_internal_prop', `
+ define_prop($1, system, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_restricted_prop', `
+ define_prop($1, system, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_internal_prop', `
+ define_prop($1, product, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_restricted_prop', `
+ define_prop($1, product, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_internal_prop', `
+ define_prop($1, vendor, internal)
+ treble_sysprop_neverallow(`
+# init and dumpstate are in coredomain, but should be able to read all props.
+ neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_restricted_prop', `
+ define_prop($1, vendor, restricted)
+ treble_sysprop_neverallow(`
+# init is in coredomain, but should be able to write all props.
+ neverallow { coredomain -init } $1:property_service set;
+ ')
+')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
diff --git a/prebuilts/api/32.0/public/tee.te b/prebuilts/api/32.0/public/tee.te
new file mode 100644
index 000000000..0f9b32dc9
--- /dev/null
+++ b/prebuilts/api/32.0/public/tee.te
@@ -0,0 +1,11 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
diff --git a/prebuilts/api/32.0/public/tombstoned.te b/prebuilts/api/32.0/public/tombstoned.te
new file mode 100644
index 000000000..ea2abbb75
--- /dev/null
+++ b/prebuilts/api/32.0/public/tombstoned.te
@@ -0,0 +1,17 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, system_file_type, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { append create getattr open link unlink };
diff --git a/prebuilts/api/32.0/public/toolbox.te b/prebuilts/api/32.0/public/toolbox.te
new file mode 100644
index 000000000..4c2cc3eab
--- /dev/null
+++ b/prebuilts/api/32.0/public/toolbox.te
@@ -0,0 +1,38 @@
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, system_file_type, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow * toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_root_file:dir { remove_name write };
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
+
+# chattr +F and chattr +P /data/media in init
+allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_rw_data_file:dir ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
diff --git a/prebuilts/api/32.0/public/traced.te b/prebuilts/api/32.0/public/traced.te
new file mode 100644
index 000000000..922d46e08
--- /dev/null
+++ b/prebuilts/api/32.0/public/traced.te
@@ -0,0 +1,3 @@
+type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
+
diff --git a/prebuilts/api/32.0/public/traced_perf.te b/prebuilts/api/32.0/public/traced_perf.te
new file mode 100644
index 000000000..f9a0324b1
--- /dev/null
+++ b/prebuilts/api/32.0/public/traced_perf.te
@@ -0,0 +1 @@
+type traced_perf, domain;
diff --git a/prebuilts/api/32.0/public/traced_probes.te b/prebuilts/api/32.0/public/traced_probes.te
new file mode 100644
index 000000000..3e587c8ef
--- /dev/null
+++ b/prebuilts/api/32.0/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/prebuilts/api/32.0/public/traceur_app.te b/prebuilts/api/32.0/public/traceur_app.te
new file mode 100644
index 000000000..ce9b844d5
--- /dev/null
+++ b/prebuilts/api/32.0/public/traceur_app.te
@@ -0,0 +1,27 @@
+type traceur_app, domain;
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+allow traceur_app {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -lpdump_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ -default_android_service
+}:service_manager find;
+
+# Allow traceur_app to use atrace HAL
+hal_client_domain(traceur_app, hal_atrace)
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
diff --git a/prebuilts/api/32.0/public/tzdatacheck.te b/prebuilts/api/32.0/public/tzdatacheck.te
new file mode 100644
index 000000000..cf9b95de9
--- /dev/null
+++ b/prebuilts/api/32.0/public/tzdatacheck.te
@@ -0,0 +1,18 @@
+# The tzdatacheck command run by init.
+type tzdatacheck, domain;
+type tzdatacheck_exec, system_file_type, exec_type, file_type;
+
+allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
+allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/32.0/public/ueventd.te b/prebuilts/api/32.0/public/ueventd.te
new file mode 100644
index 000000000..d5d43017d
--- /dev/null
+++ b/prebuilts/api/32.0/public/ueventd.te
@@ -0,0 +1,83 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+type ueventd_tmpfs, file_type;
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. ueventd has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow ueventd rootfs:file { r_file_perms execute };
+')
+
+# Suppress denials for ueventd to getattr /postinstall. This occurs when the
+# linker tries to resolve paths in ld.config.txt.
+dontaudit ueventd postinstall_mnt_dir:dir getattr;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+
+# Allow ueventd to run shell scripts from vendor
+allow ueventd vendor_shell_exec:file execute;
+
+#####
+##### neverallow rules
+#####
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
+
+# Nobody should be able to ptrace ueventd
+neverallow * ueventd:process ptrace;
+
+# ueventd should never execute a program without changing to another domain.
+neverallow ueventd { file_type fs_type }:file execute_no_trans;
diff --git a/prebuilts/api/32.0/public/uncrypt.te b/prebuilts/api/32.0/public/uncrypt.te
new file mode 100644
index 000000000..3b04671b2
--- /dev/null
+++ b/prebuilts/api/32.0/public/uncrypt.te
@@ -0,0 +1,46 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, system_file_type, exec_type, file_type;
+
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+ proc_bootconfig
+ proc_cmdline
+
+}:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
diff --git a/prebuilts/api/32.0/public/untrusted_app.te b/prebuilts/api/32.0/public/untrusted_app.te
new file mode 100644
index 000000000..43fe19a03
--- /dev/null
+++ b/prebuilts/api/32.0/public/untrusted_app.te
@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion >= 30.
+type untrusted_app, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion = 29.
+type untrusted_app_29, domain;
+# This file defines the rules for untrusted apps running with
+# 25 < targetSdkVersion <= 28.
+type untrusted_app_27, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion <= 25.
+type untrusted_app_25, domain;
diff --git a/prebuilts/api/32.0/public/update_engine.te b/prebuilts/api/32.0/public/update_engine.te
new file mode 100644
index 000000000..ab7090bbc
--- /dev/null
+++ b/prebuilts/api/32.0/public/update_engine.te
@@ -0,0 +1,78 @@
+# Domain for update_engine daemon.
+type update_engine, domain, update_engine_common;
+type update_engine_exec, system_file_type, exec_type, file_type;
+
+net_domain(update_engine);
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:global_capability_class_set fsetid;
+
+allow update_engine kmsg_device:chr_file { getattr w_file_perms };
+allow update_engine update_engine_exec:file rx_file_perms;
+wakelock_use(update_engine);
+
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+add_service(update_engine, update_engine_service)
+add_service(update_engine, update_engine_stable_service)
+
+# Allow update_engine to call the callback function provided by priv_app/GMS core.
+binder_call(update_engine, priv_app)
+# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow update_engine priv_app:binder { call transfer };
+ auditallow priv_app update_engine:binder transfer;
+ auditallow update_engine priv_app:fd use;
+')
+
+binder_call(update_engine, gmscore_app)
+
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
+
+# Allow ReadDefaultFstab().
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device.
+read_fstab(update_engine)
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/prebuilts/api/32.0/public/update_engine_common.te b/prebuilts/api/32.0/public/update_engine_common.te
new file mode 100644
index 000000000..e8fd29e41
--- /dev/null
+++ b/prebuilts/api/32.0/public/update_engine_common.te
@@ -0,0 +1,98 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Where ioctls are granted via standard allow rules to block devices,
+# automatically allow common ioctls that are generally needed by
+# update_engine.
+allowxperm update_engine_common dev_type:blk_file ioctl {
+ BLKDISCARD
+ BLKDISCARDZEROES
+ BLKROGET
+ BLKROSET
+ BLKSECDISCARD
+ BLKZEROOUT
+};
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline
+allow update_engine_common proc_cmdline:file r_file_perms;
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+
+# Needed because libdm reads sysfs to validate when a dm path is ready.
+r_dir_file(update_engine_common, sysfs_dm)
+
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
+# read / write on /dev/device-mapper to map / unmap devices
+allow update_engine_common dm_device:chr_file rw_file_perms;
+
+# apply / verify updates on devices mapped via device mapper
+allow update_engine_common dm_device:blk_file rw_file_perms;
+
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
+# read / write metadata on super device to resize partitions
+allow update_engine_common super_block_device_type:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
+
+# Allow update_engine_common to write to statsd socket.
+unix_socket_send(update_engine_common, statsdw, statsd)
+
+# Allow to read Virtual A/B feature flags.
+get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read GKI related flags.
+get_prop(update_engine_common, ab_update_gki_prop)
+get_prop(update_engine_common, build_bootimage_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common metadata_file:dir search;
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/prebuilts/api/32.0/public/update_verifier.te b/prebuilts/api/32.0/public/update_verifier.te
new file mode 100644
index 000000000..68b43f089
--- /dev/null
+++ b/prebuilts/api/32.0/public/update_verifier.te
@@ -0,0 +1,33 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, system_file_type, exec_type, file_type;
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
+
+# Access Checkpoint commands over binder
+allow update_verifier vold_service:service_manager find;
+binder_call(update_verifier, servicemanager)
+binder_call(update_verifier, vold)
diff --git a/prebuilts/api/32.0/public/usbd.te b/prebuilts/api/32.0/public/usbd.te
new file mode 100644
index 000000000..6f349541b
--- /dev/null
+++ b/prebuilts/api/32.0/public/usbd.te
@@ -0,0 +1,2 @@
+type usbd, domain;
+type usbd_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/32.0/public/userdata_sysdev.te b/prebuilts/api/32.0/public/userdata_sysdev.te
new file mode 100644
index 000000000..9974f36dc
--- /dev/null
+++ b/prebuilts/api/32.0/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
diff --git a/prebuilts/api/32.0/public/vdc.te b/prebuilts/api/32.0/public/vdc.te
new file mode 100644
index 000000000..e638e50a6
--- /dev/null
+++ b/prebuilts/api/32.0/public/vdc.te
@@ -0,0 +1,20 @@
+# vdc spawned from init for the following services:
+# defaultcrypto
+# encrypt
+#
+# We also transition into this domain from dumpstate, when
+# collecting bug reports.
+
+type vdc, domain;
+type vdc_exec, system_file_type, exec_type, file_type;
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file { getattr w_file_perms };
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/prebuilts/api/32.0/public/vendor_init.te b/prebuilts/api/32.0/public/vendor_init.te
new file mode 100644
index 000000000..0999f4880
--- /dev/null
+++ b/prebuilts/api/32.0/public/vendor_init.te
@@ -0,0 +1,296 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm vendor_init data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file_type
+ -mnt_product_file
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -runtime_event_log_tags_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -apex_info_file
+ -userspace_reboot_metadata_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -apex_mnt_dir
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -mnt_product_file
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_file_type
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -keychord_device
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read map };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
+# vendor_init is using bootstrap bionic
+allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
+allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow vendor_init rootfs:file { r_file_perms execute };
+')
+
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -system_internal_property_type
+ -system_restricted_property_type
+ })
+')
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+set_prop(vendor_init, apk_verity_prop)
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camera2_extensions_prop)
+set_prop(vendor_init, camerax_extensions_prop)
+set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_runtime_prop)
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_camera_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, ffs_control_prop)
+set_prop(vendor_init, hw_timeout_multiplier_prop)
+set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, qemu_hw_prop)
+set_prop(vendor_init, radio_control_prop)
+set_prop(vendor_init, rebootescrow_hal_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, soc_prop)
+set_prop(vendor_init, surfaceflinger_color_prop)
+set_prop(vendor_init, usb_control_prop)
+set_prop(vendor_init, userspace_reboot_config_prop)
+set_prop(vendor_init, vehicle_hal_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
+set_prop(vendor_init, wifi_hal_prop)
+set_prop(vendor_init, wifi_log_prop)
+set_prop(vendor_init, zram_control_prop)
+
+get_prop(vendor_init, boot_status_prop)
+get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, ota_prop)
+get_prop(vendor_init, power_debug_prop)
+get_prop(vendor_init, provisioned_prop)
+get_prop(vendor_init, retaildemo_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
+get_prop(vendor_init, theme_prop)
+set_prop(vendor_init, dck_prop)
+
+
+###
+### neverallow rules
+###
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
+# The vendor_init domain is only entered via an exec based transition from the
+# init domain, never via setcon().
+neverallow domain vendor_init:process dyntransition;
+neverallow { domain -init } vendor_init:process transition;
+neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init shell_data_file:lnk_file read;
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow vendor_init shell_data_file:dir { write add_name remove_name };
+
+# init should never execute a program without changing to another domain.
+neverallow vendor_init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow vendor_init service_manager_type:service_manager { add find };
+neverallow vendor_init servicemanager:service_manager list;
+
+# vendor_init should never be ptraced
+neverallow * vendor_init:process ptrace;
diff --git a/prebuilts/api/32.0/public/vendor_misc_writer.te b/prebuilts/api/32.0/public/vendor_misc_writer.te
new file mode 100644
index 000000000..3bc3a9f67
--- /dev/null
+++ b/prebuilts/api/32.0/public/vendor_misc_writer.te
@@ -0,0 +1,16 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
+dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/prebuilts/api/32.0/public/vendor_modprobe.te b/prebuilts/api/32.0/public/vendor_modprobe.te
new file mode 100644
index 000000000..529c4aa27
--- /dev/null
+++ b/prebuilts/api/32.0/public/vendor_modprobe.te
@@ -0,0 +1 @@
+type vendor_modprobe, domain;
diff --git a/prebuilts/api/32.0/public/vendor_shell.te b/prebuilts/api/32.0/public/vendor_shell.te
new file mode 100644
index 000000000..5d7cb3165
--- /dev/null
+++ b/prebuilts/api/32.0/public/vendor_shell.te
@@ -0,0 +1,21 @@
+type vendor_shell, domain;
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/prebuilts/api/32.0/public/vendor_toolbox.te b/prebuilts/api/32.0/public/vendor_toolbox.te
new file mode 100644
index 000000000..63f938de1
--- /dev/null
+++ b/prebuilts/api/32.0/public/vendor_toolbox.te
@@ -0,0 +1,16 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+ # Do not allow non-vendor domains to transition
+ # to vendor toolbox except for the allowlisted domains.
+ neverallow {
+ coredomain
+ -init
+ -modprobe
+ } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
diff --git a/prebuilts/api/32.0/public/virtual_touchpad.te b/prebuilts/api/32.0/public/virtual_touchpad.te
new file mode 100644
index 000000000..49c87044c
--- /dev/null
+++ b/prebuilts/api/32.0/public/virtual_touchpad.te
@@ -0,0 +1,16 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, system_file_type, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/32.0/public/vndservice.te b/prebuilts/api/32.0/public/vndservice.te
new file mode 100644
index 000000000..efd9adf92
--- /dev/null
+++ b/prebuilts/api/32.0/public/vndservice.te
@@ -0,0 +1,2 @@
+type service_manager_vndservice, vndservice_manager_type;
+type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/32.0/public/vndservicemanager.te b/prebuilts/api/32.0/public/vndservicemanager.te
new file mode 100644
index 000000000..6b9f73dc0
--- /dev/null
+++ b/prebuilts/api/32.0/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/prebuilts/api/32.0/public/vold.te b/prebuilts/api/32.0/public/vold.te
new file mode 100644
index 000000000..7796ba851
--- /dev/null
+++ b/prebuilts/api/32.0/public/vold.te
@@ -0,0 +1,361 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type, system_file_type;
+
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
+# XXX Label sysfs files with a specific type?
+allow vold {
+ sysfs # writing to /sys/*/uevent during coldboot.
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
+ sysfs_usb
+ sysfs_zram_uevent
+ sysfs_fs_f2fs
+}:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
+allow vold {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_drop_caches
+ proc_filesystems
+ proc_meminfo
+ proc_mounts
+}:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+# Run fstrim on mounted partitions
+# allowxperm still requires the ioctl permission for the individual type
+allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
+
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
+allowxperm vold data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+ FS_IOC_ADD_ENCRYPTION_KEY
+ FS_IOC_REMOVE_ENCRYPTION_KEY
+};
+
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+ domain
+ -vold
+ -init
+ -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+ domain
+ -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+
+# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
+# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
+# location of the file's blocks on the raw block device to erase.
+allowxperm vold {
+ vold_data_file
+ vold_metadata_file
+}:file ioctl {
+ F2FS_IOC_SEC_TRIM_FILE
+ FS_IOC_FIEMAP
+};
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton; # TODO: deprecated in M
+allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
+allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
+allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
+
+# Allow setting extended attributes (for project quota IDs) on files and dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir { create_dir_perms mounton };
+allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
+
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file { rw_file_perms unlink };
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl {
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_GET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_STATUS64
+};
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold {
+ system_data_file
+ system_data_root_file
+}:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
+# Handle wake locks (used for device encryption)
+wakelock_use(vold)
+
+# Allow vold to publish a binder service and make binder calls.
+binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
+binder_call(vold, healthd)
+
+# talk to keymaster
+hal_client_domain(vold, hal_keymaster)
+
+# talk to health storage HAL
+hal_client_domain(vold, hal_health_storage)
+
+# talk to bootloader HAL
+full_treble_only(`hal_client_domain(vold, hal_bootctl)')
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:global_capability_class_set sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:global_capability_class_set sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
+
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# Allow ReadDefaultFstab().
+read_fstab(vold)
+
+# vold might need to search loopback apex files
+allow vold vendor_apex_file:file r_file_perms;
+
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold {
+ domain
+ -hal_health_storage_server
+ -hal_keymaster_server
+ -system_suspend_server
+ -hal_bootctl_server
+ -healthd
+ -hwservicemanager
+ -iorapd_service
+ -keystore
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
diff --git a/prebuilts/api/32.0/public/vold_prepare_subdirs.te b/prebuilts/api/32.0/public/vold_prepare_subdirs.te
new file mode 100644
index 000000000..3087fa861
--- /dev/null
+++ b/prebuilts/api/32.0/public/vold_prepare_subdirs.te
@@ -0,0 +1,6 @@
+# SELinux directory creation and labelling for vold-managed directories
+
+type vold_prepare_subdirs, domain;
+type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
+
+typeattribute vold_prepare_subdirs coredomain;
diff --git a/prebuilts/api/32.0/public/vr_hwc.te b/prebuilts/api/32.0/public/vr_hwc.te
new file mode 100644
index 000000000..c14688703
--- /dev/null
+++ b/prebuilts/api/32.0/public/vr_hwc.te
@@ -0,0 +1,33 @@
+type vr_hwc, domain;
+type vr_hwc_exec, system_file_type, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+pdx_client(vr_hwc, display_client)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
+
+allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/prebuilts/api/32.0/public/watchdogd.te b/prebuilts/api/32.0/public/watchdogd.te
new file mode 100644
index 000000000..72e368564
--- /dev/null
+++ b/prebuilts/api/32.0/public/watchdogd.te
@@ -0,0 +1,6 @@
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+type watchdogd_exec, system_file_type, exec_type, file_type;
+
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/32.0/public/webview_zygote.te b/prebuilts/api/32.0/public/webview_zygote.te
new file mode 100644
index 000000000..ace3a013e
--- /dev/null
+++ b/prebuilts/api/32.0/public/webview_zygote.te
@@ -0,0 +1,6 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+type webview_zygote, domain;
+type webview_zygote_exec, exec_type, file_type;
+type webview_zygote_tmpfs, file_type;
diff --git a/prebuilts/api/32.0/public/wificond.te b/prebuilts/api/32.0/public/wificond.te
new file mode 100644
index 000000000..254fcbca0
--- /dev/null
+++ b/prebuilts/api/32.0/public/wificond.te
@@ -0,0 +1,43 @@
+# wificond
+type wificond, domain;
+type wificond_exec, system_file_type, exec_type, file_type;
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+binder_call(wificond, keystore)
+
+add_service(wificond, wifinl80211_service)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allow wificond self:global_capability_class_set { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net_type)
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:keystore_key get;
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond wifi_key:keystore2_key {
+ get_info
+ use
+};
diff --git a/prebuilts/api/32.0/public/wpantund.te b/prebuilts/api/32.0/public/wpantund.te
new file mode 100644
index 000000000..8ddd6935d
--- /dev/null
+++ b/prebuilts/api/32.0/public/wpantund.te
@@ -0,0 +1,29 @@
+type wpantund, domain;
+type wpantund_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:global_capability_class_set { net_admin net_raw };
+allow wpantund self:tun_socket create;
diff --git a/prebuilts/api/32.0/public/zygote.te b/prebuilts/api/32.0/public/zygote.te
new file mode 100644
index 000000000..071354e82
--- /dev/null
+++ b/prebuilts/api/32.0/public/zygote.te
@@ -0,0 +1,4 @@
+# zygote
+type zygote, domain;
+type zygote_tmpfs, file_type;
+type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/private/adbd.te b/private/adbd.te
index c2c6164d0..42739957e 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -169,6 +169,9 @@ allow adbd sepolicy_file:file r_file_perms; # Allow pulling config.gz for CTS purposes allow adbd config_gz:file r_file_perms; +# For CTS listening ports test. +allow adbd proc_net_tcp_udp:file r_file_perms; + allow adbd gpu_service:service_manager find; allow adbd surfaceflinger_service:service_manager find; allow adbd bootchart_data_file:dir search; diff --git a/private/app.te b/private/app.te index 2b3554f88..30c76d330 100644 --- a/private/app.te +++ b/private/app.te @@ -13,6 +13,7 @@ get_prop(appdomain, telephony_config_prop) get_prop(appdomain, userspace_reboot_config_prop) get_prop(appdomain, vold_config_prop) get_prop(appdomain, adbd_config_prop) +get_prop(appdomain, dck_prop) # Allow ART to be configurable via device_config properties # (ART "runs" inside the app process) diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te index da933a9fb..d757a52e7 100644 --- a/private/automotive_display_service.te +++ b/private/automotive_display_service.te @@ -32,3 +32,7 @@ allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager # Allow to use hidl token service allow automotive_display_service hidl_token_hwservice:hwservice_manager find; + +# Allow to access EGL files +allow automotive_display_service gpu_device:chr_file rw_file_perms; +allow automotive_display_service gpu_device:dir search; diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index 0c36aed13..e4acfe8a4 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -70,6 +70,7 @@ hal_uwb_service hal_weaver_service hw_timeout_multiplier_prop + hypervisor_prop keystore_compat_hal_service keystore_maintenance_service keystore_metrics_service diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil new file mode 100644 index 000000000..009d8b2de --- /dev/null +++ b/private/compat/31.0/31.0.cil 
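Review bot: The new `allow adbd proc_net_tcp_udp:file r_file_perms;` in private/adbd.te gives adbd read access to the kernel's system-wide TCP/UDP socket tables, not just its own sockets, and the one-line comment names the consuming test rather than the exposure being accepted. Suggest making that explicit, e.g. `# For CTS listening ports test: reads the system-wide tcp/udp socket tables (not scoped to adbd's own sockets).` Whether the test needs this in adbd itself rather than in the shell domain that adb-invoked commands run under is not visible from this hunk; if shell already suffices, the narrower grant is preferable.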
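Review bot: `get_prop(appdomain, dck_prop)` in private/app.te makes the property readable by every app domain, including untrusted_app and isolated_app, and unlike the surrounding *_config_prop grants there is no comment stating what dck_prop carries or why all apps need it. Suggest a justification line above it such as `# dck_prop is readable by every app; it must never hold per-user or secret state.` If only one app type actually consumes it, granting to that domain instead of appdomain would be the narrower change; which consumer that is cannot be told from this hunk.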
@@ -0,0 +1,2470 @@ +(expandtypeattribute (DockObserver_service_31_0) true) +(expandtypeattribute (IProxyService_service_31_0) true) +(expandtypeattribute (aac_drc_prop_31_0) true) +(expandtypeattribute (aaudio_config_prop_31_0) true) +(expandtypeattribute (ab_update_gki_prop_31_0) true) +(expandtypeattribute (accessibility_service_31_0) true) +(expandtypeattribute (account_service_31_0) true) +(expandtypeattribute (activity_service_31_0) true) +(expandtypeattribute (activity_task_service_31_0) true) +(expandtypeattribute (adb_data_file_31_0) true) +(expandtypeattribute (adb_keys_file_31_0) true) +(expandtypeattribute (adb_service_31_0) true) +(expandtypeattribute (adbd_31_0) true) +(expandtypeattribute (adbd_config_prop_31_0) true) +(expandtypeattribute (adbd_exec_31_0) true) +(expandtypeattribute (adbd_socket_31_0) true) +(expandtypeattribute (aidl_lazy_test_server_31_0) true) +(expandtypeattribute (aidl_lazy_test_server_exec_31_0) true) +(expandtypeattribute (aidl_lazy_test_service_31_0) true) +(expandtypeattribute (alarm_service_31_0) true) +(expandtypeattribute (anr_data_file_31_0) true) +(expandtypeattribute (apc_service_31_0) true) +(expandtypeattribute (apex_appsearch_data_file_31_0) true) +(expandtypeattribute (apex_data_file_31_0) true) +(expandtypeattribute (apex_info_file_31_0) true) +(expandtypeattribute (apex_metadata_file_31_0) true) +(expandtypeattribute (apex_mnt_dir_31_0) true) +(expandtypeattribute (apex_module_data_file_31_0) true) +(expandtypeattribute (apex_ota_reserved_file_31_0) true) +(expandtypeattribute (apex_permission_data_file_31_0) true) +(expandtypeattribute (apex_rollback_data_file_31_0) true) +(expandtypeattribute (apex_scheduling_data_file_31_0) true) +(expandtypeattribute (apex_service_31_0) true) +(expandtypeattribute (apex_wifi_data_file_31_0) true) +(expandtypeattribute (apexd_31_0) true) +(expandtypeattribute (apexd_config_prop_31_0) true) +(expandtypeattribute (apexd_exec_31_0) true) +(expandtypeattribute (apexd_prop_31_0) 
true) +(expandtypeattribute (apk_data_file_31_0) true) +(expandtypeattribute (apk_private_data_file_31_0) true) +(expandtypeattribute (apk_private_tmp_file_31_0) true) +(expandtypeattribute (apk_tmp_file_31_0) true) +(expandtypeattribute (apk_verity_prop_31_0) true) +(expandtypeattribute (app_binding_service_31_0) true) +(expandtypeattribute (app_data_file_31_0) true) +(expandtypeattribute (app_fuse_file_31_0) true) +(expandtypeattribute (app_fusefs_31_0) true) +(expandtypeattribute (app_hibernation_service_31_0) true) +(expandtypeattribute (app_integrity_service_31_0) true) +(expandtypeattribute (app_prediction_service_31_0) true) +(expandtypeattribute (app_search_service_31_0) true) +(expandtypeattribute (app_zygote_31_0) true) +(expandtypeattribute (app_zygote_tmpfs_31_0) true) +(expandtypeattribute (appcompat_data_file_31_0) true) +(expandtypeattribute (appdomain_tmpfs_31_0) true) +(expandtypeattribute (appops_service_31_0) true) +(expandtypeattribute (appwidget_service_31_0) true) +(expandtypeattribute (arm64_memtag_prop_31_0) true) +(expandtypeattribute (art_apex_dir_31_0) true) +(expandtypeattribute (asec_apk_file_31_0) true) +(expandtypeattribute (asec_image_file_31_0) true) +(expandtypeattribute (asec_public_file_31_0) true) +(expandtypeattribute (ashmem_device_31_0) true) +(expandtypeattribute (ashmem_libcutils_device_31_0) true) +(expandtypeattribute (assetatlas_service_31_0) true) +(expandtypeattribute (atrace_31_0) true) +(expandtypeattribute (audio_config_prop_31_0) true) +(expandtypeattribute (audio_data_file_31_0) true) +(expandtypeattribute (audio_device_31_0) true) +(expandtypeattribute (audio_prop_31_0) true) +(expandtypeattribute (audio_service_31_0) true) +(expandtypeattribute (audiohal_data_file_31_0) true) +(expandtypeattribute (audioserver_31_0) true) +(expandtypeattribute (audioserver_data_file_31_0) true) +(expandtypeattribute (audioserver_service_31_0) true) +(expandtypeattribute (audioserver_tmpfs_31_0) true) +(expandtypeattribute 
(auth_service_31_0) true) +(expandtypeattribute (authorization_service_31_0) true) +(expandtypeattribute (autofill_service_31_0) true) +(expandtypeattribute (backup_data_file_31_0) true) +(expandtypeattribute (backup_service_31_0) true) +(expandtypeattribute (battery_service_31_0) true) +(expandtypeattribute (batteryproperties_service_31_0) true) +(expandtypeattribute (batterystats_service_31_0) true) +(expandtypeattribute (binder_cache_bluetooth_server_prop_31_0) true) +(expandtypeattribute (binder_cache_system_server_prop_31_0) true) +(expandtypeattribute (binder_cache_telephony_server_prop_31_0) true) +(expandtypeattribute (binder_calls_stats_service_31_0) true) +(expandtypeattribute (binder_device_31_0) true) +(expandtypeattribute (binderfs_31_0) true) +(expandtypeattribute (binderfs_logs_31_0) true) +(expandtypeattribute (binderfs_logs_proc_31_0) true) +(expandtypeattribute (binfmt_miscfs_31_0) true) +(expandtypeattribute (biometric_service_31_0) true) +(expandtypeattribute (blkid_31_0) true) +(expandtypeattribute (blkid_untrusted_31_0) true) +(expandtypeattribute (blob_store_service_31_0) true) +(expandtypeattribute (block_device_31_0) true) +(expandtypeattribute (bluetooth_31_0) true) +(expandtypeattribute (bluetooth_a2dp_offload_prop_31_0) true) +(expandtypeattribute (bluetooth_audio_hal_prop_31_0) true) +(expandtypeattribute (bluetooth_data_file_31_0) true) +(expandtypeattribute (bluetooth_efs_file_31_0) true) +(expandtypeattribute (bluetooth_logs_data_file_31_0) true) +(expandtypeattribute (bluetooth_manager_service_31_0) true) +(expandtypeattribute (bluetooth_prop_31_0) true) +(expandtypeattribute (bluetooth_service_31_0) true) +(expandtypeattribute (bluetooth_socket_31_0) true) +(expandtypeattribute (boot_block_device_31_0) true) +(expandtypeattribute (boot_status_prop_31_0) true) +(expandtypeattribute (bootanim_31_0) true) +(expandtypeattribute (bootanim_config_prop_31_0) true) +(expandtypeattribute (bootanim_exec_31_0) true) +(expandtypeattribute 
(bootanim_system_prop_31_0) true) +(expandtypeattribute (bootchart_data_file_31_0) true) +(expandtypeattribute (bootloader_boot_reason_prop_31_0) true) +(expandtypeattribute (bootloader_prop_31_0) true) +(expandtypeattribute (bootstat_31_0) true) +(expandtypeattribute (bootstat_data_file_31_0) true) +(expandtypeattribute (bootstat_exec_31_0) true) +(expandtypeattribute (boottime_prop_31_0) true) +(expandtypeattribute (boottime_public_prop_31_0) true) +(expandtypeattribute (boottrace_data_file_31_0) true) +(expandtypeattribute (bpf_progs_loaded_prop_31_0) true) +(expandtypeattribute (bq_config_prop_31_0) true) +(expandtypeattribute (broadcastradio_service_31_0) true) +(expandtypeattribute (bufferhubd_31_0) true) +(expandtypeattribute (bufferhubd_exec_31_0) true) +(expandtypeattribute (bugreport_service_31_0) true) +(expandtypeattribute (build_bootimage_prop_31_0) true) +(expandtypeattribute (build_config_prop_31_0) true) +(expandtypeattribute (build_odm_prop_31_0) true) +(expandtypeattribute (build_prop_31_0) true) +(expandtypeattribute (build_vendor_prop_31_0) true) +(expandtypeattribute (cache_backup_file_31_0) true) +(expandtypeattribute (cache_block_device_31_0) true) +(expandtypeattribute (cache_file_31_0) true) +(expandtypeattribute (cache_private_backup_file_31_0) true) +(expandtypeattribute (cache_recovery_file_31_0) true) +(expandtypeattribute (cacheinfo_service_31_0) true) +(expandtypeattribute (camera2_extensions_prop_31_0) true) +(expandtypeattribute (camera_calibration_prop_31_0) true) +(expandtypeattribute (camera_config_prop_31_0) true) +(expandtypeattribute (camera_data_file_31_0) true) +(expandtypeattribute (camera_device_31_0) true) +(expandtypeattribute (cameraproxy_service_31_0) true) +(expandtypeattribute (cameraserver_31_0) true) +(expandtypeattribute (cameraserver_exec_31_0) true) +(expandtypeattribute (cameraserver_service_31_0) true) +(expandtypeattribute (cameraserver_tmpfs_31_0) true) +(expandtypeattribute (camerax_extensions_prop_31_0) 
true) +(expandtypeattribute (cgroup_31_0) true) +(expandtypeattribute (cgroup_desc_api_file_31_0) true) +(expandtypeattribute (cgroup_desc_file_31_0) true) +(expandtypeattribute (cgroup_rc_file_31_0) true) +(expandtypeattribute (cgroup_v2_31_0) true) +(expandtypeattribute (charger_31_0) true) +(expandtypeattribute (charger_config_prop_31_0) true) +(expandtypeattribute (charger_exec_31_0) true) +(expandtypeattribute (charger_prop_31_0) true) +(expandtypeattribute (charger_status_prop_31_0) true) +(expandtypeattribute (clipboard_service_31_0) true) +(expandtypeattribute (codec2_config_prop_31_0) true) +(expandtypeattribute (cold_boot_done_prop_31_0) true) +(expandtypeattribute (color_display_service_31_0) true) +(expandtypeattribute (companion_device_service_31_0) true) +(expandtypeattribute (config_prop_31_0) true) +(expandtypeattribute (configfs_31_0) true) +(expandtypeattribute (connectivity_service_31_0) true) +(expandtypeattribute (connmetrics_service_31_0) true) +(expandtypeattribute (console_device_31_0) true) +(expandtypeattribute (consumer_ir_service_31_0) true) +(expandtypeattribute (content_capture_service_31_0) true) +(expandtypeattribute (content_service_31_0) true) +(expandtypeattribute (content_suggestions_service_31_0) true) +(expandtypeattribute (contexthub_service_31_0) true) +(expandtypeattribute (coredump_file_31_0) true) +(expandtypeattribute (country_detector_service_31_0) true) +(expandtypeattribute (coverage_service_31_0) true) +(expandtypeattribute (cppreopt_prop_31_0) true) +(expandtypeattribute (cpu_variant_prop_31_0) true) +(expandtypeattribute (cpuinfo_service_31_0) true) +(expandtypeattribute (crash_dump_31_0) true) +(expandtypeattribute (crash_dump_exec_31_0) true) +(expandtypeattribute (credstore_31_0) true) +(expandtypeattribute (credstore_data_file_31_0) true) +(expandtypeattribute (credstore_exec_31_0) true) +(expandtypeattribute (credstore_service_31_0) true) +(expandtypeattribute (crossprofileapps_service_31_0) true) 
+(expandtypeattribute (ctl_adbd_prop_31_0) true) +(expandtypeattribute (ctl_apexd_prop_31_0) true) +(expandtypeattribute (ctl_bootanim_prop_31_0) true) +(expandtypeattribute (ctl_bugreport_prop_31_0) true) +(expandtypeattribute (ctl_console_prop_31_0) true) +(expandtypeattribute (ctl_default_prop_31_0) true) +(expandtypeattribute (ctl_dumpstate_prop_31_0) true) +(expandtypeattribute (ctl_fuse_prop_31_0) true) +(expandtypeattribute (ctl_gsid_prop_31_0) true) +(expandtypeattribute (ctl_interface_restart_prop_31_0) true) +(expandtypeattribute (ctl_interface_start_prop_31_0) true) +(expandtypeattribute (ctl_interface_stop_prop_31_0) true) +(expandtypeattribute (ctl_mdnsd_prop_31_0) true) +(expandtypeattribute (ctl_restart_prop_31_0) true) +(expandtypeattribute (ctl_rildaemon_prop_31_0) true) +(expandtypeattribute (ctl_sigstop_prop_31_0) true) +(expandtypeattribute (ctl_start_prop_31_0) true) +(expandtypeattribute (ctl_stop_prop_31_0) true) +(expandtypeattribute (dalvik_config_prop_31_0) true) +(expandtypeattribute (dalvik_prop_31_0) true) +(expandtypeattribute (dalvik_runtime_prop_31_0) true) +(expandtypeattribute (dalvikcache_data_file_31_0) true) +(expandtypeattribute (dataloader_manager_service_31_0) true) +(expandtypeattribute (dbinfo_service_31_0) true) +(expandtypeattribute (dck_prop_31_0) true) +(expandtypeattribute (debug_prop_31_0) true) +(expandtypeattribute (debugfs_31_0) true) +(expandtypeattribute (debugfs_bootreceiver_tracing_31_0) true) +(expandtypeattribute (debugfs_kprobes_31_0) true) +(expandtypeattribute (debugfs_mm_events_tracing_31_0) true) +(expandtypeattribute (debugfs_mmc_31_0) true) +(expandtypeattribute (debugfs_restriction_prop_31_0) true) +(expandtypeattribute (debugfs_trace_marker_31_0) true) +(expandtypeattribute (debugfs_tracing_31_0) true) +(expandtypeattribute (debugfs_tracing_debug_31_0) true) +(expandtypeattribute (debugfs_tracing_instances_31_0) true) +(expandtypeattribute (debugfs_tracing_printk_formats_31_0) true) 
+(expandtypeattribute (debugfs_wakeup_sources_31_0) true) +(expandtypeattribute (debugfs_wifi_tracing_31_0) true) +(expandtypeattribute (debuggerd_prop_31_0) true) +(expandtypeattribute (default_android_hwservice_31_0) true) +(expandtypeattribute (default_android_service_31_0) true) +(expandtypeattribute (default_android_vndservice_31_0) true) +(expandtypeattribute (default_prop_31_0) true) +(expandtypeattribute (dev_cpu_variant_31_0) true) +(expandtypeattribute (device_31_0) true) +(expandtypeattribute (device_config_activity_manager_native_boot_prop_31_0) true) +(expandtypeattribute (device_config_boot_count_prop_31_0) true) +(expandtypeattribute (device_config_input_native_boot_prop_31_0) true) +(expandtypeattribute (device_config_media_native_prop_31_0) true) +(expandtypeattribute (device_config_netd_native_prop_31_0) true) +(expandtypeattribute (device_config_reset_performed_prop_31_0) true) +(expandtypeattribute (device_config_runtime_native_boot_prop_31_0) true) +(expandtypeattribute (device_config_runtime_native_prop_31_0) true) +(expandtypeattribute (device_config_service_31_0) true) +(expandtypeattribute (device_identifiers_service_31_0) true) +(expandtypeattribute (device_logging_prop_31_0) true) +(expandtypeattribute (device_policy_service_31_0) true) +(expandtypeattribute (device_state_service_31_0) true) +(expandtypeattribute (deviceidle_service_31_0) true) +(expandtypeattribute (devicestoragemonitor_service_31_0) true) +(expandtypeattribute (devpts_31_0) true) +(expandtypeattribute (dhcp_31_0) true) +(expandtypeattribute (dhcp_data_file_31_0) true) +(expandtypeattribute (dhcp_exec_31_0) true) +(expandtypeattribute (dhcp_prop_31_0) true) +(expandtypeattribute (diskstats_service_31_0) true) +(expandtypeattribute (display_service_31_0) true) +(expandtypeattribute (dm_device_31_0) true) +(expandtypeattribute (dm_user_device_31_0) true) +(expandtypeattribute (dmabuf_heap_device_31_0) true) +(expandtypeattribute (dmabuf_system_heap_device_31_0) true) 
+(expandtypeattribute (dmabuf_system_secure_heap_device_31_0) true) +(expandtypeattribute (dnsmasq_31_0) true) +(expandtypeattribute (dnsmasq_exec_31_0) true) +(expandtypeattribute (dnsproxyd_socket_31_0) true) +(expandtypeattribute (dnsresolver_service_31_0) true) +(expandtypeattribute (domain_verification_service_31_0) true) +(expandtypeattribute (dreams_service_31_0) true) +(expandtypeattribute (drm_data_file_31_0) true) +(expandtypeattribute (drm_service_config_prop_31_0) true) +(expandtypeattribute (drmserver_31_0) true) +(expandtypeattribute (drmserver_exec_31_0) true) +(expandtypeattribute (drmserver_service_31_0) true) +(expandtypeattribute (drmserver_socket_31_0) true) +(expandtypeattribute (dropbox_data_file_31_0) true) +(expandtypeattribute (dropbox_service_31_0) true) +(expandtypeattribute (dumpstate_31_0) true) +(expandtypeattribute (dumpstate_exec_31_0) true) +(expandtypeattribute (dumpstate_options_prop_31_0) true) +(expandtypeattribute (dumpstate_prop_31_0) true) +(expandtypeattribute (dumpstate_service_31_0) true) +(expandtypeattribute (dumpstate_socket_31_0) true) +(expandtypeattribute (dynamic_system_prop_31_0) true) +(expandtypeattribute (e2fs_31_0) true) +(expandtypeattribute (e2fs_exec_31_0) true) +(expandtypeattribute (efs_file_31_0) true) +(expandtypeattribute (emergency_affordance_service_31_0) true) +(expandtypeattribute (ephemeral_app_31_0) true) +(expandtypeattribute (ethernet_service_31_0) true) +(expandtypeattribute (exfat_31_0) true) +(expandtypeattribute (exported3_system_prop_31_0) true) +(expandtypeattribute (exported_bluetooth_prop_31_0) true) +(expandtypeattribute (exported_camera_prop_31_0) true) +(expandtypeattribute (exported_config_prop_31_0) true) +(expandtypeattribute (exported_default_prop_31_0) true) +(expandtypeattribute (exported_dumpstate_prop_31_0) true) +(expandtypeattribute (exported_overlay_prop_31_0) true) +(expandtypeattribute (exported_pm_prop_31_0) true) +(expandtypeattribute (exported_secure_prop_31_0) true) 
+(expandtypeattribute (exported_system_prop_31_0) true) +(expandtypeattribute (external_vibrator_service_31_0) true) +(expandtypeattribute (face_service_31_0) true) +(expandtypeattribute (face_vendor_data_file_31_0) true) +(expandtypeattribute (fastbootd_31_0) true) +(expandtypeattribute (ffs_config_prop_31_0) true) +(expandtypeattribute (ffs_control_prop_31_0) true) +(expandtypeattribute (file_contexts_file_31_0) true) +(expandtypeattribute (file_integrity_service_31_0) true) +(expandtypeattribute (fingerprint_prop_31_0) true) +(expandtypeattribute (fingerprint_service_31_0) true) +(expandtypeattribute (fingerprint_vendor_data_file_31_0) true) +(expandtypeattribute (fingerprintd_31_0) true) +(expandtypeattribute (fingerprintd_data_file_31_0) true) +(expandtypeattribute (fingerprintd_exec_31_0) true) +(expandtypeattribute (fingerprintd_service_31_0) true) +(expandtypeattribute (firstboot_prop_31_0) true) +(expandtypeattribute (flags_health_check_31_0) true) +(expandtypeattribute (flags_health_check_exec_31_0) true) +(expandtypeattribute (font_service_31_0) true) +(expandtypeattribute (framework_watchdog_config_prop_31_0) true) +(expandtypeattribute (frp_block_device_31_0) true) +(expandtypeattribute (fs_bpf_31_0) true) +(expandtypeattribute (fs_bpf_tethering_31_0) true) +(expandtypeattribute (fsck_31_0) true) +(expandtypeattribute (fsck_exec_31_0) true) +(expandtypeattribute (fsck_untrusted_31_0) true) +(expandtypeattribute (fscklogs_31_0) true) +(expandtypeattribute (functionfs_31_0) true) +(expandtypeattribute (fuse_31_0) true) +(expandtypeattribute (fuse_device_31_0) true) +(expandtypeattribute (fusectlfs_31_0) true) +(expandtypeattribute (fwk_automotive_display_hwservice_31_0) true) +(expandtypeattribute (fwk_bufferhub_hwservice_31_0) true) +(expandtypeattribute (fwk_camera_hwservice_31_0) true) +(expandtypeattribute (fwk_display_hwservice_31_0) true) +(expandtypeattribute (fwk_scheduler_hwservice_31_0) true) +(expandtypeattribute (fwk_sensor_hwservice_31_0) 
true) +(expandtypeattribute (fwk_stats_hwservice_31_0) true) +(expandtypeattribute (fwk_stats_service_31_0) true) +(expandtypeattribute (fwmarkd_socket_31_0) true) +(expandtypeattribute (game_service_31_0) true) +(expandtypeattribute (gatekeeper_data_file_31_0) true) +(expandtypeattribute (gatekeeper_service_31_0) true) +(expandtypeattribute (gatekeeperd_31_0) true) +(expandtypeattribute (gatekeeperd_exec_31_0) true) +(expandtypeattribute (gfxinfo_service_31_0) true) +(expandtypeattribute (gmscore_app_31_0) true) +(expandtypeattribute (gnss_device_31_0) true) +(expandtypeattribute (gnss_time_update_service_31_0) true) +(expandtypeattribute (gps_control_31_0) true) +(expandtypeattribute (gpu_device_31_0) true) +(expandtypeattribute (gpu_service_31_0) true) +(expandtypeattribute (gpuservice_31_0) true) +(expandtypeattribute (graphics_config_prop_31_0) true) +(expandtypeattribute (graphics_device_31_0) true) +(expandtypeattribute (graphicsstats_service_31_0) true) +(expandtypeattribute (gsi_data_file_31_0) true) +(expandtypeattribute (gsi_metadata_file_31_0) true) +(expandtypeattribute (gsi_public_metadata_file_31_0) true) +(expandtypeattribute (hal_atrace_hwservice_31_0) true) +(expandtypeattribute (hal_audio_hwservice_31_0) true) +(expandtypeattribute (hal_audio_service_31_0) true) +(expandtypeattribute (hal_audiocontrol_hwservice_31_0) true) +(expandtypeattribute (hal_audiocontrol_service_31_0) true) +(expandtypeattribute (hal_authsecret_hwservice_31_0) true) +(expandtypeattribute (hal_authsecret_service_31_0) true) +(expandtypeattribute (hal_bluetooth_hwservice_31_0) true) +(expandtypeattribute (hal_bootctl_hwservice_31_0) true) +(expandtypeattribute (hal_broadcastradio_hwservice_31_0) true) +(expandtypeattribute (hal_camera_hwservice_31_0) true) +(expandtypeattribute (hal_can_bus_hwservice_31_0) true) +(expandtypeattribute (hal_can_controller_hwservice_31_0) true) +(expandtypeattribute (hal_cas_hwservice_31_0) true) +(expandtypeattribute 
(hal_codec2_hwservice_31_0) true) +(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_31_0) true) +(expandtypeattribute (hal_confirmationui_hwservice_31_0) true) +(expandtypeattribute (hal_contexthub_hwservice_31_0) true) +(expandtypeattribute (hal_drm_hwservice_31_0) true) +(expandtypeattribute (hal_dumpstate_config_prop_31_0) true) +(expandtypeattribute (hal_dumpstate_hwservice_31_0) true) +(expandtypeattribute (hal_evs_hwservice_31_0) true) +(expandtypeattribute (hal_face_hwservice_31_0) true) +(expandtypeattribute (hal_face_service_31_0) true) +(expandtypeattribute (hal_fingerprint_hwservice_31_0) true) +(expandtypeattribute (hal_fingerprint_service_31_0) true) +(expandtypeattribute (hal_gatekeeper_hwservice_31_0) true) +(expandtypeattribute (hal_gnss_hwservice_31_0) true) +(expandtypeattribute (hal_gnss_service_31_0) true) +(expandtypeattribute (hal_graphics_allocator_hwservice_31_0) true) +(expandtypeattribute (hal_graphics_composer_hwservice_31_0) true) +(expandtypeattribute (hal_graphics_composer_server_tmpfs_31_0) true) +(expandtypeattribute (hal_graphics_mapper_hwservice_31_0) true) +(expandtypeattribute (hal_health_hwservice_31_0) true) +(expandtypeattribute (hal_health_storage_hwservice_31_0) true) +(expandtypeattribute (hal_health_storage_service_31_0) true) +(expandtypeattribute (hal_identity_service_31_0) true) +(expandtypeattribute (hal_input_classifier_hwservice_31_0) true) +(expandtypeattribute (hal_instrumentation_prop_31_0) true) +(expandtypeattribute (hal_ir_hwservice_31_0) true) +(expandtypeattribute (hal_keymaster_hwservice_31_0) true) +(expandtypeattribute (hal_keymint_service_31_0) true) +(expandtypeattribute (hal_light_hwservice_31_0) true) +(expandtypeattribute (hal_light_service_31_0) true) +(expandtypeattribute (hal_lowpan_hwservice_31_0) true) +(expandtypeattribute (hal_memtrack_hwservice_31_0) true) +(expandtypeattribute (hal_memtrack_service_31_0) true) +(expandtypeattribute (hal_neuralnetworks_hwservice_31_0) true) 
+(expandtypeattribute (hal_neuralnetworks_service_31_0) true) +(expandtypeattribute (hal_nfc_hwservice_31_0) true) +(expandtypeattribute (hal_oemlock_hwservice_31_0) true) +(expandtypeattribute (hal_oemlock_service_31_0) true) +(expandtypeattribute (hal_omx_hwservice_31_0) true) +(expandtypeattribute (hal_power_hwservice_31_0) true) +(expandtypeattribute (hal_power_service_31_0) true) +(expandtypeattribute (hal_power_stats_hwservice_31_0) true) +(expandtypeattribute (hal_power_stats_service_31_0) true) +(expandtypeattribute (hal_rebootescrow_service_31_0) true) +(expandtypeattribute (hal_remotelyprovisionedcomponent_service_31_0) true) +(expandtypeattribute (hal_renderscript_hwservice_31_0) true) +(expandtypeattribute (hal_secure_element_hwservice_31_0) true) +(expandtypeattribute (hal_secureclock_service_31_0) true) +(expandtypeattribute (hal_sensors_hwservice_31_0) true) +(expandtypeattribute (hal_sharedsecret_service_31_0) true) +(expandtypeattribute (hal_telephony_hwservice_31_0) true) +(expandtypeattribute (hal_tetheroffload_hwservice_31_0) true) +(expandtypeattribute (hal_thermal_hwservice_31_0) true) +(expandtypeattribute (hal_tv_cec_hwservice_31_0) true) +(expandtypeattribute (hal_tv_input_hwservice_31_0) true) +(expandtypeattribute (hal_tv_tuner_hwservice_31_0) true) +(expandtypeattribute (hal_usb_gadget_hwservice_31_0) true) +(expandtypeattribute (hal_usb_hwservice_31_0) true) +(expandtypeattribute (hal_vehicle_hwservice_31_0) true) +(expandtypeattribute (hal_vibrator_hwservice_31_0) true) +(expandtypeattribute (hal_vibrator_service_31_0) true) +(expandtypeattribute (hal_vr_hwservice_31_0) true) +(expandtypeattribute (hal_weaver_hwservice_31_0) true) +(expandtypeattribute (hal_weaver_service_31_0) true) +(expandtypeattribute (hal_wifi_hostapd_hwservice_31_0) true) +(expandtypeattribute (hal_wifi_hwservice_31_0) true) +(expandtypeattribute (hal_wifi_supplicant_hwservice_31_0) true) +(expandtypeattribute (hardware_properties_service_31_0) true) 
+(expandtypeattribute (hardware_service_31_0) true) +(expandtypeattribute (hci_attach_dev_31_0) true) +(expandtypeattribute (hdmi_config_prop_31_0) true) +(expandtypeattribute (hdmi_control_service_31_0) true) +(expandtypeattribute (healthd_31_0) true) +(expandtypeattribute (healthd_exec_31_0) true) +(expandtypeattribute (heapdump_data_file_31_0) true) +(expandtypeattribute (heapprofd_31_0) true) +(expandtypeattribute (heapprofd_enabled_prop_31_0) true) +(expandtypeattribute (heapprofd_prop_31_0) true) +(expandtypeattribute (heapprofd_socket_31_0) true) +(expandtypeattribute (hidl_allocator_hwservice_31_0) true) +(expandtypeattribute (hidl_base_hwservice_31_0) true) +(expandtypeattribute (hidl_manager_hwservice_31_0) true) +(expandtypeattribute (hidl_memory_hwservice_31_0) true) +(expandtypeattribute (hidl_token_hwservice_31_0) true) +(expandtypeattribute (hint_service_31_0) true) +(expandtypeattribute (hw_random_device_31_0) true) +(expandtypeattribute (hw_timeout_multiplier_prop_31_0) true) +(expandtypeattribute (hwbinder_device_31_0) true) +(expandtypeattribute (hwservice_contexts_file_31_0) true) +(expandtypeattribute (hwservicemanager_31_0) true) +(expandtypeattribute (hwservicemanager_exec_31_0) true) +(expandtypeattribute (hwservicemanager_prop_31_0) true) +(expandtypeattribute (icon_file_31_0) true) +(expandtypeattribute (idmap_31_0) true) +(expandtypeattribute (idmap_exec_31_0) true) +(expandtypeattribute (idmap_service_31_0) true) +(expandtypeattribute (iio_device_31_0) true) +(expandtypeattribute (imms_service_31_0) true) +(expandtypeattribute (incident_31_0) true) +(expandtypeattribute (incident_data_file_31_0) true) +(expandtypeattribute (incident_helper_31_0) true) +(expandtypeattribute (incident_service_31_0) true) +(expandtypeattribute (incidentd_31_0) true) +(expandtypeattribute (incremental_control_file_31_0) true) +(expandtypeattribute (incremental_prop_31_0) true) +(expandtypeattribute (incremental_service_31_0) true) +(expandtypeattribute 
(init_31_0) true) +(expandtypeattribute (init_exec_31_0) true) +(expandtypeattribute (init_service_status_prop_31_0) true) +(expandtypeattribute (init_tmpfs_31_0) true) +(expandtypeattribute (inotify_31_0) true) +(expandtypeattribute (input_device_31_0) true) +(expandtypeattribute (input_method_service_31_0) true) +(expandtypeattribute (input_service_31_0) true) +(expandtypeattribute (inputflinger_31_0) true) +(expandtypeattribute (inputflinger_exec_31_0) true) +(expandtypeattribute (inputflinger_service_31_0) true) +(expandtypeattribute (install_data_file_31_0) true) +(expandtypeattribute (installd_31_0) true) +(expandtypeattribute (installd_exec_31_0) true) +(expandtypeattribute (installd_service_31_0) true) +(expandtypeattribute (ion_device_31_0) true) +(expandtypeattribute (iorap_inode2filename_31_0) true) +(expandtypeattribute (iorap_inode2filename_exec_31_0) true) +(expandtypeattribute (iorap_inode2filename_tmpfs_31_0) true) +(expandtypeattribute (iorap_prefetcherd_31_0) true) +(expandtypeattribute (iorap_prefetcherd_exec_31_0) true) +(expandtypeattribute (iorap_prefetcherd_tmpfs_31_0) true) +(expandtypeattribute (iorapd_31_0) true) +(expandtypeattribute (iorapd_data_file_31_0) true) +(expandtypeattribute (iorapd_exec_31_0) true) +(expandtypeattribute (iorapd_service_31_0) true) +(expandtypeattribute (iorapd_tmpfs_31_0) true) +(expandtypeattribute (ipsec_service_31_0) true) +(expandtypeattribute (iris_service_31_0) true) +(expandtypeattribute (iris_vendor_data_file_31_0) true) +(expandtypeattribute (isolated_app_31_0) true) +(expandtypeattribute (jobscheduler_service_31_0) true) +(expandtypeattribute (kernel_31_0) true) +(expandtypeattribute (keychain_data_file_31_0) true) +(expandtypeattribute (keychord_device_31_0) true) +(expandtypeattribute (keyguard_config_prop_31_0) true) +(expandtypeattribute (keystore2_key_contexts_file_31_0) true) +(expandtypeattribute (keystore_31_0) true) +(expandtypeattribute (keystore_compat_hal_service_31_0) true) 
+(expandtypeattribute (keystore_data_file_31_0) true) +(expandtypeattribute (keystore_exec_31_0) true) +(expandtypeattribute (keystore_maintenance_service_31_0) true) +(expandtypeattribute (keystore_metrics_service_31_0) true) +(expandtypeattribute (keystore_service_31_0) true) +(expandtypeattribute (kmsg_debug_device_31_0) true) +(expandtypeattribute (kmsg_device_31_0) true) +(expandtypeattribute (labeledfs_31_0) true) +(expandtypeattribute (launcherapps_service_31_0) true) +(expandtypeattribute (legacy_permission_service_31_0) true) +(expandtypeattribute (legacykeystore_service_31_0) true) +(expandtypeattribute (libc_debug_prop_31_0) true) +(expandtypeattribute (light_service_31_0) true) +(expandtypeattribute (linkerconfig_file_31_0) true) +(expandtypeattribute (llkd_31_0) true) +(expandtypeattribute (llkd_exec_31_0) true) +(expandtypeattribute (llkd_prop_31_0) true) +(expandtypeattribute (lmkd_31_0) true) +(expandtypeattribute (lmkd_config_prop_31_0) true) +(expandtypeattribute (lmkd_exec_31_0) true) +(expandtypeattribute (lmkd_prop_31_0) true) +(expandtypeattribute (lmkd_socket_31_0) true) +(expandtypeattribute (location_service_31_0) true) +(expandtypeattribute (location_time_zone_manager_service_31_0) true) +(expandtypeattribute (lock_settings_service_31_0) true) +(expandtypeattribute (log_prop_31_0) true) +(expandtypeattribute (log_tag_prop_31_0) true) +(expandtypeattribute (logcat_exec_31_0) true) +(expandtypeattribute (logd_31_0) true) +(expandtypeattribute (logd_exec_31_0) true) +(expandtypeattribute (logd_prop_31_0) true) +(expandtypeattribute (logd_socket_31_0) true) +(expandtypeattribute (logdr_socket_31_0) true) +(expandtypeattribute (logdw_socket_31_0) true) +(expandtypeattribute (logpersist_31_0) true) +(expandtypeattribute (logpersistd_logging_prop_31_0) true) +(expandtypeattribute (loop_control_device_31_0) true) +(expandtypeattribute (loop_device_31_0) true) +(expandtypeattribute (looper_stats_service_31_0) true) +(expandtypeattribute 
(lowpan_device_31_0) true) +(expandtypeattribute (lowpan_prop_31_0) true) +(expandtypeattribute (lowpan_service_31_0) true) +(expandtypeattribute (lpdump_service_31_0) true) +(expandtypeattribute (lpdumpd_prop_31_0) true) +(expandtypeattribute (mac_perms_file_31_0) true) +(expandtypeattribute (mdns_socket_31_0) true) +(expandtypeattribute (mdnsd_31_0) true) +(expandtypeattribute (mdnsd_socket_31_0) true) +(expandtypeattribute (media_communication_service_31_0) true) +(expandtypeattribute (media_config_prop_31_0) true) +(expandtypeattribute (media_data_file_31_0) true) +(expandtypeattribute (media_metrics_service_31_0) true) +(expandtypeattribute (media_projection_service_31_0) true) +(expandtypeattribute (media_router_service_31_0) true) +(expandtypeattribute (media_rw_data_file_31_0) true) +(expandtypeattribute (media_session_service_31_0) true) +(expandtypeattribute (media_variant_prop_31_0) true) +(expandtypeattribute (mediadrm_config_prop_31_0) true) +(expandtypeattribute (mediadrmserver_31_0) true) +(expandtypeattribute (mediadrmserver_exec_31_0) true) +(expandtypeattribute (mediadrmserver_service_31_0) true) +(expandtypeattribute (mediaextractor_31_0) true) +(expandtypeattribute (mediaextractor_exec_31_0) true) +(expandtypeattribute (mediaextractor_service_31_0) true) +(expandtypeattribute (mediaextractor_tmpfs_31_0) true) +(expandtypeattribute (mediametrics_31_0) true) +(expandtypeattribute (mediametrics_exec_31_0) true) +(expandtypeattribute (mediametrics_service_31_0) true) +(expandtypeattribute (mediaprovider_31_0) true) +(expandtypeattribute (mediaserver_31_0) true) +(expandtypeattribute (mediaserver_exec_31_0) true) +(expandtypeattribute (mediaserver_service_31_0) true) +(expandtypeattribute (mediaserver_tmpfs_31_0) true) +(expandtypeattribute (mediaswcodec_31_0) true) +(expandtypeattribute (mediaswcodec_exec_31_0) true) +(expandtypeattribute (mediatranscoding_service_31_0) true) +(expandtypeattribute (meminfo_service_31_0) true) +(expandtypeattribute 
(memtrackproxy_service_31_0) true) +(expandtypeattribute (metadata_block_device_31_0) true) +(expandtypeattribute (metadata_bootstat_file_31_0) true) +(expandtypeattribute (metadata_file_31_0) true) +(expandtypeattribute (method_trace_data_file_31_0) true) +(expandtypeattribute (midi_service_31_0) true) +(expandtypeattribute (mirror_data_file_31_0) true) +(expandtypeattribute (misc_block_device_31_0) true) +(expandtypeattribute (misc_logd_file_31_0) true) +(expandtypeattribute (misc_user_data_file_31_0) true) +(expandtypeattribute (mm_events_config_prop_31_0) true) +(expandtypeattribute (mmc_prop_31_0) true) +(expandtypeattribute (mnt_expand_file_31_0) true) +(expandtypeattribute (mnt_media_rw_file_31_0) true) +(expandtypeattribute (mnt_media_rw_stub_file_31_0) true) +(expandtypeattribute (mnt_pass_through_file_31_0) true) +(expandtypeattribute (mnt_product_file_31_0) true) +(expandtypeattribute (mnt_sdcard_file_31_0) true) +(expandtypeattribute (mnt_user_file_31_0) true) +(expandtypeattribute (mnt_vendor_file_31_0) true) +(expandtypeattribute (mock_ota_prop_31_0) true) +(expandtypeattribute (modprobe_31_0) true) +(expandtypeattribute (module_sdkextensions_prop_31_0) true) +(expandtypeattribute (mount_service_31_0) true) +(expandtypeattribute (mqueue_31_0) true) +(expandtypeattribute (mtp_31_0) true) +(expandtypeattribute (mtp_device_31_0) true) +(expandtypeattribute (mtp_exec_31_0) true) +(expandtypeattribute (mtpd_socket_31_0) true) +(expandtypeattribute (music_recognition_service_31_0) true) +(expandtypeattribute (nativetest_data_file_31_0) true) +(expandtypeattribute (net_data_file_31_0) true) +(expandtypeattribute (net_dns_prop_31_0) true) +(expandtypeattribute (net_radio_prop_31_0) true) +(expandtypeattribute (netd_31_0) true) +(expandtypeattribute (netd_exec_31_0) true) +(expandtypeattribute (netd_listener_service_31_0) true) +(expandtypeattribute (netd_service_31_0) true) +(expandtypeattribute (netif_31_0) true) +(expandtypeattribute 
(netpolicy_service_31_0) true) +(expandtypeattribute (netstats_service_31_0) true) +(expandtypeattribute (netutils_wrapper_31_0) true) +(expandtypeattribute (netutils_wrapper_exec_31_0) true) +(expandtypeattribute (network_management_service_31_0) true) +(expandtypeattribute (network_score_service_31_0) true) +(expandtypeattribute (network_stack_31_0) true) +(expandtypeattribute (network_stack_service_31_0) true) +(expandtypeattribute (network_time_update_service_31_0) true) +(expandtypeattribute (network_watchlist_data_file_31_0) true) +(expandtypeattribute (network_watchlist_service_31_0) true) +(expandtypeattribute (nfc_31_0) true) +(expandtypeattribute (nfc_data_file_31_0) true) +(expandtypeattribute (nfc_device_31_0) true) +(expandtypeattribute (nfc_logs_data_file_31_0) true) +(expandtypeattribute (nfc_prop_31_0) true) +(expandtypeattribute (nfc_service_31_0) true) +(expandtypeattribute (nnapi_ext_deny_product_prop_31_0) true) +(expandtypeattribute (node_31_0) true) +(expandtypeattribute (nonplat_service_contexts_file_31_0) true) +(expandtypeattribute (notification_service_31_0) true) +(expandtypeattribute (null_device_31_0) true) +(expandtypeattribute (oem_lock_service_31_0) true) +(expandtypeattribute (oem_unlock_prop_31_0) true) +(expandtypeattribute (oemfs_31_0) true) +(expandtypeattribute (ota_data_file_31_0) true) +(expandtypeattribute (ota_metadata_file_31_0) true) +(expandtypeattribute (ota_package_file_31_0) true) +(expandtypeattribute (ota_prop_31_0) true) +(expandtypeattribute (otadexopt_service_31_0) true) +(expandtypeattribute (otapreopt_chroot_31_0) true) +(expandtypeattribute (overlay_prop_31_0) true) +(expandtypeattribute (overlay_service_31_0) true) +(expandtypeattribute (overlayfs_file_31_0) true) +(expandtypeattribute (owntty_device_31_0) true) +(expandtypeattribute (pac_proxy_service_31_0) true) +(expandtypeattribute (package_native_service_31_0) true) +(expandtypeattribute (package_service_31_0) true) +(expandtypeattribute 
(packagemanager_config_prop_31_0) true) +(expandtypeattribute (packages_list_file_31_0) true) +(expandtypeattribute (pan_result_prop_31_0) true) +(expandtypeattribute (password_slot_metadata_file_31_0) true) +(expandtypeattribute (pdx_bufferhub_client_channel_socket_31_0) true) +(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_bufferhub_dir_31_0) true) +(expandtypeattribute (pdx_display_client_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_client_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_display_dir_31_0) true) +(expandtypeattribute (pdx_display_manager_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_manager_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_display_screenshot_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_screenshot_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_display_vsync_channel_socket_31_0) true) +(expandtypeattribute (pdx_display_vsync_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_performance_client_channel_socket_31_0) true) +(expandtypeattribute (pdx_performance_client_endpoint_socket_31_0) true) +(expandtypeattribute (pdx_performance_dir_31_0) true) +(expandtypeattribute (people_service_31_0) true) +(expandtypeattribute (perfetto_31_0) true) +(expandtypeattribute (performanced_31_0) true) +(expandtypeattribute (performanced_exec_31_0) true) +(expandtypeattribute (permission_checker_service_31_0) true) +(expandtypeattribute (permission_service_31_0) true) +(expandtypeattribute (permissionmgr_service_31_0) true) +(expandtypeattribute (persist_debug_prop_31_0) true) +(expandtypeattribute (persist_vendor_debug_wifi_prop_31_0) true) +(expandtypeattribute (persistent_data_block_service_31_0) true) +(expandtypeattribute (persistent_properties_ready_prop_31_0) true) +(expandtypeattribute (pinner_service_31_0) true) +(expandtypeattribute (pipefs_31_0) true) +(expandtypeattribute (platform_app_31_0) true) 
+(expandtypeattribute (platform_compat_service_31_0) true) +(expandtypeattribute (pmsg_device_31_0) true) +(expandtypeattribute (port_31_0) true) +(expandtypeattribute (port_device_31_0) true) +(expandtypeattribute (postinstall_31_0) true) +(expandtypeattribute (postinstall_apex_mnt_dir_31_0) true) +(expandtypeattribute (postinstall_file_31_0) true) +(expandtypeattribute (postinstall_mnt_dir_31_0) true) +(expandtypeattribute (power_debug_prop_31_0) true) +(expandtypeattribute (power_service_31_0) true) +(expandtypeattribute (powerctl_prop_31_0) true) +(expandtypeattribute (powerstats_service_31_0) true) +(expandtypeattribute (ppp_31_0) true) +(expandtypeattribute (ppp_device_31_0) true) +(expandtypeattribute (ppp_exec_31_0) true) +(expandtypeattribute (preloads_data_file_31_0) true) +(expandtypeattribute (preloads_media_file_31_0) true) +(expandtypeattribute (prereboot_data_file_31_0) true) +(expandtypeattribute (print_service_31_0) true) +(expandtypeattribute (priv_app_31_0) true) +(expandtypeattribute (privapp_data_file_31_0) true) +(expandtypeattribute (proc_31_0) true) +(expandtypeattribute (proc_abi_31_0) true) +(expandtypeattribute (proc_asound_31_0) true) +(expandtypeattribute (proc_bluetooth_writable_31_0) true) +(expandtypeattribute (proc_bootconfig_31_0) true) +(expandtypeattribute (proc_buddyinfo_31_0) true) +(expandtypeattribute (proc_cmdline_31_0) true) +(expandtypeattribute (proc_cpuinfo_31_0) true) +(expandtypeattribute (proc_dirty_31_0) true) +(expandtypeattribute (proc_diskstats_31_0) true) +(expandtypeattribute (proc_drop_caches_31_0) true) +(expandtypeattribute (proc_extra_free_kbytes_31_0) true) +(expandtypeattribute (proc_filesystems_31_0) true) +(expandtypeattribute (proc_fs_verity_31_0) true) +(expandtypeattribute (proc_hostname_31_0) true) +(expandtypeattribute (proc_hung_task_31_0) true) +(expandtypeattribute (proc_interrupts_31_0) true) +(expandtypeattribute (proc_iomem_31_0) true) +(expandtypeattribute (proc_kallsyms_31_0) true) 
+(expandtypeattribute (proc_keys_31_0) true) +(expandtypeattribute (proc_kmsg_31_0) true) +(expandtypeattribute (proc_kpageflags_31_0) true) +(expandtypeattribute (proc_loadavg_31_0) true) +(expandtypeattribute (proc_locks_31_0) true) +(expandtypeattribute (proc_lowmemorykiller_31_0) true) +(expandtypeattribute (proc_max_map_count_31_0) true) +(expandtypeattribute (proc_meminfo_31_0) true) +(expandtypeattribute (proc_min_free_order_shift_31_0) true) +(expandtypeattribute (proc_misc_31_0) true) +(expandtypeattribute (proc_modules_31_0) true) +(expandtypeattribute (proc_mounts_31_0) true) +(expandtypeattribute (proc_net_31_0) true) +(expandtypeattribute (proc_net_tcp_udp_31_0) true) +(expandtypeattribute (proc_overcommit_memory_31_0) true) +(expandtypeattribute (proc_page_cluster_31_0) true) +(expandtypeattribute (proc_pagetypeinfo_31_0) true) +(expandtypeattribute (proc_panic_31_0) true) +(expandtypeattribute (proc_perf_31_0) true) +(expandtypeattribute (proc_pid_max_31_0) true) +(expandtypeattribute (proc_pipe_conf_31_0) true) +(expandtypeattribute (proc_pressure_cpu_31_0) true) +(expandtypeattribute (proc_pressure_io_31_0) true) +(expandtypeattribute (proc_pressure_mem_31_0) true) +(expandtypeattribute (proc_qtaguid_ctrl_31_0) true) +(expandtypeattribute (proc_qtaguid_stat_31_0) true) +(expandtypeattribute (proc_random_31_0) true) +(expandtypeattribute (proc_sched_31_0) true) +(expandtypeattribute (proc_security_31_0) true) +(expandtypeattribute (proc_slabinfo_31_0) true) +(expandtypeattribute (proc_stat_31_0) true) +(expandtypeattribute (proc_swaps_31_0) true) +(expandtypeattribute (proc_sysrq_31_0) true) +(expandtypeattribute (proc_timer_31_0) true) +(expandtypeattribute (proc_tty_drivers_31_0) true) +(expandtypeattribute (proc_uid_concurrent_active_time_31_0) true) +(expandtypeattribute (proc_uid_concurrent_policy_time_31_0) true) +(expandtypeattribute (proc_uid_cpupower_31_0) true) +(expandtypeattribute (proc_uid_cputime_removeuid_31_0) true) 
+(expandtypeattribute (proc_uid_cputime_showstat_31_0) true) +(expandtypeattribute (proc_uid_io_stats_31_0) true) +(expandtypeattribute (proc_uid_procstat_set_31_0) true) +(expandtypeattribute (proc_uid_time_in_state_31_0) true) +(expandtypeattribute (proc_uptime_31_0) true) +(expandtypeattribute (proc_vendor_sched_31_0) true) +(expandtypeattribute (proc_version_31_0) true) +(expandtypeattribute (proc_vmallocinfo_31_0) true) +(expandtypeattribute (proc_vmstat_31_0) true) +(expandtypeattribute (proc_zoneinfo_31_0) true) +(expandtypeattribute (processinfo_service_31_0) true) +(expandtypeattribute (procstats_service_31_0) true) +(expandtypeattribute (profman_31_0) true) +(expandtypeattribute (profman_dump_data_file_31_0) true) +(expandtypeattribute (profman_exec_31_0) true) +(expandtypeattribute (properties_device_31_0) true) +(expandtypeattribute (properties_serial_31_0) true) +(expandtypeattribute (property_contexts_file_31_0) true) +(expandtypeattribute (property_data_file_31_0) true) +(expandtypeattribute (property_info_31_0) true) +(expandtypeattribute (property_service_version_prop_31_0) true) +(expandtypeattribute (property_socket_31_0) true) +(expandtypeattribute (provisioned_prop_31_0) true) +(expandtypeattribute (pstorefs_31_0) true) +(expandtypeattribute (ptmx_device_31_0) true) +(expandtypeattribute (qemu_hw_prop_31_0) true) +(expandtypeattribute (qemu_sf_lcd_density_prop_31_0) true) +(expandtypeattribute (qtaguid_device_31_0) true) +(expandtypeattribute (racoon_31_0) true) +(expandtypeattribute (racoon_exec_31_0) true) +(expandtypeattribute (racoon_socket_31_0) true) +(expandtypeattribute (radio_31_0) true) +(expandtypeattribute (radio_control_prop_31_0) true) +(expandtypeattribute (radio_core_data_file_31_0) true) +(expandtypeattribute (radio_data_file_31_0) true) +(expandtypeattribute (radio_device_31_0) true) +(expandtypeattribute (radio_prop_31_0) true) +(expandtypeattribute (radio_service_31_0) true) +(expandtypeattribute (ram_device_31_0) true) 
+(expandtypeattribute (random_device_31_0) true) +(expandtypeattribute (reboot_readiness_service_31_0) true) +(expandtypeattribute (rebootescrow_hal_prop_31_0) true) +(expandtypeattribute (recovery_31_0) true) +(expandtypeattribute (recovery_block_device_31_0) true) +(expandtypeattribute (recovery_config_prop_31_0) true) +(expandtypeattribute (recovery_data_file_31_0) true) +(expandtypeattribute (recovery_persist_31_0) true) +(expandtypeattribute (recovery_persist_exec_31_0) true) +(expandtypeattribute (recovery_refresh_31_0) true) +(expandtypeattribute (recovery_refresh_exec_31_0) true) +(expandtypeattribute (recovery_service_31_0) true) +(expandtypeattribute (recovery_socket_31_0) true) +(expandtypeattribute (registry_service_31_0) true) +(expandtypeattribute (remoteprovisioning_service_31_0) true) +(expandtypeattribute (resourcecache_data_file_31_0) true) +(expandtypeattribute (restorecon_prop_31_0) true) +(expandtypeattribute (restrictions_service_31_0) true) +(expandtypeattribute (retaildemo_prop_31_0) true) +(expandtypeattribute (rild_debug_socket_31_0) true) +(expandtypeattribute (rild_socket_31_0) true) +(expandtypeattribute (ringtone_file_31_0) true) +(expandtypeattribute (role_service_31_0) true) +(expandtypeattribute (rollback_service_31_0) true) +(expandtypeattribute (root_block_device_31_0) true) +(expandtypeattribute (rootfs_31_0) true) +(expandtypeattribute (rpmsg_device_31_0) true) +(expandtypeattribute (rs_31_0) true) +(expandtypeattribute (rs_exec_31_0) true) +(expandtypeattribute (rss_hwm_reset_31_0) true) +(expandtypeattribute (rtc_device_31_0) true) +(expandtypeattribute (rttmanager_service_31_0) true) +(expandtypeattribute (runas_31_0) true) +(expandtypeattribute (runas_app_31_0) true) +(expandtypeattribute (runas_exec_31_0) true) +(expandtypeattribute (runtime_event_log_tags_file_31_0) true) +(expandtypeattribute (runtime_service_31_0) true) +(expandtypeattribute (safemode_prop_31_0) true) +(expandtypeattribute (same_process_hal_file_31_0) 
true) +(expandtypeattribute (samplingprofiler_service_31_0) true) +(expandtypeattribute (scheduling_policy_service_31_0) true) +(expandtypeattribute (sdcard_block_device_31_0) true) +(expandtypeattribute (sdcardd_31_0) true) +(expandtypeattribute (sdcardd_exec_31_0) true) +(expandtypeattribute (sdcardfs_31_0) true) +(expandtypeattribute (seapp_contexts_file_31_0) true) +(expandtypeattribute (search_service_31_0) true) +(expandtypeattribute (search_ui_service_31_0) true) +(expandtypeattribute (sec_key_att_app_id_provider_service_31_0) true) +(expandtypeattribute (secure_element_31_0) true) +(expandtypeattribute (secure_element_device_31_0) true) +(expandtypeattribute (secure_element_service_31_0) true) +(expandtypeattribute (securityfs_31_0) true) +(expandtypeattribute (selinuxfs_31_0) true) +(expandtypeattribute (sendbug_config_prop_31_0) true) +(expandtypeattribute (sensor_privacy_service_31_0) true) +(expandtypeattribute (sensors_device_31_0) true) +(expandtypeattribute (sensorservice_service_31_0) true) +(expandtypeattribute (sepolicy_file_31_0) true) +(expandtypeattribute (serial_device_31_0) true) +(expandtypeattribute (serial_service_31_0) true) +(expandtypeattribute (serialno_prop_31_0) true) +(expandtypeattribute (server_configurable_flags_data_file_31_0) true) +(expandtypeattribute (service_contexts_file_31_0) true) +(expandtypeattribute (service_manager_service_31_0) true) +(expandtypeattribute (service_manager_vndservice_31_0) true) +(expandtypeattribute (servicediscovery_service_31_0) true) +(expandtypeattribute (servicemanager_31_0) true) +(expandtypeattribute (servicemanager_exec_31_0) true) +(expandtypeattribute (settings_service_31_0) true) +(expandtypeattribute (sgdisk_31_0) true) +(expandtypeattribute (sgdisk_exec_31_0) true) +(expandtypeattribute (shared_relro_31_0) true) +(expandtypeattribute (shared_relro_file_31_0) true) +(expandtypeattribute (shell_31_0) true) +(expandtypeattribute (shell_data_file_31_0) true) +(expandtypeattribute 
(shell_exec_31_0) true) +(expandtypeattribute (shell_prop_31_0) true) +(expandtypeattribute (shell_test_data_file_31_0) true) +(expandtypeattribute (shm_31_0) true) +(expandtypeattribute (shortcut_manager_icons_31_0) true) +(expandtypeattribute (shortcut_service_31_0) true) +(expandtypeattribute (simpleperf_31_0) true) +(expandtypeattribute (simpleperf_app_runner_31_0) true) +(expandtypeattribute (simpleperf_app_runner_exec_31_0) true) +(expandtypeattribute (slice_service_31_0) true) +(expandtypeattribute (slideshow_31_0) true) +(expandtypeattribute (smartspace_service_31_0) true) +(expandtypeattribute (snapshotctl_log_data_file_31_0) true) +(expandtypeattribute (snapuserd_socket_31_0) true) +(expandtypeattribute (soc_prop_31_0) true) +(expandtypeattribute (socket_device_31_0) true) +(expandtypeattribute (socket_hook_prop_31_0) true) +(expandtypeattribute (sockfs_31_0) true) +(expandtypeattribute (sota_prop_31_0) true) +(expandtypeattribute (soundtrigger_middleware_service_31_0) true) +(expandtypeattribute (speech_recognition_service_31_0) true) +(expandtypeattribute (sqlite_log_prop_31_0) true) +(expandtypeattribute (staged_install_file_31_0) true) +(expandtypeattribute (staging_data_file_31_0) true) +(expandtypeattribute (stats_data_file_31_0) true) +(expandtypeattribute (statsd_31_0) true) +(expandtypeattribute (statsd_exec_31_0) true) +(expandtypeattribute (statsdw_socket_31_0) true) +(expandtypeattribute (statusbar_service_31_0) true) +(expandtypeattribute (storage_config_prop_31_0) true) +(expandtypeattribute (storage_file_31_0) true) +(expandtypeattribute (storage_stub_file_31_0) true) +(expandtypeattribute (storaged_service_31_0) true) +(expandtypeattribute (storagemanager_config_prop_31_0) true) +(expandtypeattribute (storagestats_service_31_0) true) +(expandtypeattribute (su_31_0) true) +(expandtypeattribute (su_exec_31_0) true) +(expandtypeattribute (super_block_device_31_0) true) +(expandtypeattribute (surfaceflinger_31_0) true) +(expandtypeattribute 
(surfaceflinger_color_prop_31_0) true) +(expandtypeattribute (surfaceflinger_display_prop_31_0) true) +(expandtypeattribute (surfaceflinger_prop_31_0) true) +(expandtypeattribute (surfaceflinger_service_31_0) true) +(expandtypeattribute (surfaceflinger_tmpfs_31_0) true) +(expandtypeattribute (suspend_prop_31_0) true) +(expandtypeattribute (swap_block_device_31_0) true) +(expandtypeattribute (sysfs_31_0) true) +(expandtypeattribute (sysfs_android_usb_31_0) true) +(expandtypeattribute (sysfs_batteryinfo_31_0) true) +(expandtypeattribute (sysfs_block_31_0) true) +(expandtypeattribute (sysfs_bluetooth_writable_31_0) true) +(expandtypeattribute (sysfs_devfreq_cur_31_0) true) +(expandtypeattribute (sysfs_devfreq_dir_31_0) true) +(expandtypeattribute (sysfs_devices_block_31_0) true) +(expandtypeattribute (sysfs_devices_cs_etm_31_0) true) +(expandtypeattribute (sysfs_devices_system_cpu_31_0) true) +(expandtypeattribute (sysfs_dm_31_0) true) +(expandtypeattribute (sysfs_dm_verity_31_0) true) +(expandtypeattribute (sysfs_dma_heap_31_0) true) +(expandtypeattribute (sysfs_dmabuf_stats_31_0) true) +(expandtypeattribute (sysfs_dt_firmware_android_31_0) true) +(expandtypeattribute (sysfs_extcon_31_0) true) +(expandtypeattribute (sysfs_fs_ext4_features_31_0) true) +(expandtypeattribute (sysfs_fs_f2fs_31_0) true) +(expandtypeattribute (sysfs_fs_incfs_features_31_0) true) +(expandtypeattribute (sysfs_fs_incfs_metrics_31_0) true) +(expandtypeattribute (sysfs_hwrandom_31_0) true) +(expandtypeattribute (sysfs_ion_31_0) true) +(expandtypeattribute (sysfs_ipv4_31_0) true) +(expandtypeattribute (sysfs_kernel_notes_31_0) true) +(expandtypeattribute (sysfs_leds_31_0) true) +(expandtypeattribute (sysfs_loop_31_0) true) +(expandtypeattribute (sysfs_lowmemorykiller_31_0) true) +(expandtypeattribute (sysfs_net_31_0) true) +(expandtypeattribute (sysfs_nfc_power_writable_31_0) true) +(expandtypeattribute (sysfs_power_31_0) true) +(expandtypeattribute (sysfs_rtc_31_0) true) +(expandtypeattribute 
(sysfs_suspend_stats_31_0) true) +(expandtypeattribute (sysfs_switch_31_0) true) +(expandtypeattribute (sysfs_thermal_31_0) true) +(expandtypeattribute (sysfs_transparent_hugepage_31_0) true) +(expandtypeattribute (sysfs_uhid_31_0) true) +(expandtypeattribute (sysfs_uio_31_0) true) +(expandtypeattribute (sysfs_usb_31_0) true) +(expandtypeattribute (sysfs_usermodehelper_31_0) true) +(expandtypeattribute (sysfs_vendor_sched_31_0) true) +(expandtypeattribute (sysfs_vibrator_31_0) true) +(expandtypeattribute (sysfs_wake_lock_31_0) true) +(expandtypeattribute (sysfs_wakeup_31_0) true) +(expandtypeattribute (sysfs_wakeup_reasons_31_0) true) +(expandtypeattribute (sysfs_wlan_fwpath_31_0) true) +(expandtypeattribute (sysfs_zram_31_0) true) +(expandtypeattribute (sysfs_zram_uevent_31_0) true) +(expandtypeattribute (system_app_31_0) true) +(expandtypeattribute (system_app_data_file_31_0) true) +(expandtypeattribute (system_app_service_31_0) true) +(expandtypeattribute (system_asan_options_file_31_0) true) +(expandtypeattribute (system_block_device_31_0) true) +(expandtypeattribute (system_boot_reason_prop_31_0) true) +(expandtypeattribute (system_bootstrap_lib_file_31_0) true) +(expandtypeattribute (system_config_service_31_0) true) +(expandtypeattribute (system_data_file_31_0) true) +(expandtypeattribute (system_data_root_file_31_0) true) +(expandtypeattribute (system_event_log_tags_file_31_0) true) +(expandtypeattribute (system_file_31_0) true) +(expandtypeattribute (system_group_file_31_0) true) +(expandtypeattribute (system_jvmti_agent_prop_31_0) true) +(expandtypeattribute (system_lib_file_31_0) true) +(expandtypeattribute (system_linker_config_file_31_0) true) +(expandtypeattribute (system_linker_exec_31_0) true) +(expandtypeattribute (system_lmk_prop_31_0) true) +(expandtypeattribute (system_ndebug_socket_31_0) true) +(expandtypeattribute (system_net_netd_hwservice_31_0) true) +(expandtypeattribute (system_passwd_file_31_0) true) +(expandtypeattribute 
(system_prop_31_0) true) +(expandtypeattribute (system_seccomp_policy_file_31_0) true) +(expandtypeattribute (system_security_cacerts_file_31_0) true) +(expandtypeattribute (system_server_31_0) true) +(expandtypeattribute (system_server_dumper_service_31_0) true) +(expandtypeattribute (system_server_tmpfs_31_0) true) +(expandtypeattribute (system_suspend_control_internal_service_31_0) true) +(expandtypeattribute (system_suspend_control_service_31_0) true) +(expandtypeattribute (system_suspend_hwservice_31_0) true) +(expandtypeattribute (system_trace_prop_31_0) true) +(expandtypeattribute (system_unsolzygote_socket_31_0) true) +(expandtypeattribute (system_update_service_31_0) true) +(expandtypeattribute (system_wifi_keystore_hwservice_31_0) true) +(expandtypeattribute (system_wpa_socket_31_0) true) +(expandtypeattribute (system_zoneinfo_file_31_0) true) +(expandtypeattribute (systemkeys_data_file_31_0) true) +(expandtypeattribute (systemsound_config_prop_31_0) true) +(expandtypeattribute (task_profiles_api_file_31_0) true) +(expandtypeattribute (task_profiles_file_31_0) true) +(expandtypeattribute (task_service_31_0) true) +(expandtypeattribute (tcpdump_exec_31_0) true) +(expandtypeattribute (tee_31_0) true) +(expandtypeattribute (tee_data_file_31_0) true) +(expandtypeattribute (tee_device_31_0) true) +(expandtypeattribute (telecom_service_31_0) true) +(expandtypeattribute (telephony_config_prop_31_0) true) +(expandtypeattribute (telephony_status_prop_31_0) true) +(expandtypeattribute (test_boot_reason_prop_31_0) true) +(expandtypeattribute (test_harness_prop_31_0) true) +(expandtypeattribute (testharness_service_31_0) true) +(expandtypeattribute (tethering_service_31_0) true) +(expandtypeattribute (textclassification_service_31_0) true) +(expandtypeattribute (textclassifier_data_file_31_0) true) +(expandtypeattribute (textservices_service_31_0) true) +(expandtypeattribute (texttospeech_service_31_0) true) +(expandtypeattribute (theme_prop_31_0) true) 
+(expandtypeattribute (thermal_service_31_0) true) +(expandtypeattribute (time_prop_31_0) true) +(expandtypeattribute (timedetector_service_31_0) true) +(expandtypeattribute (timezone_service_31_0) true) +(expandtypeattribute (timezonedetector_service_31_0) true) +(expandtypeattribute (tmpfs_31_0) true) +(expandtypeattribute (tombstone_config_prop_31_0) true) +(expandtypeattribute (tombstone_data_file_31_0) true) +(expandtypeattribute (tombstone_wifi_data_file_31_0) true) +(expandtypeattribute (tombstoned_31_0) true) +(expandtypeattribute (tombstoned_crash_socket_31_0) true) +(expandtypeattribute (tombstoned_exec_31_0) true) +(expandtypeattribute (tombstoned_intercept_socket_31_0) true) +(expandtypeattribute (tombstoned_java_trace_socket_31_0) true) +(expandtypeattribute (toolbox_31_0) true) +(expandtypeattribute (toolbox_exec_31_0) true) +(expandtypeattribute (trace_data_file_31_0) true) +(expandtypeattribute (traced_31_0) true) +(expandtypeattribute (traced_consumer_socket_31_0) true) +(expandtypeattribute (traced_enabled_prop_31_0) true) +(expandtypeattribute (traced_lazy_prop_31_0) true) +(expandtypeattribute (traced_perf_31_0) true) +(expandtypeattribute (traced_perf_socket_31_0) true) +(expandtypeattribute (traced_probes_31_0) true) +(expandtypeattribute (traced_producer_socket_31_0) true) +(expandtypeattribute (traced_tmpfs_31_0) true) +(expandtypeattribute (traceur_app_31_0) true) +(expandtypeattribute (translation_service_31_0) true) +(expandtypeattribute (trust_service_31_0) true) +(expandtypeattribute (tty_device_31_0) true) +(expandtypeattribute (tun_device_31_0) true) +(expandtypeattribute (tv_input_service_31_0) true) +(expandtypeattribute (tv_tuner_resource_mgr_service_31_0) true) +(expandtypeattribute (tzdatacheck_31_0) true) +(expandtypeattribute (tzdatacheck_exec_31_0) true) +(expandtypeattribute (ueventd_31_0) true) +(expandtypeattribute (ueventd_tmpfs_31_0) true) +(expandtypeattribute (uhid_device_31_0) true) +(expandtypeattribute 
(uimode_service_31_0) true) +(expandtypeattribute (uio_device_31_0) true) +(expandtypeattribute (uncrypt_31_0) true) +(expandtypeattribute (uncrypt_exec_31_0) true) +(expandtypeattribute (uncrypt_socket_31_0) true) +(expandtypeattribute (unencrypted_data_file_31_0) true) +(expandtypeattribute (unlabeled_31_0) true) +(expandtypeattribute (untrusted_app_25_31_0) true) +(expandtypeattribute (untrusted_app_27_31_0) true) +(expandtypeattribute (untrusted_app_29_31_0) true) +(expandtypeattribute (untrusted_app_31_0) true) +(expandtypeattribute (update_engine_31_0) true) +(expandtypeattribute (update_engine_data_file_31_0) true) +(expandtypeattribute (update_engine_exec_31_0) true) +(expandtypeattribute (update_engine_log_data_file_31_0) true) +(expandtypeattribute (update_engine_service_31_0) true) +(expandtypeattribute (update_engine_stable_service_31_0) true) +(expandtypeattribute (update_verifier_31_0) true) +(expandtypeattribute (update_verifier_exec_31_0) true) +(expandtypeattribute (updatelock_service_31_0) true) +(expandtypeattribute (uri_grants_service_31_0) true) +(expandtypeattribute (usagestats_service_31_0) true) +(expandtypeattribute (usb_config_prop_31_0) true) +(expandtypeattribute (usb_control_prop_31_0) true) +(expandtypeattribute (usb_device_31_0) true) +(expandtypeattribute (usb_prop_31_0) true) +(expandtypeattribute (usb_serial_device_31_0) true) +(expandtypeattribute (usb_service_31_0) true) +(expandtypeattribute (usbaccessory_device_31_0) true) +(expandtypeattribute (usbd_31_0) true) +(expandtypeattribute (usbd_exec_31_0) true) +(expandtypeattribute (usbfs_31_0) true) +(expandtypeattribute (use_memfd_prop_31_0) true) +(expandtypeattribute (user_profile_data_file_31_0) true) +(expandtypeattribute (user_profile_root_file_31_0) true) +(expandtypeattribute (user_service_31_0) true) +(expandtypeattribute (userdata_block_device_31_0) true) +(expandtypeattribute (userdata_sysdev_31_0) true) +(expandtypeattribute (usermodehelper_31_0) true) 
+(expandtypeattribute (userspace_reboot_config_prop_31_0) true) +(expandtypeattribute (userspace_reboot_exported_prop_31_0) true) +(expandtypeattribute (userspace_reboot_metadata_file_31_0) true) +(expandtypeattribute (uwb_service_31_0) true) +(expandtypeattribute (vcn_management_service_31_0) true) +(expandtypeattribute (vd_device_31_0) true) +(expandtypeattribute (vdc_31_0) true) +(expandtypeattribute (vdc_exec_31_0) true) +(expandtypeattribute (vehicle_hal_prop_31_0) true) +(expandtypeattribute (vendor_apex_file_31_0) true) +(expandtypeattribute (vendor_app_file_31_0) true) +(expandtypeattribute (vendor_cgroup_desc_file_31_0) true) +(expandtypeattribute (vendor_configs_file_31_0) true) +(expandtypeattribute (vendor_data_file_31_0) true) +(expandtypeattribute (vendor_default_prop_31_0) true) +(expandtypeattribute (vendor_file_31_0) true) +(expandtypeattribute (vendor_framework_file_31_0) true) +(expandtypeattribute (vendor_hal_file_31_0) true) +(expandtypeattribute (vendor_idc_file_31_0) true) +(expandtypeattribute (vendor_init_31_0) true) +(expandtypeattribute (vendor_kernel_modules_31_0) true) +(expandtypeattribute (vendor_keychars_file_31_0) true) +(expandtypeattribute (vendor_keylayout_file_31_0) true) +(expandtypeattribute (vendor_misc_writer_31_0) true) +(expandtypeattribute (vendor_misc_writer_exec_31_0) true) +(expandtypeattribute (vendor_modprobe_31_0) true) +(expandtypeattribute (vendor_overlay_file_31_0) true) +(expandtypeattribute (vendor_public_framework_file_31_0) true) +(expandtypeattribute (vendor_public_lib_file_31_0) true) +(expandtypeattribute (vendor_security_patch_level_prop_31_0) true) +(expandtypeattribute (vendor_service_contexts_file_31_0) true) +(expandtypeattribute (vendor_shell_31_0) true) +(expandtypeattribute (vendor_shell_exec_31_0) true) +(expandtypeattribute (vendor_socket_hook_prop_31_0) true) +(expandtypeattribute (vendor_task_profiles_file_31_0) true) +(expandtypeattribute (vendor_toolbox_exec_31_0) true) +(expandtypeattribute 
(vfat_31_0) true) +(expandtypeattribute (vibrator_manager_service_31_0) true) +(expandtypeattribute (vibrator_service_31_0) true) +(expandtypeattribute (video_device_31_0) true) +(expandtypeattribute (virtual_ab_prop_31_0) true) +(expandtypeattribute (virtual_touchpad_31_0) true) +(expandtypeattribute (virtual_touchpad_exec_31_0) true) +(expandtypeattribute (virtual_touchpad_service_31_0) true) +(expandtypeattribute (virtualization_service_31_0) true) +(expandtypeattribute (vndbinder_device_31_0) true) +(expandtypeattribute (vndk_prop_31_0) true) +(expandtypeattribute (vndk_sp_file_31_0) true) +(expandtypeattribute (vndservice_contexts_file_31_0) true) +(expandtypeattribute (vndservicemanager_31_0) true) +(expandtypeattribute (voiceinteraction_service_31_0) true) +(expandtypeattribute (vold_31_0) true) +(expandtypeattribute (vold_config_prop_31_0) true) +(expandtypeattribute (vold_data_file_31_0) true) +(expandtypeattribute (vold_device_31_0) true) +(expandtypeattribute (vold_exec_31_0) true) +(expandtypeattribute (vold_metadata_file_31_0) true) +(expandtypeattribute (vold_post_fs_data_prop_31_0) true) +(expandtypeattribute (vold_prepare_subdirs_31_0) true) +(expandtypeattribute (vold_prepare_subdirs_exec_31_0) true) +(expandtypeattribute (vold_prop_31_0) true) +(expandtypeattribute (vold_service_31_0) true) +(expandtypeattribute (vold_status_prop_31_0) true) +(expandtypeattribute (vpn_data_file_31_0) true) +(expandtypeattribute (vpn_management_service_31_0) true) +(expandtypeattribute (vr_hwc_31_0) true) +(expandtypeattribute (vr_hwc_exec_31_0) true) +(expandtypeattribute (vr_hwc_service_31_0) true) +(expandtypeattribute (vr_manager_service_31_0) true) +(expandtypeattribute (vrflinger_vsync_service_31_0) true) +(expandtypeattribute (vts_config_prop_31_0) true) +(expandtypeattribute (vts_status_prop_31_0) true) +(expandtypeattribute (wallpaper_file_31_0) true) +(expandtypeattribute (wallpaper_service_31_0) true) +(expandtypeattribute (watchdog_device_31_0) true) 
+(expandtypeattribute (watchdog_metadata_file_31_0) true) +(expandtypeattribute (watchdogd_31_0) true) +(expandtypeattribute (watchdogd_exec_31_0) true) +(expandtypeattribute (webview_zygote_31_0) true) +(expandtypeattribute (webview_zygote_exec_31_0) true) +(expandtypeattribute (webview_zygote_tmpfs_31_0) true) +(expandtypeattribute (webviewupdate_service_31_0) true) +(expandtypeattribute (wifi_config_prop_31_0) true) +(expandtypeattribute (wifi_data_file_31_0) true) +(expandtypeattribute (wifi_hal_prop_31_0) true) +(expandtypeattribute (wifi_key_31_0) true) +(expandtypeattribute (wifi_log_prop_31_0) true) +(expandtypeattribute (wifi_prop_31_0) true) +(expandtypeattribute (wifi_service_31_0) true) +(expandtypeattribute (wifiaware_service_31_0) true) +(expandtypeattribute (wificond_31_0) true) +(expandtypeattribute (wificond_exec_31_0) true) +(expandtypeattribute (wifinl80211_service_31_0) true) +(expandtypeattribute (wifip2p_service_31_0) true) +(expandtypeattribute (wifiscanner_service_31_0) true) +(expandtypeattribute (window_service_31_0) true) +(expandtypeattribute (wpa_socket_31_0) true) +(expandtypeattribute (wpantund_31_0) true) +(expandtypeattribute (wpantund_exec_31_0) true) +(expandtypeattribute (wpantund_service_31_0) true) +(expandtypeattribute (zero_device_31_0) true) +(expandtypeattribute (zoneinfo_data_file_31_0) true) +(expandtypeattribute (zram_config_prop_31_0) true) +(expandtypeattribute (zram_control_prop_31_0) true) +(expandtypeattribute (zygote_31_0) true) +(expandtypeattribute (zygote_config_prop_31_0) true) +(expandtypeattribute (zygote_exec_31_0) true) +(expandtypeattribute (zygote_socket_31_0) true) +(expandtypeattribute (zygote_tmpfs_31_0) true) +(typeattributeset DockObserver_service_31_0 (DockObserver_service)) +(typeattributeset IProxyService_service_31_0 (IProxyService_service)) +(typeattributeset aac_drc_prop_31_0 (aac_drc_prop)) +(typeattributeset aaudio_config_prop_31_0 (aaudio_config_prop)) +(typeattributeset 
ab_update_gki_prop_31_0 (ab_update_gki_prop)) +(typeattributeset accessibility_service_31_0 (accessibility_service)) +(typeattributeset account_service_31_0 (account_service)) +(typeattributeset activity_service_31_0 (activity_service)) +(typeattributeset activity_task_service_31_0 (activity_task_service)) +(typeattributeset adb_data_file_31_0 (adb_data_file)) +(typeattributeset adb_keys_file_31_0 (adb_keys_file)) +(typeattributeset adb_service_31_0 (adb_service)) +(typeattributeset adbd_31_0 (adbd)) +(typeattributeset adbd_config_prop_31_0 (adbd_config_prop)) +(typeattributeset adbd_exec_31_0 (adbd_exec)) +(typeattributeset adbd_socket_31_0 (adbd_socket)) +(typeattributeset aidl_lazy_test_server_31_0 (aidl_lazy_test_server)) +(typeattributeset aidl_lazy_test_server_exec_31_0 (aidl_lazy_test_server_exec)) +(typeattributeset aidl_lazy_test_service_31_0 (aidl_lazy_test_service)) +(typeattributeset alarm_service_31_0 (alarm_service)) +(typeattributeset anr_data_file_31_0 (anr_data_file)) +(typeattributeset apc_service_31_0 (apc_service)) +(typeattributeset apex_appsearch_data_file_31_0 (apex_appsearch_data_file)) +(typeattributeset apex_data_file_31_0 (apex_data_file)) +(typeattributeset apex_info_file_31_0 (apex_info_file)) +(typeattributeset apex_metadata_file_31_0 (apex_metadata_file)) +(typeattributeset apex_mnt_dir_31_0 (apex_mnt_dir)) +(typeattributeset apex_module_data_file_31_0 (apex_module_data_file)) +(typeattributeset apex_ota_reserved_file_31_0 (apex_ota_reserved_file)) +(typeattributeset apex_permission_data_file_31_0 (apex_permission_data_file)) +(typeattributeset apex_rollback_data_file_31_0 (apex_rollback_data_file)) +(typeattributeset apex_scheduling_data_file_31_0 (apex_scheduling_data_file)) +(typeattributeset apex_service_31_0 (apex_service)) +(typeattributeset apex_wifi_data_file_31_0 (apex_wifi_data_file)) +(typeattributeset apexd_31_0 (apexd)) +(typeattributeset apexd_config_prop_31_0 (apexd_config_prop)) +(typeattributeset apexd_exec_31_0 
(apexd_exec)) +(typeattributeset apexd_prop_31_0 (apexd_prop)) +(typeattributeset apk_data_file_31_0 (apk_data_file)) +(typeattributeset apk_private_data_file_31_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_31_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_31_0 (apk_tmp_file)) +(typeattributeset apk_verity_prop_31_0 (apk_verity_prop)) +(typeattributeset app_binding_service_31_0 (app_binding_service)) +(typeattributeset app_data_file_31_0 (app_data_file)) +(typeattributeset app_fuse_file_31_0 (app_fuse_file)) +(typeattributeset app_fusefs_31_0 (app_fusefs)) +(typeattributeset app_hibernation_service_31_0 (app_hibernation_service)) +(typeattributeset app_integrity_service_31_0 (app_integrity_service)) +(typeattributeset app_prediction_service_31_0 (app_prediction_service)) +(typeattributeset app_search_service_31_0 (app_search_service)) +(typeattributeset app_zygote_31_0 (app_zygote)) +(typeattributeset app_zygote_tmpfs_31_0 (app_zygote_tmpfs)) +(typeattributeset appcompat_data_file_31_0 (appcompat_data_file)) +(typeattributeset appdomain_tmpfs_31_0 (appdomain_tmpfs)) +(typeattributeset appops_service_31_0 (appops_service)) +(typeattributeset appwidget_service_31_0 (appwidget_service)) +(typeattributeset arm64_memtag_prop_31_0 (arm64_memtag_prop)) +(typeattributeset art_apex_dir_31_0 (art_apex_dir)) +(typeattributeset asec_apk_file_31_0 (asec_apk_file)) +(typeattributeset asec_image_file_31_0 (asec_image_file)) +(typeattributeset asec_public_file_31_0 (asec_public_file)) +(typeattributeset ashmem_device_31_0 (ashmem_device)) +(typeattributeset ashmem_libcutils_device_31_0 (ashmem_libcutils_device)) +(typeattributeset assetatlas_service_31_0 (assetatlas_service)) +(typeattributeset atrace_31_0 (atrace)) +(typeattributeset audio_config_prop_31_0 (audio_config_prop)) +(typeattributeset audio_data_file_31_0 (audio_data_file)) +(typeattributeset audio_device_31_0 (audio_device)) +(typeattributeset audio_prop_31_0 (audio_prop)) 
+(typeattributeset audio_service_31_0 (audio_service)) +(typeattributeset audiohal_data_file_31_0 (audiohal_data_file)) +(typeattributeset audioserver_31_0 (audioserver)) +(typeattributeset audioserver_data_file_31_0 (audioserver_data_file)) +(typeattributeset audioserver_service_31_0 (audioserver_service)) +(typeattributeset audioserver_tmpfs_31_0 (audioserver_tmpfs)) +(typeattributeset auth_service_31_0 (auth_service)) +(typeattributeset authorization_service_31_0 (authorization_service)) +(typeattributeset autofill_service_31_0 (autofill_service)) +(typeattributeset backup_data_file_31_0 (backup_data_file)) +(typeattributeset backup_service_31_0 (backup_service)) +(typeattributeset battery_service_31_0 (battery_service)) +(typeattributeset batteryproperties_service_31_0 (batteryproperties_service)) +(typeattributeset batterystats_service_31_0 (batterystats_service)) +(typeattributeset binder_cache_bluetooth_server_prop_31_0 (binder_cache_bluetooth_server_prop)) +(typeattributeset binder_cache_system_server_prop_31_0 (binder_cache_system_server_prop)) +(typeattributeset binder_cache_telephony_server_prop_31_0 (binder_cache_telephony_server_prop)) +(typeattributeset binder_calls_stats_service_31_0 (binder_calls_stats_service)) +(typeattributeset binder_device_31_0 (binder_device)) +(typeattributeset binderfs_31_0 (binderfs)) +(typeattributeset binderfs_logs_31_0 (binderfs_logs)) +(typeattributeset binderfs_logs_proc_31_0 (binderfs_logs_proc)) +(typeattributeset binfmt_miscfs_31_0 (binfmt_miscfs)) +(typeattributeset biometric_service_31_0 (biometric_service)) +(typeattributeset blkid_31_0 (blkid)) +(typeattributeset blkid_untrusted_31_0 (blkid_untrusted)) +(typeattributeset blob_store_service_31_0 (blob_store_service)) +(typeattributeset block_device_31_0 (block_device)) +(typeattributeset bluetooth_31_0 (bluetooth)) +(typeattributeset bluetooth_a2dp_offload_prop_31_0 (bluetooth_a2dp_offload_prop)) +(typeattributeset bluetooth_audio_hal_prop_31_0 
(bluetooth_audio_hal_prop)) +(typeattributeset bluetooth_data_file_31_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_31_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_31_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_31_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_31_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_31_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_31_0 (bluetooth_socket)) +(typeattributeset boot_block_device_31_0 (boot_block_device)) +(typeattributeset boot_status_prop_31_0 (boot_status_prop)) +(typeattributeset bootanim_31_0 (bootanim)) +(typeattributeset bootanim_config_prop_31_0 (bootanim_config_prop)) +(typeattributeset bootanim_exec_31_0 (bootanim_exec)) +(typeattributeset bootanim_system_prop_31_0 (bootanim_system_prop)) +(typeattributeset bootchart_data_file_31_0 (bootchart_data_file)) +(typeattributeset bootloader_boot_reason_prop_31_0 (bootloader_boot_reason_prop)) +(typeattributeset bootloader_prop_31_0 (bootloader_prop)) +(typeattributeset bootstat_31_0 (bootstat)) +(typeattributeset bootstat_data_file_31_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_31_0 (bootstat_exec)) +(typeattributeset boottime_prop_31_0 (boottime_prop)) +(typeattributeset boottime_public_prop_31_0 (boottime_public_prop)) +(typeattributeset boottrace_data_file_31_0 (boottrace_data_file)) +(typeattributeset bpf_progs_loaded_prop_31_0 (bpf_progs_loaded_prop)) +(typeattributeset bq_config_prop_31_0 (bq_config_prop)) +(typeattributeset broadcastradio_service_31_0 (broadcastradio_service)) +(typeattributeset bufferhubd_31_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_31_0 (bufferhubd_exec)) +(typeattributeset bugreport_service_31_0 (bugreport_service)) +(typeattributeset build_bootimage_prop_31_0 (build_bootimage_prop)) +(typeattributeset build_config_prop_31_0 (build_config_prop)) +(typeattributeset build_odm_prop_31_0 (build_odm_prop)) 
+(typeattributeset build_prop_31_0 (build_prop)) +(typeattributeset build_vendor_prop_31_0 (build_vendor_prop)) +(typeattributeset cache_backup_file_31_0 (cache_backup_file)) +(typeattributeset cache_block_device_31_0 (cache_block_device)) +(typeattributeset cache_file_31_0 (cache_file)) +(typeattributeset cache_private_backup_file_31_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_31_0 (cache_recovery_file)) +(typeattributeset cacheinfo_service_31_0 (cacheinfo_service)) +(typeattributeset camera2_extensions_prop_31_0 (camera2_extensions_prop)) +(typeattributeset camera_calibration_prop_31_0 (camera_calibration_prop)) +(typeattributeset camera_config_prop_31_0 (camera_config_prop)) +(typeattributeset camera_data_file_31_0 (camera_data_file)) +(typeattributeset camera_device_31_0 (camera_device)) +(typeattributeset cameraproxy_service_31_0 (cameraproxy_service)) +(typeattributeset cameraserver_31_0 (cameraserver)) +(typeattributeset cameraserver_exec_31_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_31_0 (cameraserver_service)) +(typeattributeset cameraserver_tmpfs_31_0 (cameraserver_tmpfs)) +(typeattributeset camerax_extensions_prop_31_0 (camerax_extensions_prop)) +(typeattributeset cgroup_31_0 (cgroup)) +(typeattributeset cgroup_desc_api_file_31_0 (cgroup_desc_api_file)) +(typeattributeset cgroup_desc_file_31_0 (cgroup_desc_file)) +(typeattributeset cgroup_rc_file_31_0 (cgroup_rc_file)) +(typeattributeset cgroup_v2_31_0 (cgroup_v2)) +(typeattributeset charger_31_0 (charger)) +(typeattributeset charger_config_prop_31_0 (charger_config_prop)) +(typeattributeset charger_exec_31_0 (charger_exec)) +(typeattributeset charger_prop_31_0 (charger_prop)) +(typeattributeset charger_status_prop_31_0 (charger_status_prop)) +(typeattributeset clipboard_service_31_0 (clipboard_service)) +(typeattributeset codec2_config_prop_31_0 (codec2_config_prop)) +(typeattributeset cold_boot_done_prop_31_0 (cold_boot_done_prop)) +(typeattributeset 
color_display_service_31_0 (color_display_service)) +(typeattributeset companion_device_service_31_0 (companion_device_service)) +(typeattributeset config_prop_31_0 (config_prop)) +(typeattributeset configfs_31_0 (configfs)) +(typeattributeset connectivity_service_31_0 (connectivity_service)) +(typeattributeset connmetrics_service_31_0 (connmetrics_service)) +(typeattributeset console_device_31_0 (console_device)) +(typeattributeset consumer_ir_service_31_0 (consumer_ir_service)) +(typeattributeset content_capture_service_31_0 (content_capture_service)) +(typeattributeset content_service_31_0 (content_service)) +(typeattributeset content_suggestions_service_31_0 (content_suggestions_service)) +(typeattributeset contexthub_service_31_0 (contexthub_service)) +(typeattributeset coredump_file_31_0 (coredump_file)) +(typeattributeset country_detector_service_31_0 (country_detector_service)) +(typeattributeset coverage_service_31_0 (coverage_service)) +(typeattributeset cppreopt_prop_31_0 (cppreopt_prop)) +(typeattributeset cpu_variant_prop_31_0 (cpu_variant_prop)) +(typeattributeset cpuinfo_service_31_0 (cpuinfo_service)) +(typeattributeset crash_dump_31_0 (crash_dump)) +(typeattributeset crash_dump_exec_31_0 (crash_dump_exec)) +(typeattributeset credstore_31_0 (credstore)) +(typeattributeset credstore_data_file_31_0 (credstore_data_file)) +(typeattributeset credstore_exec_31_0 (credstore_exec)) +(typeattributeset credstore_service_31_0 (credstore_service)) +(typeattributeset crossprofileapps_service_31_0 (crossprofileapps_service)) +(typeattributeset ctl_adbd_prop_31_0 (ctl_adbd_prop)) +(typeattributeset ctl_apexd_prop_31_0 (ctl_apexd_prop)) +(typeattributeset ctl_bootanim_prop_31_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_31_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_31_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_31_0 (ctl_default_prop)) +(typeattributeset ctl_dumpstate_prop_31_0 (ctl_dumpstate_prop)) +(typeattributeset 
ctl_fuse_prop_31_0 (ctl_fuse_prop)) +(typeattributeset ctl_gsid_prop_31_0 (ctl_gsid_prop)) +(typeattributeset ctl_interface_restart_prop_31_0 (ctl_interface_restart_prop)) +(typeattributeset ctl_interface_start_prop_31_0 (ctl_interface_start_prop)) +(typeattributeset ctl_interface_stop_prop_31_0 (ctl_interface_stop_prop)) +(typeattributeset ctl_mdnsd_prop_31_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_restart_prop_31_0 (ctl_restart_prop)) +(typeattributeset ctl_rildaemon_prop_31_0 (ctl_rildaemon_prop)) +(typeattributeset ctl_sigstop_prop_31_0 (ctl_sigstop_prop)) +(typeattributeset ctl_start_prop_31_0 (ctl_start_prop)) +(typeattributeset ctl_stop_prop_31_0 (ctl_stop_prop)) +(typeattributeset dalvik_config_prop_31_0 (dalvik_config_prop)) +(typeattributeset dalvik_prop_31_0 (dalvik_prop)) +(typeattributeset dalvik_runtime_prop_31_0 (dalvik_runtime_prop)) +(typeattributeset dalvikcache_data_file_31_0 (dalvikcache_data_file)) +(typeattributeset dataloader_manager_service_31_0 (dataloader_manager_service)) +(typeattributeset dbinfo_service_31_0 (dbinfo_service)) +(typeattributeset dck_prop_31_0 (dck_prop)) +(typeattributeset debug_prop_31_0 (debug_prop)) +(typeattributeset debugfs_31_0 (debugfs)) +(typeattributeset debugfs_bootreceiver_tracing_31_0 (debugfs_bootreceiver_tracing)) +(typeattributeset debugfs_kprobes_31_0 (debugfs_kprobes)) +(typeattributeset debugfs_mm_events_tracing_31_0 (debugfs_mm_events_tracing)) +(typeattributeset debugfs_mmc_31_0 (debugfs_mmc)) +(typeattributeset debugfs_restriction_prop_31_0 (debugfs_restriction_prop)) +(typeattributeset debugfs_trace_marker_31_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_31_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_debug_31_0 (debugfs_tracing_debug)) +(typeattributeset debugfs_tracing_instances_31_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_tracing_printk_formats_31_0 (debugfs_tracing_printk_formats)) +(typeattributeset debugfs_wakeup_sources_31_0 (debugfs_wakeup_sources)) 
+(typeattributeset debugfs_wifi_tracing_31_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_31_0 (debuggerd_prop)) +(typeattributeset default_android_hwservice_31_0 (default_android_hwservice)) +(typeattributeset default_android_service_31_0 (default_android_service)) +(typeattributeset default_android_vndservice_31_0 (default_android_vndservice)) +(typeattributeset default_prop_31_0 (default_prop)) +(typeattributeset dev_cpu_variant_31_0 (dev_cpu_variant)) +(typeattributeset device_31_0 (device)) +(typeattributeset device_config_activity_manager_native_boot_prop_31_0 (device_config_activity_manager_native_boot_prop)) +(typeattributeset device_config_boot_count_prop_31_0 (device_config_boot_count_prop)) +(typeattributeset device_config_input_native_boot_prop_31_0 (device_config_input_native_boot_prop)) +(typeattributeset device_config_media_native_prop_31_0 (device_config_media_native_prop)) +(typeattributeset device_config_netd_native_prop_31_0 (device_config_netd_native_prop)) +(typeattributeset device_config_reset_performed_prop_31_0 (device_config_reset_performed_prop)) +(typeattributeset device_config_runtime_native_boot_prop_31_0 (device_config_runtime_native_boot_prop)) +(typeattributeset device_config_runtime_native_prop_31_0 (device_config_runtime_native_prop)) +(typeattributeset device_config_service_31_0 (device_config_service)) +(typeattributeset device_identifiers_service_31_0 (device_identifiers_service)) +(typeattributeset device_logging_prop_31_0 (device_logging_prop)) +(typeattributeset device_policy_service_31_0 (device_policy_service)) +(typeattributeset device_state_service_31_0 (device_state_service)) +(typeattributeset deviceidle_service_31_0 (deviceidle_service)) +(typeattributeset devicestoragemonitor_service_31_0 (devicestoragemonitor_service)) +(typeattributeset devpts_31_0 (devpts)) +(typeattributeset dhcp_31_0 (dhcp)) +(typeattributeset dhcp_data_file_31_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_31_0 (dhcp_exec)) 
+(typeattributeset dhcp_prop_31_0 (dhcp_prop)) +(typeattributeset diskstats_service_31_0 (diskstats_service)) +(typeattributeset display_service_31_0 (display_service)) +(typeattributeset dm_device_31_0 (dm_device)) +(typeattributeset dm_user_device_31_0 (dm_user_device)) +(typeattributeset dmabuf_heap_device_31_0 (dmabuf_heap_device)) +(typeattributeset dmabuf_system_heap_device_31_0 (dmabuf_system_heap_device)) +(typeattributeset dmabuf_system_secure_heap_device_31_0 (dmabuf_system_secure_heap_device)) +(typeattributeset dnsmasq_31_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_31_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_31_0 (dnsproxyd_socket)) +(typeattributeset dnsresolver_service_31_0 (dnsresolver_service)) +(typeattributeset domain_verification_service_31_0 (domain_verification_service)) +(typeattributeset dreams_service_31_0 (dreams_service)) +(typeattributeset drm_data_file_31_0 (drm_data_file)) +(typeattributeset drm_service_config_prop_31_0 (drm_service_config_prop)) +(typeattributeset drmserver_31_0 (drmserver)) +(typeattributeset drmserver_exec_31_0 (drmserver_exec)) +(typeattributeset drmserver_service_31_0 (drmserver_service)) +(typeattributeset drmserver_socket_31_0 (drmserver_socket)) +(typeattributeset dropbox_data_file_31_0 (dropbox_data_file)) +(typeattributeset dropbox_service_31_0 (dropbox_service)) +(typeattributeset dumpstate_31_0 (dumpstate)) +(typeattributeset dumpstate_exec_31_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_31_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_31_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_31_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_31_0 (dumpstate_socket)) +(typeattributeset dynamic_system_prop_31_0 (dynamic_system_prop)) +(typeattributeset e2fs_31_0 (e2fs)) +(typeattributeset e2fs_exec_31_0 (e2fs_exec)) +(typeattributeset efs_file_31_0 (efs_file)) +(typeattributeset emergency_affordance_service_31_0 (emergency_affordance_service)) 
+(typeattributeset ephemeral_app_31_0 (ephemeral_app)) +(typeattributeset ethernet_service_31_0 (ethernet_service)) +(typeattributeset exfat_31_0 (exfat)) +(typeattributeset exported3_system_prop_31_0 (exported3_system_prop)) +(typeattributeset exported_bluetooth_prop_31_0 (exported_bluetooth_prop)) +(typeattributeset exported_camera_prop_31_0 (exported_camera_prop)) +(typeattributeset exported_config_prop_31_0 (exported_config_prop)) +(typeattributeset exported_default_prop_31_0 (exported_default_prop)) +(typeattributeset exported_dumpstate_prop_31_0 (exported_dumpstate_prop)) +(typeattributeset exported_overlay_prop_31_0 (exported_overlay_prop)) +(typeattributeset exported_pm_prop_31_0 (exported_pm_prop)) +(typeattributeset exported_secure_prop_31_0 (exported_secure_prop)) +(typeattributeset exported_system_prop_31_0 (exported_system_prop)) +(typeattributeset external_vibrator_service_31_0 (external_vibrator_service)) +(typeattributeset face_service_31_0 (face_service)) +(typeattributeset face_vendor_data_file_31_0 (face_vendor_data_file)) +(typeattributeset fastbootd_31_0 (fastbootd)) +(typeattributeset ffs_config_prop_31_0 (ffs_config_prop)) +(typeattributeset ffs_control_prop_31_0 (ffs_control_prop)) +(typeattributeset file_contexts_file_31_0 (file_contexts_file)) +(typeattributeset file_integrity_service_31_0 (file_integrity_service)) +(typeattributeset fingerprint_prop_31_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_31_0 (fingerprint_service)) +(typeattributeset fingerprint_vendor_data_file_31_0 (fingerprint_vendor_data_file)) +(typeattributeset fingerprintd_31_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_31_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_31_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_31_0 (fingerprintd_service)) +(typeattributeset firstboot_prop_31_0 (firstboot_prop)) +(typeattributeset flags_health_check_31_0 (flags_health_check)) +(typeattributeset 
flags_health_check_exec_31_0 (flags_health_check_exec)) +(typeattributeset font_service_31_0 (font_service)) +(typeattributeset framework_watchdog_config_prop_31_0 (framework_watchdog_config_prop)) +(typeattributeset frp_block_device_31_0 (frp_block_device)) +(typeattributeset fs_bpf_31_0 (fs_bpf)) +(typeattributeset fs_bpf_tethering_31_0 (fs_bpf_tethering)) +(typeattributeset fsck_31_0 (fsck)) +(typeattributeset fsck_exec_31_0 (fsck_exec)) +(typeattributeset fsck_untrusted_31_0 (fsck_untrusted)) +(typeattributeset fscklogs_31_0 (fscklogs)) +(typeattributeset functionfs_31_0 (functionfs)) +(typeattributeset fuse_31_0 (fuse)) +(typeattributeset fuse_device_31_0 (fuse_device)) +(typeattributeset fusectlfs_31_0 (fusectlfs)) +(typeattributeset fwk_automotive_display_hwservice_31_0 (fwk_automotive_display_hwservice)) +(typeattributeset fwk_bufferhub_hwservice_31_0 (fwk_bufferhub_hwservice)) +(typeattributeset fwk_camera_hwservice_31_0 (fwk_camera_hwservice)) +(typeattributeset fwk_display_hwservice_31_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_31_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_31_0 (fwk_sensor_hwservice)) +(typeattributeset fwk_stats_hwservice_31_0 (fwk_stats_hwservice)) +(typeattributeset fwk_stats_service_31_0 (fwk_stats_service)) +(typeattributeset fwmarkd_socket_31_0 (fwmarkd_socket)) +(typeattributeset game_service_31_0 (game_service)) +(typeattributeset gatekeeper_data_file_31_0 (gatekeeper_data_file)) +(typeattributeset gatekeeper_service_31_0 (gatekeeper_service)) +(typeattributeset gatekeeperd_31_0 (gatekeeperd)) +(typeattributeset gatekeeperd_exec_31_0 (gatekeeperd_exec)) +(typeattributeset gfxinfo_service_31_0 (gfxinfo_service)) +(typeattributeset gmscore_app_31_0 (gmscore_app)) +(typeattributeset gnss_device_31_0 (gnss_device)) +(typeattributeset gnss_time_update_service_31_0 (gnss_time_update_service)) +(typeattributeset gps_control_31_0 (gps_control)) +(typeattributeset gpu_device_31_0 
(gpu_device)) +(typeattributeset gpu_service_31_0 (gpu_service)) +(typeattributeset gpuservice_31_0 (gpuservice)) +(typeattributeset graphics_config_prop_31_0 (graphics_config_prop)) +(typeattributeset graphics_device_31_0 (graphics_device)) +(typeattributeset graphicsstats_service_31_0 (graphicsstats_service)) +(typeattributeset gsi_data_file_31_0 (gsi_data_file)) +(typeattributeset gsi_metadata_file_31_0 (gsi_metadata_file)) +(typeattributeset gsi_public_metadata_file_31_0 (gsi_public_metadata_file)) +(typeattributeset hal_atrace_hwservice_31_0 (hal_atrace_hwservice)) +(typeattributeset hal_audio_hwservice_31_0 (hal_audio_hwservice)) +(typeattributeset hal_audio_service_31_0 (hal_audio_service)) +(typeattributeset hal_audiocontrol_hwservice_31_0 (hal_audiocontrol_hwservice)) +(typeattributeset hal_audiocontrol_service_31_0 (hal_audiocontrol_service)) +(typeattributeset hal_authsecret_hwservice_31_0 (hal_authsecret_hwservice)) +(typeattributeset hal_authsecret_service_31_0 (hal_authsecret_service)) +(typeattributeset hal_bluetooth_hwservice_31_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_31_0 (hal_bootctl_hwservice)) +(typeattributeset hal_broadcastradio_hwservice_31_0 (hal_broadcastradio_hwservice)) +(typeattributeset hal_camera_hwservice_31_0 (hal_camera_hwservice)) +(typeattributeset hal_can_bus_hwservice_31_0 (hal_can_bus_hwservice)) +(typeattributeset hal_can_controller_hwservice_31_0 (hal_can_controller_hwservice)) +(typeattributeset hal_cas_hwservice_31_0 (hal_cas_hwservice)) +(typeattributeset hal_codec2_hwservice_31_0 (hal_codec2_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_31_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_confirmationui_hwservice_31_0 (hal_confirmationui_hwservice)) +(typeattributeset hal_contexthub_hwservice_31_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_31_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_config_prop_31_0 
(hal_dumpstate_config_prop)) +(typeattributeset hal_dumpstate_hwservice_31_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_evs_hwservice_31_0 (hal_evs_hwservice)) +(typeattributeset hal_face_hwservice_31_0 (hal_face_hwservice)) +(typeattributeset hal_face_service_31_0 (hal_face_service)) +(typeattributeset hal_fingerprint_hwservice_31_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_31_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_31_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_31_0 (hal_gnss_hwservice)) +(typeattributeset hal_gnss_service_31_0 (hal_gnss_service)) +(typeattributeset hal_graphics_allocator_hwservice_31_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_31_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_composer_server_tmpfs_31_0 (hal_graphics_composer_server_tmpfs)) +(typeattributeset hal_graphics_mapper_hwservice_31_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_31_0 (hal_health_hwservice)) +(typeattributeset hal_health_storage_hwservice_31_0 (hal_health_storage_hwservice)) +(typeattributeset hal_health_storage_service_31_0 (hal_health_storage_service)) +(typeattributeset hal_identity_service_31_0 (hal_identity_service)) +(typeattributeset hal_input_classifier_hwservice_31_0 (hal_input_classifier_hwservice)) +(typeattributeset hal_instrumentation_prop_31_0 (hal_instrumentation_prop)) +(typeattributeset hal_ir_hwservice_31_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_31_0 (hal_keymaster_hwservice)) +(typeattributeset hal_keymint_service_31_0 (hal_keymint_service)) +(typeattributeset hal_light_hwservice_31_0 (hal_light_hwservice)) +(typeattributeset hal_light_service_31_0 (hal_light_service)) +(typeattributeset hal_lowpan_hwservice_31_0 (hal_lowpan_hwservice)) +(typeattributeset hal_memtrack_hwservice_31_0 (hal_memtrack_hwservice)) +(typeattributeset 
hal_memtrack_service_31_0 (hal_memtrack_service)) +(typeattributeset hal_neuralnetworks_hwservice_31_0 (hal_neuralnetworks_hwservice)) +(typeattributeset hal_neuralnetworks_service_31_0 (hal_neuralnetworks_service)) +(typeattributeset hal_nfc_hwservice_31_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_31_0 (hal_oemlock_hwservice)) +(typeattributeset hal_oemlock_service_31_0 (hal_oemlock_service)) +(typeattributeset hal_omx_hwservice_31_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_31_0 (hal_power_hwservice)) +(typeattributeset hal_power_service_31_0 (hal_power_service)) +(typeattributeset hal_power_stats_hwservice_31_0 (hal_power_stats_hwservice)) +(typeattributeset hal_power_stats_service_31_0 (hal_power_stats_service)) +(typeattributeset hal_rebootescrow_service_31_0 (hal_rebootescrow_service)) +(typeattributeset hal_remotelyprovisionedcomponent_service_31_0 (hal_remotelyprovisionedcomponent_service)) +(typeattributeset hal_renderscript_hwservice_31_0 (hal_renderscript_hwservice)) +(typeattributeset hal_secure_element_hwservice_31_0 (hal_secure_element_hwservice)) +(typeattributeset hal_secureclock_service_31_0 (hal_secureclock_service)) +(typeattributeset hal_sensors_hwservice_31_0 (hal_sensors_hwservice)) +(typeattributeset hal_sharedsecret_service_31_0 (hal_sharedsecret_service)) +(typeattributeset hal_telephony_hwservice_31_0 (hal_telephony_hwservice)) +(typeattributeset hal_tetheroffload_hwservice_31_0 (hal_tetheroffload_hwservice)) +(typeattributeset hal_thermal_hwservice_31_0 (hal_thermal_hwservice)) +(typeattributeset hal_tv_cec_hwservice_31_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_31_0 (hal_tv_input_hwservice)) +(typeattributeset hal_tv_tuner_hwservice_31_0 (hal_tv_tuner_hwservice)) +(typeattributeset hal_usb_gadget_hwservice_31_0 (hal_usb_gadget_hwservice)) +(typeattributeset hal_usb_hwservice_31_0 (hal_usb_hwservice)) +(typeattributeset hal_vehicle_hwservice_31_0 (hal_vehicle_hwservice)) 
+(typeattributeset hal_vibrator_hwservice_31_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vibrator_service_31_0 (hal_vibrator_service)) +(typeattributeset hal_vr_hwservice_31_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_31_0 (hal_weaver_hwservice)) +(typeattributeset hal_weaver_service_31_0 (hal_weaver_service)) +(typeattributeset hal_wifi_hostapd_hwservice_31_0 (hal_wifi_hostapd_hwservice)) +(typeattributeset hal_wifi_hwservice_31_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_31_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_31_0 (hardware_properties_service)) +(typeattributeset hardware_service_31_0 (hardware_service)) +(typeattributeset hci_attach_dev_31_0 (hci_attach_dev)) +(typeattributeset hdmi_config_prop_31_0 (hdmi_config_prop)) +(typeattributeset hdmi_control_service_31_0 (hdmi_control_service)) +(typeattributeset healthd_31_0 (healthd)) +(typeattributeset healthd_exec_31_0 (healthd_exec)) +(typeattributeset heapdump_data_file_31_0 (heapdump_data_file)) +(typeattributeset heapprofd_31_0 (heapprofd)) +(typeattributeset heapprofd_enabled_prop_31_0 (heapprofd_enabled_prop)) +(typeattributeset heapprofd_prop_31_0 (heapprofd_prop)) +(typeattributeset heapprofd_socket_31_0 (heapprofd_socket)) +(typeattributeset hidl_allocator_hwservice_31_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_31_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_31_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_31_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_31_0 (hidl_token_hwservice)) +(typeattributeset hint_service_31_0 (hint_service)) +(typeattributeset hw_random_device_31_0 (hw_random_device)) +(typeattributeset hw_timeout_multiplier_prop_31_0 (hw_timeout_multiplier_prop)) +(typeattributeset hwbinder_device_31_0 (hwbinder_device)) +(typeattributeset hwservice_contexts_file_31_0 (hwservice_contexts_file)) 
+(typeattributeset hwservicemanager_31_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_31_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_31_0 (hwservicemanager_prop)) +(typeattributeset icon_file_31_0 (icon_file)) +(typeattributeset idmap_31_0 (idmap)) +(typeattributeset idmap_exec_31_0 (idmap_exec)) +(typeattributeset idmap_service_31_0 (idmap_service)) +(typeattributeset iio_device_31_0 (iio_device)) +(typeattributeset imms_service_31_0 (imms_service)) +(typeattributeset incident_31_0 (incident)) +(typeattributeset incident_data_file_31_0 (incident_data_file)) +(typeattributeset incident_helper_31_0 (incident_helper)) +(typeattributeset incident_service_31_0 (incident_service)) +(typeattributeset incidentd_31_0 (incidentd)) +(typeattributeset incremental_control_file_31_0 (incremental_control_file)) +(typeattributeset incremental_prop_31_0 (incremental_prop)) +(typeattributeset incremental_service_31_0 (incremental_service)) +(typeattributeset init_31_0 (init)) +(typeattributeset init_exec_31_0 (init_exec)) +(typeattributeset init_service_status_prop_31_0 (init_service_status_prop)) +(typeattributeset init_tmpfs_31_0 (init_tmpfs)) +(typeattributeset inotify_31_0 (inotify)) +(typeattributeset input_device_31_0 (input_device)) +(typeattributeset input_method_service_31_0 (input_method_service)) +(typeattributeset input_service_31_0 (input_service)) +(typeattributeset inputflinger_31_0 (inputflinger)) +(typeattributeset inputflinger_exec_31_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_31_0 (inputflinger_service)) +(typeattributeset install_data_file_31_0 (install_data_file)) +(typeattributeset installd_31_0 (installd)) +(typeattributeset installd_exec_31_0 (installd_exec)) +(typeattributeset installd_service_31_0 (installd_service)) +(typeattributeset ion_device_31_0 (ion_device)) +(typeattributeset iorap_inode2filename_31_0 (iorap_inode2filename)) +(typeattributeset iorap_inode2filename_exec_31_0 
(iorap_inode2filename_exec)) +(typeattributeset iorap_inode2filename_tmpfs_31_0 (iorap_inode2filename_tmpfs)) +(typeattributeset iorap_prefetcherd_31_0 (iorap_prefetcherd)) +(typeattributeset iorap_prefetcherd_exec_31_0 (iorap_prefetcherd_exec)) +(typeattributeset iorap_prefetcherd_tmpfs_31_0 (iorap_prefetcherd_tmpfs)) +(typeattributeset iorapd_31_0 (iorapd)) +(typeattributeset iorapd_data_file_31_0 (iorapd_data_file)) +(typeattributeset iorapd_exec_31_0 (iorapd_exec)) +(typeattributeset iorapd_service_31_0 (iorapd_service)) +(typeattributeset iorapd_tmpfs_31_0 (iorapd_tmpfs)) +(typeattributeset ipsec_service_31_0 (ipsec_service)) +(typeattributeset iris_service_31_0 (iris_service)) +(typeattributeset iris_vendor_data_file_31_0 (iris_vendor_data_file)) +(typeattributeset isolated_app_31_0 (isolated_app)) +(typeattributeset jobscheduler_service_31_0 (jobscheduler_service)) +(typeattributeset kernel_31_0 (kernel)) +(typeattributeset keychain_data_file_31_0 (keychain_data_file)) +(typeattributeset keychord_device_31_0 (keychord_device)) +(typeattributeset keyguard_config_prop_31_0 (keyguard_config_prop)) +(typeattributeset keystore2_key_contexts_file_31_0 (keystore2_key_contexts_file)) +(typeattributeset keystore_31_0 (keystore)) +(typeattributeset keystore_compat_hal_service_31_0 (keystore_compat_hal_service)) +(typeattributeset keystore_data_file_31_0 (keystore_data_file)) +(typeattributeset keystore_exec_31_0 (keystore_exec)) +(typeattributeset keystore_maintenance_service_31_0 (keystore_maintenance_service)) +(typeattributeset keystore_metrics_service_31_0 (keystore_metrics_service)) +(typeattributeset keystore_service_31_0 (keystore_service)) +(typeattributeset kmsg_debug_device_31_0 (kmsg_debug_device)) +(typeattributeset kmsg_device_31_0 (kmsg_device)) +(typeattributeset labeledfs_31_0 (labeledfs)) +(typeattributeset launcherapps_service_31_0 (launcherapps_service)) +(typeattributeset legacy_permission_service_31_0 (legacy_permission_service)) 
+(typeattributeset legacykeystore_service_31_0 (legacykeystore_service)) +(typeattributeset libc_debug_prop_31_0 (libc_debug_prop)) +(typeattributeset light_service_31_0 (light_service)) +(typeattributeset linkerconfig_file_31_0 (linkerconfig_file)) +(typeattributeset llkd_31_0 (llkd)) +(typeattributeset llkd_exec_31_0 (llkd_exec)) +(typeattributeset llkd_prop_31_0 (llkd_prop)) +(typeattributeset lmkd_31_0 (lmkd)) +(typeattributeset lmkd_config_prop_31_0 (lmkd_config_prop)) +(typeattributeset lmkd_exec_31_0 (lmkd_exec)) +(typeattributeset lmkd_prop_31_0 (lmkd_prop)) +(typeattributeset lmkd_socket_31_0 (lmkd_socket)) +(typeattributeset location_service_31_0 (location_service)) +(typeattributeset location_time_zone_manager_service_31_0 (location_time_zone_manager_service)) +(typeattributeset lock_settings_service_31_0 (lock_settings_service)) +(typeattributeset log_prop_31_0 (log_prop)) +(typeattributeset log_tag_prop_31_0 (log_tag_prop)) +(typeattributeset logcat_exec_31_0 (logcat_exec)) +(typeattributeset logd_31_0 (logd)) +(typeattributeset logd_exec_31_0 (logd_exec)) +(typeattributeset logd_prop_31_0 (logd_prop)) +(typeattributeset logd_socket_31_0 (logd_socket)) +(typeattributeset logdr_socket_31_0 (logdr_socket)) +(typeattributeset logdw_socket_31_0 (logdw_socket)) +(typeattributeset logpersist_31_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_31_0 (logpersistd_logging_prop)) +(typeattributeset loop_control_device_31_0 (loop_control_device)) +(typeattributeset loop_device_31_0 (loop_device)) +(typeattributeset looper_stats_service_31_0 (looper_stats_service)) +(typeattributeset lowpan_device_31_0 (lowpan_device)) +(typeattributeset lowpan_prop_31_0 (lowpan_prop)) +(typeattributeset lowpan_service_31_0 (lowpan_service)) +(typeattributeset lpdump_service_31_0 (lpdump_service)) +(typeattributeset lpdumpd_prop_31_0 (lpdumpd_prop)) +(typeattributeset mac_perms_file_31_0 (mac_perms_file)) +(typeattributeset mdns_socket_31_0 (mdns_socket)) 
+(typeattributeset mdnsd_31_0 (mdnsd)) +(typeattributeset mdnsd_socket_31_0 (mdnsd_socket)) +(typeattributeset media_communication_service_31_0 (media_communication_service)) +(typeattributeset media_config_prop_31_0 (media_config_prop)) +(typeattributeset media_data_file_31_0 (media_data_file)) +(typeattributeset media_metrics_service_31_0 (media_metrics_service)) +(typeattributeset media_projection_service_31_0 (media_projection_service)) +(typeattributeset media_router_service_31_0 (media_router_service)) +(typeattributeset media_rw_data_file_31_0 (media_rw_data_file)) +(typeattributeset media_session_service_31_0 (media_session_service)) +(typeattributeset media_variant_prop_31_0 (media_variant_prop)) +(typeattributeset mediadrm_config_prop_31_0 (mediadrm_config_prop)) +(typeattributeset mediadrmserver_31_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_31_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_31_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_31_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_31_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_31_0 (mediaextractor_service)) +(typeattributeset mediaextractor_tmpfs_31_0 (mediaextractor_tmpfs)) +(typeattributeset mediametrics_31_0 (mediametrics)) +(typeattributeset mediametrics_exec_31_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_31_0 (mediametrics_service)) +(typeattributeset mediaprovider_31_0 (mediaprovider)) +(typeattributeset mediaserver_31_0 (mediaserver)) +(typeattributeset mediaserver_exec_31_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_31_0 (mediaserver_service)) +(typeattributeset mediaserver_tmpfs_31_0 (mediaserver_tmpfs)) +(typeattributeset mediaswcodec_31_0 (mediaswcodec)) +(typeattributeset mediaswcodec_exec_31_0 (mediaswcodec_exec)) +(typeattributeset mediatranscoding_service_31_0 (mediatranscoding_service)) +(typeattributeset meminfo_service_31_0 (meminfo_service)) +(typeattributeset 
memtrackproxy_service_31_0 (memtrackproxy_service)) +(typeattributeset metadata_block_device_31_0 (metadata_block_device)) +(typeattributeset metadata_bootstat_file_31_0 (metadata_bootstat_file)) +(typeattributeset metadata_file_31_0 (metadata_file)) +(typeattributeset method_trace_data_file_31_0 (method_trace_data_file)) +(typeattributeset midi_service_31_0 (midi_service)) +(typeattributeset mirror_data_file_31_0 (mirror_data_file)) +(typeattributeset misc_block_device_31_0 (misc_block_device)) +(typeattributeset misc_logd_file_31_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_31_0 (misc_user_data_file)) +(typeattributeset mm_events_config_prop_31_0 (mm_events_config_prop)) +(typeattributeset mmc_prop_31_0 (mmc_prop)) +(typeattributeset mnt_expand_file_31_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_31_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_31_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_pass_through_file_31_0 (mnt_pass_through_file)) +(typeattributeset mnt_product_file_31_0 (mnt_product_file)) +(typeattributeset mnt_sdcard_file_31_0 (mnt_sdcard_file)) +(typeattributeset mnt_user_file_31_0 (mnt_user_file)) +(typeattributeset mnt_vendor_file_31_0 (mnt_vendor_file)) +(typeattributeset mock_ota_prop_31_0 (mock_ota_prop)) +(typeattributeset modprobe_31_0 (modprobe)) +(typeattributeset module_sdkextensions_prop_31_0 (module_sdkextensions_prop)) +(typeattributeset mount_service_31_0 (mount_service)) +(typeattributeset mqueue_31_0 (mqueue)) +(typeattributeset mtp_31_0 (mtp)) +(typeattributeset mtp_device_31_0 (mtp_device)) +(typeattributeset mtp_exec_31_0 (mtp_exec)) +(typeattributeset mtpd_socket_31_0 (mtpd_socket)) +(typeattributeset music_recognition_service_31_0 (music_recognition_service)) +(typeattributeset nativetest_data_file_31_0 (nativetest_data_file)) +(typeattributeset net_data_file_31_0 (net_data_file)) +(typeattributeset net_dns_prop_31_0 (net_dns_prop)) +(typeattributeset net_radio_prop_31_0 
(net_radio_prop)) +(typeattributeset netd_31_0 (netd)) +(typeattributeset netd_exec_31_0 (netd_exec)) +(typeattributeset netd_listener_service_31_0 (netd_listener_service)) +(typeattributeset netd_service_31_0 (netd_service)) +(typeattributeset netif_31_0 (netif)) +(typeattributeset netpolicy_service_31_0 (netpolicy_service)) +(typeattributeset netstats_service_31_0 (netstats_service)) +(typeattributeset netutils_wrapper_31_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_31_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_31_0 (network_management_service)) +(typeattributeset network_score_service_31_0 (network_score_service)) +(typeattributeset network_stack_31_0 (network_stack)) +(typeattributeset network_stack_service_31_0 (network_stack_service)) +(typeattributeset network_time_update_service_31_0 (network_time_update_service)) +(typeattributeset network_watchlist_data_file_31_0 (network_watchlist_data_file)) +(typeattributeset network_watchlist_service_31_0 (network_watchlist_service)) +(typeattributeset nfc_31_0 (nfc)) +(typeattributeset nfc_data_file_31_0 (nfc_data_file)) +(typeattributeset nfc_device_31_0 (nfc_device)) +(typeattributeset nfc_logs_data_file_31_0 (nfc_logs_data_file)) +(typeattributeset nfc_prop_31_0 (nfc_prop)) +(typeattributeset nfc_service_31_0 (nfc_service)) +(typeattributeset nnapi_ext_deny_product_prop_31_0 (nnapi_ext_deny_product_prop)) +(typeattributeset node_31_0 (node)) +(typeattributeset nonplat_service_contexts_file_31_0 (nonplat_service_contexts_file)) +(typeattributeset notification_service_31_0 (notification_service)) +(typeattributeset null_device_31_0 (null_device)) +(typeattributeset oem_lock_service_31_0 (oem_lock_service)) +(typeattributeset oem_unlock_prop_31_0 (oem_unlock_prop)) +(typeattributeset oemfs_31_0 (oemfs)) +(typeattributeset ota_data_file_31_0 (ota_data_file)) +(typeattributeset ota_metadata_file_31_0 (ota_metadata_file)) +(typeattributeset ota_package_file_31_0 
(ota_package_file)) +(typeattributeset ota_prop_31_0 (ota_prop)) +(typeattributeset otadexopt_service_31_0 (otadexopt_service)) +(typeattributeset otapreopt_chroot_31_0 (otapreopt_chroot)) +(typeattributeset overlay_prop_31_0 (overlay_prop)) +(typeattributeset overlay_service_31_0 (overlay_service)) +(typeattributeset overlayfs_file_31_0 (overlayfs_file)) +(typeattributeset owntty_device_31_0 (owntty_device)) +(typeattributeset pac_proxy_service_31_0 (pac_proxy_service)) +(typeattributeset package_native_service_31_0 (package_native_service)) +(typeattributeset package_service_31_0 (package_service)) +(typeattributeset packagemanager_config_prop_31_0 (packagemanager_config_prop)) +(typeattributeset packages_list_file_31_0 (packages_list_file)) +(typeattributeset pan_result_prop_31_0 (pan_result_prop)) +(typeattributeset password_slot_metadata_file_31_0 (password_slot_metadata_file)) +(typeattributeset pdx_bufferhub_client_channel_socket_31_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_31_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_31_0 (pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_31_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_31_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_31_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_31_0 (pdx_display_manager_channel_socket)) +(typeattributeset pdx_display_manager_endpoint_socket_31_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_31_0 (pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_31_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset pdx_display_vsync_channel_socket_31_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_31_0 
(pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_31_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_31_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_31_0 (pdx_performance_dir)) +(typeattributeset people_service_31_0 (people_service)) +(typeattributeset perfetto_31_0 (perfetto)) +(typeattributeset performanced_31_0 (performanced)) +(typeattributeset performanced_exec_31_0 (performanced_exec)) +(typeattributeset permission_checker_service_31_0 (permission_checker_service)) +(typeattributeset permission_service_31_0 (permission_service)) +(typeattributeset permissionmgr_service_31_0 (permissionmgr_service)) +(typeattributeset persist_debug_prop_31_0 (persist_debug_prop)) +(typeattributeset persist_vendor_debug_wifi_prop_31_0 (persist_vendor_debug_wifi_prop)) +(typeattributeset persistent_data_block_service_31_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_31_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_31_0 (pinner_service)) +(typeattributeset pipefs_31_0 (pipefs)) +(typeattributeset platform_app_31_0 (platform_app)) +(typeattributeset platform_compat_service_31_0 (platform_compat_service)) +(typeattributeset pmsg_device_31_0 (pmsg_device)) +(typeattributeset port_31_0 (port)) +(typeattributeset port_device_31_0 (port_device)) +(typeattributeset postinstall_31_0 (postinstall)) +(typeattributeset postinstall_apex_mnt_dir_31_0 (postinstall_apex_mnt_dir)) +(typeattributeset postinstall_file_31_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_31_0 (postinstall_mnt_dir)) +(typeattributeset power_debug_prop_31_0 (power_debug_prop)) +(typeattributeset power_service_31_0 (power_service)) +(typeattributeset powerctl_prop_31_0 (powerctl_prop)) +(typeattributeset powerstats_service_31_0 (powerstats_service)) +(typeattributeset ppp_31_0 (ppp)) +(typeattributeset 
ppp_device_31_0 (ppp_device)) +(typeattributeset ppp_exec_31_0 (ppp_exec)) +(typeattributeset preloads_data_file_31_0 (preloads_data_file)) +(typeattributeset preloads_media_file_31_0 (preloads_media_file)) +(typeattributeset prereboot_data_file_31_0 (prereboot_data_file)) +(typeattributeset print_service_31_0 (print_service)) +(typeattributeset priv_app_31_0 (priv_app)) +(typeattributeset privapp_data_file_31_0 (privapp_data_file)) +(typeattributeset proc_31_0 (proc)) +(typeattributeset proc_abi_31_0 (proc_abi)) +(typeattributeset proc_asound_31_0 (proc_asound)) +(typeattributeset proc_bluetooth_writable_31_0 (proc_bluetooth_writable)) +(typeattributeset proc_bootconfig_31_0 (proc_bootconfig)) +(typeattributeset proc_buddyinfo_31_0 (proc_buddyinfo)) +(typeattributeset proc_cmdline_31_0 (proc_cmdline)) +(typeattributeset proc_cpuinfo_31_0 (proc_cpuinfo)) +(typeattributeset proc_dirty_31_0 (proc_dirty)) +(typeattributeset proc_diskstats_31_0 (proc_diskstats)) +(typeattributeset proc_drop_caches_31_0 (proc_drop_caches)) +(typeattributeset proc_extra_free_kbytes_31_0 (proc_extra_free_kbytes)) +(typeattributeset proc_filesystems_31_0 (proc_filesystems)) +(typeattributeset proc_fs_verity_31_0 (proc_fs_verity)) +(typeattributeset proc_hostname_31_0 (proc_hostname)) +(typeattributeset proc_hung_task_31_0 (proc_hung_task)) +(typeattributeset proc_interrupts_31_0 (proc_interrupts)) +(typeattributeset proc_iomem_31_0 (proc_iomem)) +(typeattributeset proc_kallsyms_31_0 (proc_kallsyms)) +(typeattributeset proc_keys_31_0 (proc_keys)) +(typeattributeset proc_kmsg_31_0 (proc_kmsg)) +(typeattributeset proc_kpageflags_31_0 (proc_kpageflags)) +(typeattributeset proc_loadavg_31_0 (proc_loadavg)) +(typeattributeset proc_locks_31_0 (proc_locks)) +(typeattributeset proc_lowmemorykiller_31_0 (proc_lowmemorykiller)) +(typeattributeset proc_max_map_count_31_0 (proc_max_map_count)) +(typeattributeset proc_meminfo_31_0 (proc_meminfo)) +(typeattributeset proc_min_free_order_shift_31_0 
(proc_min_free_order_shift)) +(typeattributeset proc_misc_31_0 (proc_misc)) +(typeattributeset proc_modules_31_0 (proc_modules)) +(typeattributeset proc_mounts_31_0 (proc_mounts)) +(typeattributeset proc_net_31_0 (proc_net)) +(typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp)) +(typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory)) +(typeattributeset proc_page_cluster_31_0 (proc_page_cluster)) +(typeattributeset proc_pagetypeinfo_31_0 (proc_pagetypeinfo)) +(typeattributeset proc_panic_31_0 (proc_panic)) +(typeattributeset proc_perf_31_0 (proc_perf)) +(typeattributeset proc_pid_max_31_0 (proc_pid_max)) +(typeattributeset proc_pipe_conf_31_0 (proc_pipe_conf)) +(typeattributeset proc_pressure_cpu_31_0 (proc_pressure_cpu)) +(typeattributeset proc_pressure_io_31_0 (proc_pressure_io)) +(typeattributeset proc_pressure_mem_31_0 (proc_pressure_mem)) +(typeattributeset proc_qtaguid_ctrl_31_0 (proc_qtaguid_ctrl)) +(typeattributeset proc_qtaguid_stat_31_0 (proc_qtaguid_stat)) +(typeattributeset proc_random_31_0 (proc_random)) +(typeattributeset proc_sched_31_0 (proc_sched)) +(typeattributeset proc_security_31_0 (proc_security)) +(typeattributeset proc_slabinfo_31_0 (proc_slabinfo)) +(typeattributeset proc_stat_31_0 (proc_stat)) +(typeattributeset proc_swaps_31_0 (proc_swaps)) +(typeattributeset proc_sysrq_31_0 (proc_sysrq)) +(typeattributeset proc_timer_31_0 (proc_timer)) +(typeattributeset proc_tty_drivers_31_0 (proc_tty_drivers)) +(typeattributeset proc_uid_concurrent_active_time_31_0 (proc_uid_concurrent_active_time)) +(typeattributeset proc_uid_concurrent_policy_time_31_0 (proc_uid_concurrent_policy_time)) +(typeattributeset proc_uid_cpupower_31_0 (proc_uid_cpupower)) +(typeattributeset proc_uid_cputime_removeuid_31_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_31_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_31_0 (proc_uid_io_stats)) +(typeattributeset proc_uid_procstat_set_31_0 
(proc_uid_procstat_set)) +(typeattributeset proc_uid_time_in_state_31_0 (proc_uid_time_in_state)) +(typeattributeset proc_uptime_31_0 (proc_uptime)) +(typeattributeset proc_vendor_sched_31_0 (proc_vendor_sched)) +(typeattributeset proc_version_31_0 (proc_version)) +(typeattributeset proc_vmallocinfo_31_0 (proc_vmallocinfo)) +(typeattributeset proc_vmstat_31_0 (proc_vmstat)) +(typeattributeset proc_zoneinfo_31_0 (proc_zoneinfo)) +(typeattributeset processinfo_service_31_0 (processinfo_service)) +(typeattributeset procstats_service_31_0 (procstats_service)) +(typeattributeset profman_31_0 (profman)) +(typeattributeset profman_dump_data_file_31_0 (profman_dump_data_file)) +(typeattributeset profman_exec_31_0 (profman_exec)) +(typeattributeset properties_device_31_0 (properties_device)) +(typeattributeset properties_serial_31_0 (properties_serial)) +(typeattributeset property_contexts_file_31_0 (property_contexts_file)) +(typeattributeset property_data_file_31_0 (property_data_file)) +(typeattributeset property_info_31_0 (property_info)) +(typeattributeset property_service_version_prop_31_0 (property_service_version_prop)) +(typeattributeset property_socket_31_0 (property_socket)) +(typeattributeset provisioned_prop_31_0 (provisioned_prop)) +(typeattributeset pstorefs_31_0 (pstorefs)) +(typeattributeset ptmx_device_31_0 (ptmx_device)) +(typeattributeset qemu_hw_prop_31_0 (qemu_hw_prop)) +(typeattributeset qemu_sf_lcd_density_prop_31_0 (qemu_sf_lcd_density_prop)) +(typeattributeset qtaguid_device_31_0 (qtaguid_device)) +(typeattributeset racoon_31_0 (racoon)) +(typeattributeset racoon_exec_31_0 (racoon_exec)) +(typeattributeset racoon_socket_31_0 (racoon_socket)) +(typeattributeset radio_31_0 (radio)) +(typeattributeset radio_control_prop_31_0 (radio_control_prop)) +(typeattributeset radio_core_data_file_31_0 (radio_core_data_file)) +(typeattributeset radio_data_file_31_0 (radio_data_file)) +(typeattributeset radio_device_31_0 (radio_device)) +(typeattributeset 
radio_prop_31_0 (radio_prop)) +(typeattributeset radio_service_31_0 (radio_service)) +(typeattributeset ram_device_31_0 (ram_device)) +(typeattributeset random_device_31_0 (random_device)) +(typeattributeset reboot_readiness_service_31_0 (reboot_readiness_service)) +(typeattributeset rebootescrow_hal_prop_31_0 (rebootescrow_hal_prop)) +(typeattributeset recovery_31_0 (recovery)) +(typeattributeset recovery_block_device_31_0 (recovery_block_device)) +(typeattributeset recovery_config_prop_31_0 (recovery_config_prop)) +(typeattributeset recovery_data_file_31_0 (recovery_data_file)) +(typeattributeset recovery_persist_31_0 (recovery_persist)) +(typeattributeset recovery_persist_exec_31_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_31_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_31_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_31_0 (recovery_service)) +(typeattributeset recovery_socket_31_0 (recovery_socket)) +(typeattributeset registry_service_31_0 (registry_service)) +(typeattributeset remoteprovisioning_service_31_0 (remoteprovisioning_service)) +(typeattributeset resourcecache_data_file_31_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_31_0 (restorecon_prop)) +(typeattributeset restrictions_service_31_0 (restrictions_service)) +(typeattributeset retaildemo_prop_31_0 (retaildemo_prop)) +(typeattributeset rild_debug_socket_31_0 (rild_debug_socket)) +(typeattributeset rild_socket_31_0 (rild_socket)) +(typeattributeset ringtone_file_31_0 (ringtone_file)) +(typeattributeset role_service_31_0 (role_service)) +(typeattributeset rollback_service_31_0 (rollback_service)) +(typeattributeset root_block_device_31_0 (root_block_device)) +(typeattributeset rootfs_31_0 (rootfs)) +(typeattributeset rpmsg_device_31_0 (rpmsg_device)) +(typeattributeset rs_31_0 (rs)) +(typeattributeset rs_exec_31_0 (rs_exec)) +(typeattributeset rss_hwm_reset_31_0 (rss_hwm_reset)) +(typeattributeset rtc_device_31_0 (rtc_device)) 
+(typeattributeset rttmanager_service_31_0 (rttmanager_service)) +(typeattributeset runas_31_0 (runas)) +(typeattributeset runas_app_31_0 (runas_app)) +(typeattributeset runas_exec_31_0 (runas_exec)) +(typeattributeset runtime_event_log_tags_file_31_0 (runtime_event_log_tags_file)) +(typeattributeset runtime_service_31_0 (runtime_service)) +(typeattributeset safemode_prop_31_0 (safemode_prop)) +(typeattributeset same_process_hal_file_31_0 (same_process_hal_file)) +(typeattributeset samplingprofiler_service_31_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_31_0 (scheduling_policy_service)) +(typeattributeset sdcard_block_device_31_0 (sdcard_block_device)) +(typeattributeset sdcardd_31_0 (sdcardd)) +(typeattributeset sdcardd_exec_31_0 (sdcardd_exec)) +(typeattributeset sdcardfs_31_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_31_0 (seapp_contexts_file)) +(typeattributeset search_service_31_0 (search_service)) +(typeattributeset search_ui_service_31_0 (search_ui_service)) +(typeattributeset sec_key_att_app_id_provider_service_31_0 (sec_key_att_app_id_provider_service)) +(typeattributeset secure_element_31_0 (secure_element)) +(typeattributeset secure_element_device_31_0 (secure_element_device)) +(typeattributeset secure_element_service_31_0 (secure_element_service)) +(typeattributeset securityfs_31_0 (securityfs)) +(typeattributeset selinuxfs_31_0 (selinuxfs)) +(typeattributeset sendbug_config_prop_31_0 (sendbug_config_prop)) +(typeattributeset sensor_privacy_service_31_0 (sensor_privacy_service)) +(typeattributeset sensors_device_31_0 (sensors_device)) +(typeattributeset sensorservice_service_31_0 (sensorservice_service)) +(typeattributeset sepolicy_file_31_0 (sepolicy_file)) +(typeattributeset serial_device_31_0 (serial_device)) +(typeattributeset serial_service_31_0 (serial_service)) +(typeattributeset serialno_prop_31_0 (serialno_prop)) +(typeattributeset server_configurable_flags_data_file_31_0 
(server_configurable_flags_data_file)) +(typeattributeset service_contexts_file_31_0 (service_contexts_file)) +(typeattributeset service_manager_service_31_0 (service_manager_service)) +(typeattributeset service_manager_vndservice_31_0 (service_manager_vndservice)) +(typeattributeset servicediscovery_service_31_0 (servicediscovery_service)) +(typeattributeset servicemanager_31_0 (servicemanager)) +(typeattributeset servicemanager_exec_31_0 (servicemanager_exec)) +(typeattributeset settings_service_31_0 (settings_service)) +(typeattributeset sgdisk_31_0 (sgdisk)) +(typeattributeset sgdisk_exec_31_0 (sgdisk_exec)) +(typeattributeset shared_relro_31_0 (shared_relro)) +(typeattributeset shared_relro_file_31_0 (shared_relro_file)) +(typeattributeset shell_31_0 (shell)) +(typeattributeset shell_data_file_31_0 (shell_data_file)) +(typeattributeset shell_exec_31_0 (shell_exec)) +(typeattributeset shell_prop_31_0 (shell_prop)) +(typeattributeset shell_test_data_file_31_0 (shell_test_data_file)) +(typeattributeset shm_31_0 (shm)) +(typeattributeset shortcut_manager_icons_31_0 (shortcut_manager_icons)) +(typeattributeset shortcut_service_31_0 (shortcut_service)) +(typeattributeset simpleperf_31_0 (simpleperf)) +(typeattributeset simpleperf_app_runner_31_0 (simpleperf_app_runner)) +(typeattributeset simpleperf_app_runner_exec_31_0 (simpleperf_app_runner_exec)) +(typeattributeset slice_service_31_0 (slice_service)) +(typeattributeset slideshow_31_0 (slideshow)) +(typeattributeset smartspace_service_31_0 (smartspace_service)) +(typeattributeset snapshotctl_log_data_file_31_0 (snapshotctl_log_data_file)) +(typeattributeset snapuserd_socket_31_0 (snapuserd_socket)) +(typeattributeset soc_prop_31_0 (soc_prop)) +(typeattributeset socket_device_31_0 (socket_device)) +(typeattributeset socket_hook_prop_31_0 (socket_hook_prop)) +(typeattributeset sockfs_31_0 (sockfs)) +(typeattributeset sota_prop_31_0 (sota_prop)) +(typeattributeset soundtrigger_middleware_service_31_0 
(soundtrigger_middleware_service)) +(typeattributeset speech_recognition_service_31_0 (speech_recognition_service)) +(typeattributeset sqlite_log_prop_31_0 (sqlite_log_prop)) +(typeattributeset staged_install_file_31_0 (staged_install_file)) +(typeattributeset staging_data_file_31_0 (staging_data_file)) +(typeattributeset stats_data_file_31_0 (stats_data_file)) +(typeattributeset statsd_31_0 (statsd)) +(typeattributeset statsd_exec_31_0 (statsd_exec)) +(typeattributeset statsdw_socket_31_0 (statsdw_socket)) +(typeattributeset statusbar_service_31_0 (statusbar_service)) +(typeattributeset storage_config_prop_31_0 (storage_config_prop)) +(typeattributeset storage_file_31_0 (storage_file)) +(typeattributeset storage_stub_file_31_0 (storage_stub_file)) +(typeattributeset storaged_service_31_0 (storaged_service)) +(typeattributeset storagemanager_config_prop_31_0 (storagemanager_config_prop)) +(typeattributeset storagestats_service_31_0 (storagestats_service)) +(typeattributeset su_31_0 (su)) +(typeattributeset su_exec_31_0 (su_exec)) +(typeattributeset super_block_device_31_0 (super_block_device)) +(typeattributeset surfaceflinger_31_0 (surfaceflinger)) +(typeattributeset surfaceflinger_color_prop_31_0 (surfaceflinger_color_prop)) +(typeattributeset surfaceflinger_display_prop_31_0 (surfaceflinger_display_prop)) +(typeattributeset surfaceflinger_prop_31_0 (surfaceflinger_prop)) +(typeattributeset surfaceflinger_service_31_0 (surfaceflinger_service)) +(typeattributeset surfaceflinger_tmpfs_31_0 (surfaceflinger_tmpfs)) +(typeattributeset suspend_prop_31_0 (suspend_prop)) +(typeattributeset swap_block_device_31_0 (swap_block_device)) +(typeattributeset sysfs_31_0 (sysfs)) +(typeattributeset sysfs_android_usb_31_0 (sysfs_android_usb)) +(typeattributeset sysfs_batteryinfo_31_0 (sysfs_batteryinfo)) +(typeattributeset sysfs_block_31_0 (sysfs_block)) +(typeattributeset sysfs_bluetooth_writable_31_0 (sysfs_bluetooth_writable)) +(typeattributeset sysfs_devfreq_cur_31_0 
(sysfs_devfreq_cur)) +(typeattributeset sysfs_devfreq_dir_31_0 (sysfs_devfreq_dir)) +(typeattributeset sysfs_devices_block_31_0 (sysfs_devices_block)) +(typeattributeset sysfs_devices_cs_etm_31_0 (sysfs_devices_cs_etm)) +(typeattributeset sysfs_devices_system_cpu_31_0 (sysfs_devices_system_cpu)) +(typeattributeset sysfs_dm_31_0 (sysfs_dm)) +(typeattributeset sysfs_dm_verity_31_0 (sysfs_dm_verity)) +(typeattributeset sysfs_dma_heap_31_0 (sysfs_dma_heap)) +(typeattributeset sysfs_dmabuf_stats_31_0 (sysfs_dmabuf_stats)) +(typeattributeset sysfs_dt_firmware_android_31_0 (sysfs_dt_firmware_android)) +(typeattributeset sysfs_extcon_31_0 (sysfs_extcon)) +(typeattributeset sysfs_fs_ext4_features_31_0 (sysfs_fs_ext4_features)) +(typeattributeset sysfs_fs_f2fs_31_0 (sysfs_fs_f2fs)) +(typeattributeset sysfs_fs_incfs_features_31_0 (sysfs_fs_incfs_features)) +(typeattributeset sysfs_fs_incfs_metrics_31_0 (sysfs_fs_incfs_metrics)) +(typeattributeset sysfs_hwrandom_31_0 (sysfs_hwrandom)) +(typeattributeset sysfs_ion_31_0 (sysfs_ion)) +(typeattributeset sysfs_ipv4_31_0 (sysfs_ipv4)) +(typeattributeset sysfs_kernel_notes_31_0 (sysfs_kernel_notes)) +(typeattributeset sysfs_leds_31_0 (sysfs_leds)) +(typeattributeset sysfs_loop_31_0 (sysfs_loop)) +(typeattributeset sysfs_lowmemorykiller_31_0 (sysfs_lowmemorykiller)) +(typeattributeset sysfs_net_31_0 (sysfs_net)) +(typeattributeset sysfs_nfc_power_writable_31_0 (sysfs_nfc_power_writable)) +(typeattributeset sysfs_power_31_0 (sysfs_power)) +(typeattributeset sysfs_rtc_31_0 (sysfs_rtc)) +(typeattributeset sysfs_suspend_stats_31_0 (sysfs_suspend_stats)) +(typeattributeset sysfs_switch_31_0 (sysfs_switch)) +(typeattributeset sysfs_thermal_31_0 (sysfs_thermal)) +(typeattributeset sysfs_transparent_hugepage_31_0 (sysfs_transparent_hugepage)) +(typeattributeset sysfs_uhid_31_0 (sysfs_uhid)) +(typeattributeset sysfs_uio_31_0 (sysfs_uio)) +(typeattributeset sysfs_usb_31_0 (sysfs_usb)) +(typeattributeset sysfs_usermodehelper_31_0 
(sysfs_usermodehelper)) +(typeattributeset sysfs_vendor_sched_31_0 (sysfs_vendor_sched)) +(typeattributeset sysfs_vibrator_31_0 (sysfs_vibrator)) +(typeattributeset sysfs_wake_lock_31_0 (sysfs_wake_lock)) +(typeattributeset sysfs_wakeup_31_0 (sysfs_wakeup)) +(typeattributeset sysfs_wakeup_reasons_31_0 (sysfs_wakeup_reasons)) +(typeattributeset sysfs_wlan_fwpath_31_0 (sysfs_wlan_fwpath)) +(typeattributeset sysfs_zram_31_0 (sysfs_zram)) +(typeattributeset sysfs_zram_uevent_31_0 (sysfs_zram_uevent)) +(typeattributeset system_app_31_0 (system_app)) +(typeattributeset system_app_data_file_31_0 (system_app_data_file)) +(typeattributeset system_app_service_31_0 (system_app_service)) +(typeattributeset system_asan_options_file_31_0 (system_asan_options_file)) +(typeattributeset system_block_device_31_0 (system_block_device)) +(typeattributeset system_boot_reason_prop_31_0 (system_boot_reason_prop)) +(typeattributeset system_bootstrap_lib_file_31_0 (system_bootstrap_lib_file)) +(typeattributeset system_config_service_31_0 (system_config_service)) +(typeattributeset system_data_file_31_0 (system_data_file)) +(typeattributeset system_data_root_file_31_0 (system_data_root_file)) +(typeattributeset system_event_log_tags_file_31_0 (system_event_log_tags_file)) +(typeattributeset system_file_31_0 (system_file)) +(typeattributeset system_group_file_31_0 (system_group_file)) +(typeattributeset system_jvmti_agent_prop_31_0 (system_jvmti_agent_prop)) +(typeattributeset system_lib_file_31_0 (system_lib_file)) +(typeattributeset system_linker_config_file_31_0 (system_linker_config_file)) +(typeattributeset system_linker_exec_31_0 (system_linker_exec)) +(typeattributeset system_lmk_prop_31_0 (system_lmk_prop)) +(typeattributeset system_ndebug_socket_31_0 (system_ndebug_socket)) +(typeattributeset system_net_netd_hwservice_31_0 (system_net_netd_hwservice)) +(typeattributeset system_passwd_file_31_0 (system_passwd_file)) +(typeattributeset system_prop_31_0 (system_prop)) 
+(typeattributeset system_seccomp_policy_file_31_0 (system_seccomp_policy_file)) +(typeattributeset system_security_cacerts_file_31_0 (system_security_cacerts_file)) +(typeattributeset system_server_31_0 (system_server)) +(typeattributeset system_server_dumper_service_31_0 (system_server_dumper_service)) +(typeattributeset system_server_tmpfs_31_0 (system_server_tmpfs)) +(typeattributeset system_suspend_control_internal_service_31_0 (system_suspend_control_internal_service)) +(typeattributeset system_suspend_control_service_31_0 (system_suspend_control_service)) +(typeattributeset system_suspend_hwservice_31_0 (system_suspend_hwservice)) +(typeattributeset system_trace_prop_31_0 (system_trace_prop)) +(typeattributeset system_unsolzygote_socket_31_0 (system_unsolzygote_socket)) +(typeattributeset system_update_service_31_0 (system_update_service)) +(typeattributeset system_wifi_keystore_hwservice_31_0 (system_wifi_keystore_hwservice)) +(typeattributeset system_wpa_socket_31_0 (system_wpa_socket)) +(typeattributeset system_zoneinfo_file_31_0 (system_zoneinfo_file)) +(typeattributeset systemkeys_data_file_31_0 (systemkeys_data_file)) +(typeattributeset systemsound_config_prop_31_0 (systemsound_config_prop)) +(typeattributeset task_profiles_api_file_31_0 (task_profiles_api_file)) +(typeattributeset task_profiles_file_31_0 (task_profiles_file)) +(typeattributeset task_service_31_0 (task_service)) +(typeattributeset tcpdump_exec_31_0 (tcpdump_exec)) +(typeattributeset tee_31_0 (tee)) +(typeattributeset tee_data_file_31_0 (tee_data_file)) +(typeattributeset tee_device_31_0 (tee_device)) +(typeattributeset telecom_service_31_0 (telecom_service)) +(typeattributeset telephony_config_prop_31_0 (telephony_config_prop)) +(typeattributeset telephony_status_prop_31_0 (telephony_status_prop)) +(typeattributeset test_boot_reason_prop_31_0 (test_boot_reason_prop)) +(typeattributeset test_harness_prop_31_0 (test_harness_prop)) +(typeattributeset testharness_service_31_0 
(testharness_service)) +(typeattributeset tethering_service_31_0 (tethering_service)) +(typeattributeset textclassification_service_31_0 (textclassification_service)) +(typeattributeset textclassifier_data_file_31_0 (textclassifier_data_file)) +(typeattributeset textservices_service_31_0 (textservices_service)) +(typeattributeset texttospeech_service_31_0 (texttospeech_service)) +(typeattributeset theme_prop_31_0 (theme_prop)) +(typeattributeset thermal_service_31_0 (thermal_service)) +(typeattributeset time_prop_31_0 (time_prop)) +(typeattributeset timedetector_service_31_0 (timedetector_service)) +(typeattributeset timezone_service_31_0 (timezone_service)) +(typeattributeset timezonedetector_service_31_0 (timezonedetector_service)) +(typeattributeset tmpfs_31_0 (tmpfs)) +(typeattributeset tombstone_config_prop_31_0 (tombstone_config_prop)) +(typeattributeset tombstone_data_file_31_0 (tombstone_data_file)) +(typeattributeset tombstone_wifi_data_file_31_0 (tombstone_wifi_data_file)) +(typeattributeset tombstoned_31_0 (tombstoned)) +(typeattributeset tombstoned_crash_socket_31_0 (tombstoned_crash_socket)) +(typeattributeset tombstoned_exec_31_0 (tombstoned_exec)) +(typeattributeset tombstoned_intercept_socket_31_0 (tombstoned_intercept_socket)) +(typeattributeset tombstoned_java_trace_socket_31_0 (tombstoned_java_trace_socket)) +(typeattributeset toolbox_31_0 (toolbox)) +(typeattributeset toolbox_exec_31_0 (toolbox_exec)) +(typeattributeset trace_data_file_31_0 (trace_data_file)) +(typeattributeset traced_31_0 (traced)) +(typeattributeset traced_consumer_socket_31_0 (traced_consumer_socket)) +(typeattributeset traced_enabled_prop_31_0 (traced_enabled_prop)) +(typeattributeset traced_lazy_prop_31_0 (traced_lazy_prop)) +(typeattributeset traced_perf_31_0 (traced_perf)) +(typeattributeset traced_perf_socket_31_0 (traced_perf_socket)) +(typeattributeset traced_probes_31_0 (traced_probes)) +(typeattributeset traced_producer_socket_31_0 (traced_producer_socket)) 
+(typeattributeset traced_tmpfs_31_0 (traced_tmpfs)) +(typeattributeset traceur_app_31_0 (traceur_app)) +(typeattributeset translation_service_31_0 (translation_service)) +(typeattributeset trust_service_31_0 (trust_service)) +(typeattributeset tty_device_31_0 (tty_device)) +(typeattributeset tun_device_31_0 (tun_device)) +(typeattributeset tv_input_service_31_0 (tv_input_service)) +(typeattributeset tv_tuner_resource_mgr_service_31_0 (tv_tuner_resource_mgr_service)) +(typeattributeset tzdatacheck_31_0 (tzdatacheck)) +(typeattributeset tzdatacheck_exec_31_0 (tzdatacheck_exec)) +(typeattributeset ueventd_31_0 (ueventd)) +(typeattributeset ueventd_tmpfs_31_0 (ueventd_tmpfs)) +(typeattributeset uhid_device_31_0 (uhid_device)) +(typeattributeset uimode_service_31_0 (uimode_service)) +(typeattributeset uio_device_31_0 (uio_device)) +(typeattributeset uncrypt_31_0 (uncrypt)) +(typeattributeset uncrypt_exec_31_0 (uncrypt_exec)) +(typeattributeset uncrypt_socket_31_0 (uncrypt_socket)) +(typeattributeset unencrypted_data_file_31_0 (unencrypted_data_file)) +(typeattributeset unlabeled_31_0 (unlabeled)) +(typeattributeset untrusted_app_25_31_0 (untrusted_app_25)) +(typeattributeset untrusted_app_27_31_0 (untrusted_app_27)) +(typeattributeset untrusted_app_29_31_0 (untrusted_app_29)) +(typeattributeset untrusted_app_31_0 (untrusted_app)) +(typeattributeset update_engine_31_0 (update_engine)) +(typeattributeset update_engine_data_file_31_0 (update_engine_data_file)) +(typeattributeset update_engine_exec_31_0 (update_engine_exec)) +(typeattributeset update_engine_log_data_file_31_0 (update_engine_log_data_file)) +(typeattributeset update_engine_service_31_0 (update_engine_service)) +(typeattributeset update_engine_stable_service_31_0 (update_engine_stable_service)) +(typeattributeset update_verifier_31_0 (update_verifier)) +(typeattributeset update_verifier_exec_31_0 (update_verifier_exec)) +(typeattributeset updatelock_service_31_0 (updatelock_service)) +(typeattributeset 
uri_grants_service_31_0 (uri_grants_service)) +(typeattributeset usagestats_service_31_0 (usagestats_service)) +(typeattributeset usb_config_prop_31_0 (usb_config_prop)) +(typeattributeset usb_control_prop_31_0 (usb_control_prop)) +(typeattributeset usb_device_31_0 (usb_device)) +(typeattributeset usb_prop_31_0 (usb_prop)) +(typeattributeset usb_serial_device_31_0 (usb_serial_device)) +(typeattributeset usb_service_31_0 (usb_service)) +(typeattributeset usbaccessory_device_31_0 (usbaccessory_device)) +(typeattributeset usbd_31_0 (usbd)) +(typeattributeset usbd_exec_31_0 (usbd_exec)) +(typeattributeset usbfs_31_0 (usbfs)) +(typeattributeset use_memfd_prop_31_0 (use_memfd_prop)) +(typeattributeset user_profile_data_file_31_0 (user_profile_data_file)) +(typeattributeset user_profile_root_file_31_0 (user_profile_root_file)) +(typeattributeset user_service_31_0 (user_service)) +(typeattributeset userdata_block_device_31_0 (userdata_block_device)) +(typeattributeset userdata_sysdev_31_0 (userdata_sysdev)) +(typeattributeset usermodehelper_31_0 (usermodehelper)) +(typeattributeset userspace_reboot_config_prop_31_0 (userspace_reboot_config_prop)) +(typeattributeset userspace_reboot_exported_prop_31_0 (userspace_reboot_exported_prop)) +(typeattributeset userspace_reboot_metadata_file_31_0 (userspace_reboot_metadata_file)) +(typeattributeset uwb_service_31_0 (uwb_service)) +(typeattributeset vcn_management_service_31_0 (vcn_management_service)) +(typeattributeset vd_device_31_0 (vd_device)) +(typeattributeset vdc_31_0 (vdc)) +(typeattributeset vdc_exec_31_0 (vdc_exec)) +(typeattributeset vehicle_hal_prop_31_0 (vehicle_hal_prop)) +(typeattributeset vendor_apex_file_31_0 (vendor_apex_file)) +(typeattributeset vendor_app_file_31_0 (vendor_app_file)) +(typeattributeset vendor_cgroup_desc_file_31_0 (vendor_cgroup_desc_file)) +(typeattributeset vendor_configs_file_31_0 (vendor_configs_file)) +(typeattributeset vendor_data_file_31_0 (vendor_data_file)) +(typeattributeset 
vendor_default_prop_31_0 (vendor_default_prop)) +(typeattributeset vendor_file_31_0 (vendor_file)) +(typeattributeset vendor_framework_file_31_0 (vendor_framework_file)) +(typeattributeset vendor_hal_file_31_0 (vendor_hal_file)) +(typeattributeset vendor_idc_file_31_0 (vendor_idc_file)) +(typeattributeset vendor_init_31_0 (vendor_init)) +(typeattributeset vendor_kernel_modules_31_0 (vendor_kernel_modules)) +(typeattributeset vendor_keychars_file_31_0 (vendor_keychars_file)) +(typeattributeset vendor_keylayout_file_31_0 (vendor_keylayout_file)) +(typeattributeset vendor_misc_writer_31_0 (vendor_misc_writer)) +(typeattributeset vendor_misc_writer_exec_31_0 (vendor_misc_writer_exec)) +(typeattributeset vendor_modprobe_31_0 (vendor_modprobe)) +(typeattributeset vendor_overlay_file_31_0 (vendor_overlay_file)) +(typeattributeset vendor_public_framework_file_31_0 (vendor_public_framework_file)) +(typeattributeset vendor_public_lib_file_31_0 (vendor_public_lib_file)) +(typeattributeset vendor_security_patch_level_prop_31_0 (vendor_security_patch_level_prop)) +(typeattributeset vendor_service_contexts_file_31_0 (vendor_service_contexts_file)) +(typeattributeset vendor_shell_31_0 (vendor_shell)) +(typeattributeset vendor_shell_exec_31_0 (vendor_shell_exec)) +(typeattributeset vendor_socket_hook_prop_31_0 (vendor_socket_hook_prop)) +(typeattributeset vendor_task_profiles_file_31_0 (vendor_task_profiles_file)) +(typeattributeset vendor_toolbox_exec_31_0 (vendor_toolbox_exec)) +(typeattributeset vfat_31_0 (vfat)) +(typeattributeset vibrator_manager_service_31_0 (vibrator_manager_service)) +(typeattributeset vibrator_service_31_0 (vibrator_service)) +(typeattributeset video_device_31_0 (video_device)) +(typeattributeset virtual_ab_prop_31_0 (virtual_ab_prop)) +(typeattributeset virtual_touchpad_31_0 (virtual_touchpad)) +(typeattributeset virtual_touchpad_exec_31_0 (virtual_touchpad_exec)) +(typeattributeset virtual_touchpad_service_31_0 (virtual_touchpad_service)) 
+(typeattributeset virtualization_service_31_0 (virtualization_service)) +(typeattributeset vndbinder_device_31_0 (vndbinder_device)) +(typeattributeset vndk_prop_31_0 (vndk_prop)) +(typeattributeset vndk_sp_file_31_0 (vndk_sp_file)) +(typeattributeset vndservice_contexts_file_31_0 (vndservice_contexts_file)) +(typeattributeset vndservicemanager_31_0 (vndservicemanager)) +(typeattributeset voiceinteraction_service_31_0 (voiceinteraction_service)) +(typeattributeset vold_31_0 (vold)) +(typeattributeset vold_config_prop_31_0 (vold_config_prop)) +(typeattributeset vold_data_file_31_0 (vold_data_file)) +(typeattributeset vold_device_31_0 (vold_device)) +(typeattributeset vold_exec_31_0 (vold_exec)) +(typeattributeset vold_metadata_file_31_0 (vold_metadata_file)) +(typeattributeset vold_post_fs_data_prop_31_0 (vold_post_fs_data_prop)) +(typeattributeset vold_prepare_subdirs_31_0 (vold_prepare_subdirs)) +(typeattributeset vold_prepare_subdirs_exec_31_0 (vold_prepare_subdirs_exec)) +(typeattributeset vold_prop_31_0 (vold_prop)) +(typeattributeset vold_service_31_0 (vold_service)) +(typeattributeset vold_status_prop_31_0 (vold_status_prop)) +(typeattributeset vpn_data_file_31_0 (vpn_data_file)) +(typeattributeset vpn_management_service_31_0 (vpn_management_service)) +(typeattributeset vr_hwc_31_0 (vr_hwc)) +(typeattributeset vr_hwc_exec_31_0 (vr_hwc_exec)) +(typeattributeset vr_hwc_service_31_0 (vr_hwc_service)) +(typeattributeset vr_manager_service_31_0 (vr_manager_service)) +(typeattributeset vrflinger_vsync_service_31_0 (vrflinger_vsync_service)) +(typeattributeset vts_config_prop_31_0 (vts_config_prop)) +(typeattributeset vts_status_prop_31_0 (vts_status_prop)) +(typeattributeset wallpaper_file_31_0 (wallpaper_file)) +(typeattributeset wallpaper_service_31_0 (wallpaper_service)) +(typeattributeset watchdog_device_31_0 (watchdog_device)) +(typeattributeset watchdog_metadata_file_31_0 (watchdog_metadata_file)) +(typeattributeset watchdogd_31_0 (watchdogd)) 
+(typeattributeset watchdogd_exec_31_0 (watchdogd_exec)) +(typeattributeset webview_zygote_31_0 (webview_zygote)) +(typeattributeset webview_zygote_exec_31_0 (webview_zygote_exec)) +(typeattributeset webview_zygote_tmpfs_31_0 (webview_zygote_tmpfs)) +(typeattributeset webviewupdate_service_31_0 (webviewupdate_service)) +(typeattributeset wifi_config_prop_31_0 (wifi_config_prop)) +(typeattributeset wifi_data_file_31_0 (wifi_data_file)) +(typeattributeset wifi_hal_prop_31_0 (wifi_hal_prop)) +(typeattributeset wifi_key_31_0 (wifi_key)) +(typeattributeset wifi_log_prop_31_0 (wifi_log_prop)) +(typeattributeset wifi_prop_31_0 (wifi_prop)) +(typeattributeset wifi_service_31_0 (wifi_service)) +(typeattributeset wifiaware_service_31_0 (wifiaware_service)) +(typeattributeset wificond_31_0 (wificond)) +(typeattributeset wificond_exec_31_0 (wificond_exec)) +(typeattributeset wifinl80211_service_31_0 (wifinl80211_service)) +(typeattributeset wifip2p_service_31_0 (wifip2p_service)) +(typeattributeset wifiscanner_service_31_0 (wifiscanner_service)) +(typeattributeset window_service_31_0 (window_service)) +(typeattributeset wpa_socket_31_0 (wpa_socket)) +(typeattributeset wpantund_31_0 (wpantund)) +(typeattributeset wpantund_exec_31_0 (wpantund_exec)) +(typeattributeset wpantund_service_31_0 (wpantund_service)) +(typeattributeset zero_device_31_0 (zero_device)) +(typeattributeset zoneinfo_data_file_31_0 (zoneinfo_data_file)) +(typeattributeset zram_config_prop_31_0 (zram_config_prop)) +(typeattributeset zram_control_prop_31_0 (zram_control_prop)) +(typeattributeset zygote_31_0 (zygote)) +(typeattributeset zygote_config_prop_31_0 (zygote_config_prop)) +(typeattributeset zygote_exec_31_0 (zygote_exec)) +(typeattributeset zygote_socket_31_0 (zygote_socket)) +(typeattributeset zygote_tmpfs_31_0 (zygote_tmpfs)) diff --git a/private/compat/31.0/31.0.compat.cil b/private/compat/31.0/31.0.compat.cil new file mode 100644 index 000000000..628abfcda --- /dev/null 
+++ b/private/compat/31.0/31.0.compat.cil @@ -0,0 +1 @@ +;; This file can't be empty. diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil new file mode 100644 index 000000000..4e95cc6e4 --- /dev/null +++ b/private/compat/31.0/31.0.ignore.cil @@ -0,0 +1,9 @@ +;; new_objects - a collection of types that have been introduced that have no +;; analogue in older policy. Thus, we do not need to map these types to +;; previous ones. Add here to pass checkapi tests. +(type new_objects) +(typeattribute new_objects) +(typeattributeset new_objects + ( new_objects + hypervisor_prop + )) diff --git a/private/dumpstate.te b/private/dumpstate.te index 37a9a0c8b..4fad5852f 100644 --- a/private/dumpstate.te +++ b/private/dumpstate.te @@ -91,6 +91,9 @@ set_prop(dumpstate, ctl_dumpstate_prop) set_prop(dumpstate, lpdumpd_prop) binder_call(dumpstate, lpdumpd) +# For dumping hypervisor information. +get_prop(dumpstate, hypervisor_prop) + # For dumping device-mapper and snapshot information. allow dumpstate gsid_exec:file rx_file_perms; set_prop(dumpstate, ctl_gsid_prop) diff --git a/private/file_contexts b/private/file_contexts index 923f30c91..d61bf0f44 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -374,6 +374,7 @@ /system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0 /system/bin/snapuserd u:object_r:snapuserd_exec:s0 /system/bin/odsign u:object_r:odsign_exec:s0 +/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0 ############################# # Vendor files 
@@ -477,6 +478,7 @@ /(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0 /(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0 /(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0 +/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0 /(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0 /(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0 diff --git a/private/init.te b/private/init.te index f569e0c2d..200780dfb 100644 --- a/private/init.te +++ b/private/init.te @@ -92,6 +92,9 @@ neverallow { domain -init } vts_status_prop:property_service set; # Only init can write normal ro.boot. properties neverallow { domain -init } bootloader_prop:property_service set; +# Only init can write ro.boot.hypervisor properties +neverallow { domain -init } hypervisor_prop:property_service set; + # Only init can write hal.instrumentation.enable neverallow { domain -init } hal_instrumentation_prop:property_service set; diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te index 0e4a50ee6..742da1f12 100644 --- a/private/mediaprovider_app.te +++ b/private/mediaprovider_app.te @@ -21,6 +21,9 @@ allow mediaprovider_app drmserver_service:service_manager find; # Talk to the MediaServer service allow mediaprovider_app mediaserver_service:service_manager find; +# Talk to the MediaCodec APIs that log media metrics +allow mediaprovider_app mediametrics_service:service_manager find; + # Talk to regular app services allow mediaprovider_app app_api_service:service_manager find; 
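Review bot: The new neverallow in init.te covers only the `hypervisor_prop` type, and the property_contexts hunk on the next line labels just `ro.boot.hypervisor.version` with an `exact` entry, so the comment "Only init can write ro.boot.hypervisor properties" promises a family the labeling does not yet establish. Any other `ro.boot.hypervisor.*` key would presumably fall under whatever prefix rule already covers `ro.boot.` (likely `bootloader_prop`, which the preceding neverallow also restricts to init), but that is an inference worth confirming. Either add a prefix entry in property_contexts or narrow the comment to `# Only init can write ro.boot.hypervisor.* properties (currently ro.boot.hypervisor.version)`. The same wording issue applies to the "Properties specific to virtualized deployments of Android" comment in the property_contexts hunk.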
@@ -54,3 +57,5 @@ get_prop(mediaprovider_app, storage_config_prop) get_prop(mediaprovider_app, drm_service_config_prop) allow mediaprovider_app gpu_device:dir search; + +dontaudit mediaprovider_app sysfs_vendor_sched:dir search; diff --git a/private/property_contexts b/private/property_contexts index 8cd0e425e..f8c887a9b 100644 --- a/private/property_contexts +++ b/private/property_contexts @@ -323,6 +323,9 @@ audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool +# Boolean property used in AudioService to configure whether +# spatializer functionality should be initialized +ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string @@ -672,6 +675,8 @@ ro.boot.revision u:object_r:bootloader_prop:s0 exact string ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string +# Properties specific to virtualized deployments of Android +ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string # These ro.X properties are set to values of ro.boot.X by property_service. ro.baseband u:object_r:bootloader_prop:s0 exact string 
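Review bot: The added `dontaudit mediaprovider_app sysfs_vendor_sched:dir search;` carries no rationale, while every neighbouring rule in this file (the `# Talk to ...` comments in the previous hunk) explains what it is for. A dontaudit hides denials rather than granting access, so a later investigator who sees no log entry needs the comment to know which code path probes that sysfs directory and why the access was judged unnecessary. Suggest a line such as `# Silence harmless denials when searching sysfs_vendor_sched dirs; no access is granted (see <bug or source, TODO>)` above the rule.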
@@ -1108,6 +1113,8 @@ cache_key.telephony. u:object_r:binder_cache_telephony_serve framework_watchdog.fatal_count u:object_r:framework_watchdog_config_prop:s0 exact int framework_watchdog.fatal_window.second u:object_r:framework_watchdog_config_prop:s0 exact int +gsm.operator.iso-country u:object_r:telephony_status_prop:s0 exact string +gsm.sim.operator.iso-country u:object_r:telephony_status_prop:s0 exact string gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool diff --git a/private/shell.te b/private/shell.te index 40b19fde0..ba9e972a1 100644 --- a/private/shell.te +++ b/private/shell.te @@ -106,8 +106,16 @@ allowxperm shell shell_data_file:dir ioctl { # Allow shell to execute simpleperf without a domain transition. allow shell simpleperf_exec:file rx_file_perms; -# Allow shell to execute profcollectctl without a domain transition. -allow shell profcollectd_exec:file rx_file_perms; +userdebug_or_eng(` + # Allow shell to execute profcollectctl without a domain transition. + allow shell profcollectd_exec:file rx_file_perms; + + # Allow shell to read profcollectd data files. + r_dir_file(shell, profcollectd_data_file) + + # Allow to issue control commands to profcollectd binder service. + allow shell profcollectd:binder call; +') # Allow shell to call perf_event_open for profiling other shell processes, but # not the whole system. @@ -173,11 +181,6 @@ get_prop(shell, build_bootimage_prop) userdebug_or_eng(`set_prop(shell, persist_debug_prop)') -# Allow to issue control commands to profcollectd binder service. -userdebug_or_eng(` - allow shell profcollectd:binder call; -') - # Allow shell to read the keystore key contexts files. Used by native tests to test label lookup. allow shell keystore2_key_contexts_file:file r_file_perms; diff --git a/private/vdc.te b/private/vdc.te index bc7409eee..63c9c2a0e 100644 --- a/private/vdc.te +++ b/private/vdc.te 
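Review bot: In the first shell.te hunk the previously unconditional `allow shell profcollectd_exec:file rx_file_perms;` now lives inside `userdebug_or_eng(...)`, which silently removes shell's ability to run profcollectctl on user builds; if that narrowing is intended it should be stated, since the per-rule comments only describe what each rule allows. Suggest a header line for the block such as `# profcollectd is only reachable from shell on debuggable builds.` The block also newly grants `r_dir_file(shell, profcollectd_data_file)`, so the comment should mention that collected profile data becomes readable from shell on those builds. The second hunk is the matching deletion of the old binder-call block and needs nothing.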
@@ -1,3 +1,6 @@ typeattribute vdc coredomain; init_daemon_domain(vdc) + +# Allow stdin/out back to vehicle_binding_util +allow vdc vehicle_binding_util:fd use; diff --git a/private/vehicle_binding_util.te b/private/vehicle_binding_util.te new file mode 100644 index 000000000..76d075600 --- /dev/null +++ b/private/vehicle_binding_util.te @@ -0,0 +1,20 @@ +# vehicle binding util startup application +type vehicle_binding_util, domain, coredomain; + +# allow init to start vehicle_binding_util +type vehicle_binding_util_exec, exec_type, file_type, system_file_type; +init_daemon_domain(vehicle_binding_util) + +# allow writing to kmsg during boot +allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms }; + +# allow reading the binding property from vhal +hwbinder_use(vehicle_binding_util) +hal_client_domain(vehicle_binding_util, hal_vehicle) + +# allow executing vdc +domain_auto_trans(vehicle_binding_util, vdc_exec, vdc) + +# devpts is needed to redirect output from vdc +allow vehicle_binding_util devpts:chr_file rw_file_perms; + diff --git a/public/audioserver.te b/public/audioserver.te index a8a33cc5a..d593567aa 100644 --- a/public/audioserver.te +++ b/public/audioserver.te @@ -4,3 +4,7 @@ type audioserver_tmpfs, file_type; # Allow audioserver to signal audio HAL processes and dump their stacks. allow audioserver hal_audio_server:process signal; + +# Allow audioserver to access sensorservice. +allow audioserver sensorservice_service:service_manager find; +allow audioserver system_server:unix_stream_socket { read write }; diff --git a/public/property.te b/public/property.te index 1d3f358fd..2b2af6d19 100644 --- a/public/property.te +++ b/public/property.te 
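Review bot: In the new vehicle_binding_util.te, `allow vehicle_binding_util devpts:chr_file rw_file_perms;` is broader than its comment "devpts is needed to redirect output from vdc": the rule grants read as well as write on any devpts chr_file the domain can reach, while the stated purpose is capturing vdc's output, which vdc itself reaches through the inherited fd (the `fd use` rule in the vdc.te hunk above). If the utility only writes to the pty, `w_file_perms` would match the comment; please confirm against what the binary actually does with the terminal before narrowing. The file also ends with a trailing blank line after the last rule. The `kmsg_device` and `hal_client_domain(vehicle_binding_util, hal_vehicle)` rules read as intended for a boot-time helper and need no change.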
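Review bot: In the audioserver.te hunk the comment "Allow audioserver to access sensorservice" explains the `service_manager find` rule, but the second line `allow audioserver system_server:unix_stream_socket { read write };` applies to every unix stream socket owned by system_server, not just one tied to sensorservice. Since no create or connectto permission is granted here, the socket is presumably created by system_server and handed to audioserver as an fd over binder; that is an inference and should be confirmed. Recording it makes the breadth of the rule reviewable later, e.g. `# Sensor event connections are unix stream sockets created by system_server and passed to audioserver over binder.` Note this is public policy, so the grant is visible to vendor policy as well.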
@@ -69,6 +69,7 @@ system_restricted_prop(device_config_runtime_native_boot_prop) system_restricted_prop(device_config_runtime_native_prop) system_restricted_prop(fingerprint_prop) system_restricted_prop(hal_instrumentation_prop) +system_restricted_prop(hypervisor_prop) system_restricted_prop(init_service_status_prop) system_restricted_prop(libc_debug_prop) system_restricted_prop(module_sdkextensions_prop) |