xref: /aosp_15_r20/out/soong/.intermediates/system/sepolicy/prebuilts/api/29.0/29.0_product_pub_policy.conf/android_common/29.0_product_pub_policy.conf

#line 1 "system/sepolicy/flagging/flagging_macros"
####################################
# is_flag_enabled(flag, rules)
# SELinux rules which apply only if given feature is turned on


####################################
# is_flag_disabled(flag, rules)
# SELinux rules which apply only if given feature is turned off


####################################
# starting_at_board_api(api_level, rules_if_api_level)
#
# This macro conditionally exposes SELinux rules ensuring they are available
# only when the board API level is at or above the specified 'api_level'.


####################################
# until_board_api(api_level, rules_if_lower_api_level)
#
# This macro conditionally exposes SELinux rules ensuring they are available
# only when the board API level is below the specified 'api_level'.

#line 1 "system/sepolicy/reqd_mask/security_classes"
# FLASK

#
# Define the security object classes
#

# Classes marked as userspace are classes
# for userspace object managers

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class anon_inode
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

# extended netlink sockets
class netlink_route_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_dnrt_socket

# IPSec association
class association

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket

class appletalk_socket

class packet

# Kernel access key retention
class key

class dccp_socket

class memprotect

# network peer labels
class peer

# Capabilities >= 32
class capability2

# kernel services that need to override task security, e.g. cachefiles
class kernel_service

class tun_socket

class binder

# Updated netlink classes for more recent netlink protocols.
class netlink_iscsi_socket
class netlink_fib_lookup_socket
class netlink_connector_socket
class netlink_netfilter_socket
class netlink_generic_socket
class netlink_scsitransport_socket
class netlink_rdma_socket
class netlink_crypto_socket

# Infiniband
class infiniband_pkey
class infiniband_endport

# Capability checks when on a non-init user namespace
class cap_userns
class cap2_userns

# New socket classes introduced by extended_socket_class policy capability.
# These two were previously mapped to rawip_socket.
class sctp_socket
class icmp_socket
# These were previously mapped to socket.
class ax25_socket
class ipx_socket
class netrom_socket
class atmpvc_socket
class x25_socket
class rose_socket
class decnet_socket
class atmsvc_socket
class rds_socket
class irda_socket
class pppox_socket
class llc_socket
class can_socket
class tipc_socket
class bluetooth_socket
class iucv_socket
class rxrpc_socket
class isdn_socket
class phonet_socket
class ieee802154_socket
class caif_socket
class alg_socket
class nfc_socket
class vsock_socket
class kcm_socket
class qipcrtr_socket
class smc_socket
class xdp_socket
class mctp_socket

class process2

class bpf

class perf_event

class io_uring

# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown

class user_namespace

# Property service
class property_service          # userspace

# Service manager
class service_manager           # userspace

# hardware service manager      # userspace
class hwservice_manager

# Legacy Keystore key permissions
class keystore_key              # userspace

# Keystore 2.0 permissions
class keystore2                 # userspace

# Keystore 2.0 key permissions
class keystore2_key             # userspace

# Diced permissions
class diced                     # userspace

class drmservice                # userspace
# FLASK

# Permissions for VMs to access SMC services
class tee_service            		# userspace
#line 1 "system/sepolicy/reqd_mask/initial_sids"
sid reqd_mask

# FLASK
#line 1 "system/sepolicy/reqd_mask/access_vectors"
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
	audit_access
	open
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

common cap2
{
	mac_override	# unused by SELinux
	mac_admin
	syslog
	wake_alarm
	block_suspend
	audit_read
	perfmon


}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans
	entrypoint
}

class anon_inode
inherits file

class lnk_file
inherits file

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
}

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}

class process2
{
	nnp_transition
	nosuid_transition
}

#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_readpriv
	nlmsg_getneigh
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

class infiniband_pkey
{
	access
}

class infiniband_endport
{
	manage_subnet
}

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

class xdp_socket
inherits socket

class mctp_socket
inherits socket

class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

class keystore_key # No longer used
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

class keystore2
{
	add_auth
	change_password
	change_user
	clear_ns
	clear_uid
	delete_all_keys
	early_boot_ended
	get_attestation_key
	get_auth_token
	get_last_auth_time
	get_state # No longer used
	list
	lock
	pull_metrics
	report_off_body # No longer used
	reset
	unlock
}

class keystore2_key
{
	convert_storage_key_to_ephemeral
	delete
	gen_unique_id
	get_info
	grant
	manage_blob
	rebind
	req_forced_op
	update
	use
	use_dev_id
}

class diced
{
	demote
	demote_self
	derive
	get_attestation_chain
	use_seal
	use_sign
}

class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}

class perf_event
{
	open
	cpu
	kernel
	tracepoint
	read
	write
}

class lockdown
{
	integrity
	confidentiality
}

class io_uring
{
	override_creds
	sqpoll
	cmd
}

class user_namespace
{
	create
}

class tee_service
{
	use
}
#line 1 "system/sepolicy/prebuilts/api/29.0/public/global_macros"
#####################################
# Common groupings of object classes.
#

















#####################################
# Common groupings of permissions.
#




















#####################################
# Common socket permission sets.






#line 1 "system/sepolicy/prebuilts/api/29.0/public/neverallow_macros"
#
# Common neverallow permissions





#####################################
# neverallow_establish_socket_comms(src, dst)
# neverallow src domain establishing socket connections to dst domain.
#
#line 15

#line 1 "system/sepolicy/reqd_mask/mls_macros"
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
#line 10




########################################
#
# gen_sens(N)
#
# declares sensitivites s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
#line 24




#line 34


########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
#line 45




########################################
#
# Basic level names for system low and high
#


#line 1 "system/sepolicy/reqd_mask/mls_decl"
#########################################
# MLS declarations
#

# Generate the desired number of sensitivities and categories.

#line 6
# Each sensitivity has a name and zero or more aliases.
#line 6
sensitivity s0;
#line 6

#line 6

#line 6
# Define the ordering of the sensitivity levels (least to greatest)
#line 6
dominance { s0  }
#line 6

category c0;
#line 7
category c1;
#line 7
category c2;
#line 7
category c3;
#line 7
category c4;
#line 7
category c5;
#line 7
category c6;
#line 7
category c7;
#line 7
category c8;
#line 7
category c9;
#line 7
category c10;
#line 7
category c11;
#line 7
category c12;
#line 7
category c13;
#line 7
category c14;
#line 7
category c15;
#line 7
category c16;
#line 7
category c17;
#line 7
category c18;
#line 7
category c19;
#line 7
category c20;
#line 7
category c21;
#line 7
category c22;
#line 7
category c23;
#line 7
category c24;
#line 7
category c25;
#line 7
category c26;
#line 7
category c27;
#line 7
category c28;
#line 7
category c29;
#line 7
category c30;
#line 7
category c31;
#line 7
category c32;
#line 7
category c33;
#line 7
category c34;
#line 7
category c35;
#line 7
category c36;
#line 7
category c37;
#line 7
category c38;
#line 7
category c39;
#line 7
category c40;
#line 7
category c41;
#line 7
category c42;
#line 7
category c43;
#line 7
category c44;
#line 7
category c45;
#line 7
category c46;
#line 7
category c47;
#line 7
category c48;
#line 7
category c49;
#line 7
category c50;
#line 7
category c51;
#line 7
category c52;
#line 7
category c53;
#line 7
category c54;
#line 7
category c55;
#line 7
category c56;
#line 7
category c57;
#line 7
category c58;
#line 7
category c59;
#line 7
category c60;
#line 7
category c61;
#line 7
category c62;
#line 7
category c63;
#line 7
category c64;
#line 7
category c65;
#line 7
category c66;
#line 7
category c67;
#line 7
category c68;
#line 7
category c69;
#line 7
category c70;
#line 7
category c71;
#line 7
category c72;
#line 7
category c73;
#line 7
category c74;
#line 7
category c75;
#line 7
category c76;
#line 7
category c77;
#line 7
category c78;
#line 7
category c79;
#line 7
category c80;
#line 7
category c81;
#line 7
category c82;
#line 7
category c83;
#line 7
category c84;
#line 7
category c85;
#line 7
category c86;
#line 7
category c87;
#line 7
category c88;
#line 7
category c89;
#line 7
category c90;
#line 7
category c91;
#line 7
category c92;
#line 7
category c93;
#line 7
category c94;
#line 7
category c95;
#line 7
category c96;
#line 7
category c97;
#line 7
category c98;
#line 7
category c99;
#line 7
category c100;
#line 7
category c101;
#line 7
category c102;
#line 7
category c103;
#line 7
category c104;
#line 7
category c105;
#line 7
category c106;
#line 7
category c107;
#line 7
category c108;
#line 7
category c109;
#line 7
category c110;
#line 7
category c111;
#line 7
category c112;
#line 7
category c113;
#line 7
category c114;
#line 7
category c115;
#line 7
category c116;
#line 7
category c117;
#line 7
category c118;
#line 7
category c119;
#line 7
category c120;
#line 7
category c121;
#line 7
category c122;
#line 7
category c123;
#line 7
category c124;
#line 7
category c125;
#line 7
category c126;
#line 7
category c127;
#line 7
category c128;
#line 7
category c129;
#line 7
category c130;
#line 7
category c131;
#line 7
category c132;
#line 7
category c133;
#line 7
category c134;
#line 7
category c135;
#line 7
category c136;
#line 7
category c137;
#line 7
category c138;
#line 7
category c139;
#line 7
category c140;
#line 7
category c141;
#line 7
category c142;
#line 7
category c143;
#line 7
category c144;
#line 7
category c145;
#line 7
category c146;
#line 7
category c147;
#line 7
category c148;
#line 7
category c149;
#line 7
category c150;
#line 7
category c151;
#line 7
category c152;
#line 7
category c153;
#line 7
category c154;
#line 7
category c155;
#line 7
category c156;
#line 7
category c157;
#line 7
category c158;
#line 7
category c159;
#line 7
category c160;
#line 7
category c161;
#line 7
category c162;
#line 7
category c163;
#line 7
category c164;
#line 7
category c165;
#line 7
category c166;
#line 7
category c167;
#line 7
category c168;
#line 7
category c169;
#line 7
category c170;
#line 7
category c171;
#line 7
category c172;
#line 7
category c173;
#line 7
category c174;
#line 7
category c175;
#line 7
category c176;
#line 7
category c177;
#line 7
category c178;
#line 7
category c179;
#line 7
category c180;
#line 7
category c181;
#line 7
category c182;
#line 7
category c183;
#line 7
category c184;
#line 7
category c185;
#line 7
category c186;
#line 7
category c187;
#line 7
category c188;
#line 7
category c189;
#line 7
category c190;
#line 7
category c191;
#line 7
category c192;
#line 7
category c193;
#line 7
category c194;
#line 7
category c195;
#line 7
category c196;
#line 7
category c197;
#line 7
category c198;
#line 7
category c199;
#line 7
category c200;
#line 7
category c201;
#line 7
category c202;
#line 7
category c203;
#line 7
category c204;
#line 7
category c205;
#line 7
category c206;
#line 7
category c207;
#line 7
category c208;
#line 7
category c209;
#line 7
category c210;
#line 7
category c211;
#line 7
category c212;
#line 7
category c213;
#line 7
category c214;
#line 7
category c215;
#line 7
category c216;
#line 7
category c217;
#line 7
category c218;
#line 7
category c219;
#line 7
category c220;
#line 7
category c221;
#line 7
category c222;
#line 7
category c223;
#line 7
category c224;
#line 7
category c225;
#line 7
category c226;
#line 7
category c227;
#line 7
category c228;
#line 7
category c229;
#line 7
category c230;
#line 7
category c231;
#line 7
category c232;
#line 7
category c233;
#line 7
category c234;
#line 7
category c235;
#line 7
category c236;
#line 7
category c237;
#line 7
category c238;
#line 7
category c239;
#line 7
category c240;
#line 7
category c241;
#line 7
category c242;
#line 7
category c243;
#line 7
category c244;
#line 7
category c245;
#line 7
category c246;
#line 7
category c247;
#line 7
category c248;
#line 7
category c249;
#line 7
category c250;
#line 7
category c251;
#line 7
category c252;
#line 7
category c253;
#line 7
category c254;
#line 7
category c255;
#line 7
category c256;
#line 7
category c257;
#line 7
category c258;
#line 7
category c259;
#line 7
category c260;
#line 7
category c261;
#line 7
category c262;
#line 7
category c263;
#line 7
category c264;
#line 7
category c265;
#line 7
category c266;
#line 7
category c267;
#line 7
category c268;
#line 7
category c269;
#line 7
category c270;
#line 7
category c271;
#line 7
category c272;
#line 7
category c273;
#line 7
category c274;
#line 7
category c275;
#line 7
category c276;
#line 7
category c277;
#line 7
category c278;
#line 7
category c279;
#line 7
category c280;
#line 7
category c281;
#line 7
category c282;
#line 7
category c283;
#line 7
category c284;
#line 7
category c285;
#line 7
category c286;
#line 7
category c287;
#line 7
category c288;
#line 7
category c289;
#line 7
category c290;
#line 7
category c291;
#line 7
category c292;
#line 7
category c293;
#line 7
category c294;
#line 7
category c295;
#line 7
category c296;
#line 7
category c297;
#line 7
category c298;
#line 7
category c299;
#line 7
category c300;
#line 7
category c301;
#line 7
category c302;
#line 7
category c303;
#line 7
category c304;
#line 7
category c305;
#line 7
category c306;
#line 7
category c307;
#line 7
category c308;
#line 7
category c309;
#line 7
category c310;
#line 7
category c311;
#line 7
category c312;
#line 7
category c313;
#line 7
category c314;
#line 7
category c315;
#line 7
category c316;
#line 7
category c317;
#line 7
category c318;
#line 7
category c319;
#line 7
category c320;
#line 7
category c321;
#line 7
category c322;
#line 7
category c323;
#line 7
category c324;
#line 7
category c325;
#line 7
category c326;
#line 7
category c327;
#line 7
category c328;
#line 7
category c329;
#line 7
category c330;
#line 7
category c331;
#line 7
category c332;
#line 7
category c333;
#line 7
category c334;
#line 7
category c335;
#line 7
category c336;
#line 7
category c337;
#line 7
category c338;
#line 7
category c339;
#line 7
category c340;
#line 7
category c341;
#line 7
category c342;
#line 7
category c343;
#line 7
category c344;
#line 7
category c345;
#line 7
category c346;
#line 7
category c347;
#line 7
category c348;
#line 7
category c349;
#line 7
category c350;
#line 7
category c351;
#line 7
category c352;
#line 7
category c353;
#line 7
category c354;
#line 7
category c355;
#line 7
category c356;
#line 7
category c357;
#line 7
category c358;
#line 7
category c359;
#line 7
category c360;
#line 7
category c361;
#line 7
category c362;
#line 7
category c363;
#line 7
category c364;
#line 7
category c365;
#line 7
category c366;
#line 7
category c367;
#line 7
category c368;
#line 7
category c369;
#line 7
category c370;
#line 7
category c371;
#line 7
category c372;
#line 7
category c373;
#line 7
category c374;
#line 7
category c375;
#line 7
category c376;
#line 7
category c377;
#line 7
category c378;
#line 7
category c379;
#line 7
category c380;
#line 7
category c381;
#line 7
category c382;
#line 7
category c383;
#line 7
category c384;
#line 7
category c385;
#line 7
category c386;
#line 7
category c387;
#line 7
category c388;
#line 7
category c389;
#line 7
category c390;
#line 7
category c391;
#line 7
category c392;
#line 7
category c393;
#line 7
category c394;
#line 7
category c395;
#line 7
category c396;
#line 7
category c397;
#line 7
category c398;
#line 7
category c399;
#line 7
category c400;
#line 7
category c401;
#line 7
category c402;
#line 7
category c403;
#line 7
category c404;
#line 7
category c405;
#line 7
category c406;
#line 7
category c407;
#line 7
category c408;
#line 7
category c409;
#line 7
category c410;
#line 7
category c411;
#line 7
category c412;
#line 7
category c413;
#line 7
category c414;
#line 7
category c415;
#line 7
category c416;
#line 7
category c417;
#line 7
category c418;
#line 7
category c419;
#line 7
category c420;
#line 7
category c421;
#line 7
category c422;
#line 7
category c423;
#line 7
category c424;
#line 7
category c425;
#line 7
category c426;
#line 7
category c427;
#line 7
category c428;
#line 7
category c429;
#line 7
category c430;
#line 7
category c431;
#line 7
category c432;
#line 7
category c433;
#line 7
category c434;
#line 7
category c435;
#line 7
category c436;
#line 7
category c437;
#line 7
category c438;
#line 7
category c439;
#line 7
category c440;
#line 7
category c441;
#line 7
category c442;
#line 7
category c443;
#line 7
category c444;
#line 7
category c445;
#line 7
category c446;
#line 7
category c447;
#line 7
category c448;
#line 7
category c449;
#line 7
category c450;
#line 7
category c451;
#line 7
category c452;
#line 7
category c453;
#line 7
category c454;
#line 7
category c455;
#line 7
category c456;
#line 7
category c457;
#line 7
category c458;
#line 7
category c459;
#line 7
category c460;
#line 7
category c461;
#line 7
category c462;
#line 7
category c463;
#line 7
category c464;
#line 7
category c465;
#line 7
category c466;
#line 7
category c467;
#line 7
category c468;
#line 7
category c469;
#line 7
category c470;
#line 7
category c471;
#line 7
category c472;
#line 7
category c473;
#line 7
category c474;
#line 7
category c475;
#line 7
category c476;
#line 7
category c477;
#line 7
category c478;
#line 7
category c479;
#line 7
category c480;
#line 7
category c481;
#line 7
category c482;
#line 7
category c483;
#line 7
category c484;
#line 7
category c485;
#line 7
category c486;
#line 7
category c487;
#line 7
category c488;
#line 7
category c489;
#line 7
category c490;
#line 7
category c491;
#line 7
category c492;
#line 7
category c493;
#line 7
category c494;
#line 7
category c495;
#line 7
category c496;
#line 7
category c497;
#line 7
category c498;
#line 7
category c499;
#line 7
category c500;
#line 7
category c501;
#line 7
category c502;
#line 7
category c503;
#line 7
category c504;
#line 7
category c505;
#line 7
category c506;
#line 7
category c507;
#line 7
category c508;
#line 7
category c509;
#line 7
category c510;
#line 7
category c511;
#line 7
category c512;
#line 7
category c513;
#line 7
category c514;
#line 7
category c515;
#line 7
category c516;
#line 7
category c517;
#line 7
category c518;
#line 7
category c519;
#line 7
category c520;
#line 7
category c521;
#line 7
category c522;
#line 7
category c523;
#line 7
category c524;
#line 7
category c525;
#line 7
category c526;
#line 7
category c527;
#line 7
category c528;
#line 7
category c529;
#line 7
category c530;
#line 7
category c531;
#line 7
category c532;
#line 7
category c533;
#line 7
category c534;
#line 7
category c535;
#line 7
category c536;
#line 7
category c537;
#line 7
category c538;
#line 7
category c539;
#line 7
category c540;
#line 7
category c541;
#line 7
category c542;
#line 7
category c543;
#line 7
category c544;
#line 7
category c545;
#line 7
category c546;
#line 7
category c547;
#line 7
category c548;
#line 7
category c549;
#line 7
category c550;
#line 7
category c551;
#line 7
category c552;
#line 7
category c553;
#line 7
category c554;
#line 7
category c555;
#line 7
category c556;
#line 7
category c557;
#line 7
category c558;
#line 7
category c559;
#line 7
category c560;
#line 7
category c561;
#line 7
category c562;
#line 7
category c563;
#line 7
category c564;
#line 7
category c565;
#line 7
category c566;
#line 7
category c567;
#line 7
category c568;
#line 7
category c569;
#line 7
category c570;
#line 7
category c571;
#line 7
category c572;
#line 7
category c573;
#line 7
category c574;
#line 7
category c575;
#line 7
category c576;
#line 7
category c577;
#line 7
category c578;
#line 7
category c579;
#line 7
category c580;
#line 7
category c581;
#line 7
category c582;
#line 7
category c583;
#line 7
category c584;
#line 7
category c585;
#line 7
category c586;
#line 7
category c587;
#line 7
category c588;
#line 7
category c589;
#line 7
category c590;
#line 7
category c591;
#line 7
category c592;
#line 7
category c593;
#line 7
category c594;
#line 7
category c595;
#line 7
category c596;
#line 7
category c597;
#line 7
category c598;
#line 7
category c599;
#line 7
category c600;
#line 7
category c601;
#line 7
category c602;
#line 7
category c603;
#line 7
category c604;
#line 7
category c605;
#line 7
category c606;
#line 7
category c607;
#line 7
category c608;
#line 7
category c609;
#line 7
category c610;
#line 7
category c611;
#line 7
category c612;
#line 7
category c613;
#line 7
category c614;
#line 7
category c615;
#line 7
category c616;
#line 7
category c617;
#line 7
category c618;
#line 7
category c619;
#line 7
category c620;
#line 7
category c621;
#line 7
category c622;
#line 7
category c623;
#line 7
category c624;
#line 7
category c625;
#line 7
category c626;
#line 7
category c627;
#line 7
category c628;
#line 7
category c629;
#line 7
category c630;
#line 7
category c631;
#line 7
category c632;
#line 7
category c633;
#line 7
category c634;
#line 7
category c635;
#line 7
category c636;
#line 7
category c637;
#line 7
category c638;
#line 7
category c639;
#line 7
category c640;
#line 7
category c641;
#line 7
category c642;
#line 7
category c643;
#line 7
category c644;
#line 7
category c645;
#line 7
category c646;
#line 7
category c647;
#line 7
category c648;
#line 7
category c649;
#line 7
category c650;
#line 7
category c651;
#line 7
category c652;
#line 7
category c653;
#line 7
category c654;
#line 7
category c655;
#line 7
category c656;
#line 7
category c657;
#line 7
category c658;
#line 7
category c659;
#line 7
category c660;
#line 7
category c661;
#line 7
category c662;
#line 7
category c663;
#line 7
category c664;
#line 7
category c665;
#line 7
category c666;
#line 7
category c667;
#line 7
category c668;
#line 7
category c669;
#line 7
category c670;
#line 7
category c671;
#line 7
category c672;
#line 7
category c673;
#line 7
category c674;
#line 7
category c675;
#line 7
category c676;
#line 7
category c677;
#line 7
category c678;
#line 7
category c679;
#line 7
category c680;
#line 7
category c681;
#line 7
category c682;
#line 7
category c683;
#line 7
category c684;
#line 7
category c685;
#line 7
category c686;
#line 7
category c687;
#line 7
category c688;
#line 7
category c689;
#line 7
category c690;
#line 7
category c691;
#line 7
category c692;
#line 7
category c693;
#line 7
category c694;
#line 7
category c695;
#line 7
category c696;
#line 7
category c697;
#line 7
category c698;
#line 7
category c699;
#line 7
category c700;
#line 7
category c701;
#line 7
category c702;
#line 7
category c703;
#line 7
category c704;
#line 7
category c705;
#line 7
category c706;
#line 7
category c707;
#line 7
category c708;
#line 7
category c709;
#line 7
category c710;
#line 7
category c711;
#line 7
category c712;
#line 7
category c713;
#line 7
category c714;
#line 7
category c715;
#line 7
category c716;
#line 7
category c717;
#line 7
category c718;
#line 7
category c719;
#line 7
category c720;
#line 7
category c721;
#line 7
category c722;
#line 7
category c723;
#line 7
category c724;
#line 7
category c725;
#line 7
category c726;
#line 7
category c727;
#line 7
category c728;
#line 7
category c729;
#line 7
category c730;
#line 7
category c731;
#line 7
category c732;
#line 7
category c733;
#line 7
category c734;
#line 7
category c735;
#line 7
category c736;
#line 7
category c737;
#line 7
category c738;
#line 7
category c739;
#line 7
category c740;
#line 7
category c741;
#line 7
category c742;
#line 7
category c743;
#line 7
category c744;
#line 7
category c745;
#line 7
category c746;
#line 7
category c747;
#line 7
category c748;
#line 7
category c749;
#line 7
category c750;
#line 7
category c751;
#line 7
category c752;
#line 7
category c753;
#line 7
category c754;
#line 7
category c755;
#line 7
category c756;
#line 7
category c757;
#line 7
category c758;
#line 7
category c759;
#line 7
category c760;
#line 7
category c761;
#line 7
category c762;
#line 7
category c763;
#line 7
category c764;
#line 7
category c765;
#line 7
category c766;
#line 7
category c767;
#line 7
category c768;
#line 7
category c769;
#line 7
category c770;
#line 7
category c771;
#line 7
category c772;
#line 7
category c773;
#line 7
category c774;
#line 7
category c775;
#line 7
category c776;
#line 7
category c777;
#line 7
category c778;
#line 7
category c779;
#line 7
category c780;
#line 7
category c781;
#line 7
category c782;
#line 7
category c783;
#line 7
category c784;
#line 7
category c785;
#line 7
category c786;
#line 7
category c787;
#line 7
category c788;
#line 7
category c789;
#line 7
category c790;
#line 7
category c791;
#line 7
category c792;
#line 7
category c793;
#line 7
category c794;
#line 7
category c795;
#line 7
category c796;
#line 7
category c797;
#line 7
category c798;
#line 7
category c799;
#line 7
category c800;
#line 7
category c801;
#line 7
category c802;
#line 7
category c803;
#line 7
category c804;
#line 7
category c805;
#line 7
category c806;
#line 7
category c807;
#line 7
category c808;
#line 7
category c809;
#line 7
category c810;
#line 7
category c811;
#line 7
category c812;
#line 7
category c813;
#line 7
category c814;
#line 7
category c815;
#line 7
category c816;
#line 7
category c817;
#line 7
category c818;
#line 7
category c819;
#line 7
category c820;
#line 7
category c821;
#line 7
category c822;
#line 7
category c823;
#line 7
category c824;
#line 7
category c825;
#line 7
category c826;
#line 7
category c827;
#line 7
category c828;
#line 7
category c829;
#line 7
category c830;
#line 7
category c831;
#line 7
category c832;
#line 7
category c833;
#line 7
category c834;
#line 7
category c835;
#line 7
category c836;
#line 7
category c837;
#line 7
category c838;
#line 7
category c839;
#line 7
category c840;
#line 7
category c841;
#line 7
category c842;
#line 7
category c843;
#line 7
category c844;
#line 7
category c845;
#line 7
category c846;
#line 7
category c847;
#line 7
category c848;
#line 7
category c849;
#line 7
category c850;
#line 7
category c851;
#line 7
category c852;
#line 7
category c853;
#line 7
category c854;
#line 7
category c855;
#line 7
category c856;
#line 7
category c857;
#line 7
category c858;
#line 7
category c859;
#line 7
category c860;
#line 7
category c861;
#line 7
category c862;
#line 7
category c863;
#line 7
category c864;
#line 7
category c865;
#line 7
category c866;
#line 7
category c867;
#line 7
category c868;
#line 7
category c869;
#line 7
category c870;
#line 7
category c871;
#line 7
category c872;
#line 7
category c873;
#line 7
category c874;
#line 7
category c875;
#line 7
category c876;
#line 7
category c877;
#line 7
category c878;
#line 7
category c879;
#line 7
category c880;
#line 7
category c881;
#line 7
category c882;
#line 7
category c883;
#line 7
category c884;
#line 7
category c885;
#line 7
category c886;
#line 7
category c887;
#line 7
category c888;
#line 7
category c889;
#line 7
category c890;
#line 7
category c891;
#line 7
category c892;
#line 7
category c893;
#line 7
category c894;
#line 7
category c895;
#line 7
category c896;
#line 7
category c897;
#line 7
category c898;
#line 7
category c899;
#line 7
category c900;
#line 7
category c901;
#line 7
category c902;
#line 7
category c903;
#line 7
category c904;
#line 7
category c905;
#line 7
category c906;
#line 7
category c907;
#line 7
category c908;
#line 7
category c909;
#line 7
category c910;
#line 7
category c911;
#line 7
category c912;
#line 7
category c913;
#line 7
category c914;
#line 7
category c915;
#line 7
category c916;
#line 7
category c917;
#line 7
category c918;
#line 7
category c919;
#line 7
category c920;
#line 7
category c921;
#line 7
category c922;
#line 7
category c923;
#line 7
category c924;
#line 7
category c925;
#line 7
category c926;
#line 7
category c927;
#line 7
category c928;
#line 7
category c929;
#line 7
category c930;
#line 7
category c931;
#line 7
category c932;
#line 7
category c933;
#line 7
category c934;
#line 7
category c935;
#line 7
category c936;
#line 7
category c937;
#line 7
category c938;
#line 7
category c939;
#line 7
category c940;
#line 7
category c941;
#line 7
category c942;
#line 7
category c943;
#line 7
category c944;
#line 7
category c945;
#line 7
category c946;
#line 7
category c947;
#line 7
category c948;
#line 7
category c949;
#line 7
category c950;
#line 7
category c951;
#line 7
category c952;
#line 7
category c953;
#line 7
category c954;
#line 7
category c955;
#line 7
category c956;
#line 7
category c957;
#line 7
category c958;
#line 7
category c959;
#line 7
category c960;
#line 7
category c961;
#line 7
category c962;
#line 7
category c963;
#line 7
category c964;
#line 7
category c965;
#line 7
category c966;
#line 7
category c967;
#line 7
category c968;
#line 7
category c969;
#line 7
category c970;
#line 7
category c971;
#line 7
category c972;
#line 7
category c973;
#line 7
category c974;
#line 7
category c975;
#line 7
category c976;
#line 7
category c977;
#line 7
category c978;
#line 7
category c979;
#line 7
category c980;
#line 7
category c981;
#line 7
category c982;
#line 7
category c983;
#line 7
category c984;
#line 7
category c985;
#line 7
category c986;
#line 7
category c987;
#line 7
category c988;
#line 7
category c989;
#line 7
category c990;
#line 7
category c991;
#line 7
category c992;
#line 7
category c993;
#line 7
category c994;
#line 7
category c995;
#line 7
category c996;
#line 7
category c997;
#line 7
category c998;
#line 7
category c999;
#line 7
category c1000;
#line 7
category c1001;
#line 7
category c1002;
#line 7
category c1003;
#line 7
category c1004;
#line 7
category c1005;
#line 7
category c1006;
#line 7
category c1007;
#line 7
category c1008;
#line 7
category c1009;
#line 7
category c1010;
#line 7
category c1011;
#line 7
category c1012;
#line 7
category c1013;
#line 7
category c1014;
#line 7
category c1015;
#line 7
category c1016;
#line 7
category c1017;
#line 7
category c1018;
#line 7
category c1019;
#line 7
category c1020;
#line 7
category c1021;
#line 7
category c1022;
#line 7
category c1023;
#line 7


# Generate level definitions for each sensitivity and category.
level s0:c0.c1023;
#line 10

#line 1 "system/sepolicy/reqd_mask/mls"
mlsconstrain binder { set_context_mgr } (l1 eq l2);
#line 1 "system/sepolicy/prebuilts/api/29.0/public/te_macros"
#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
#line 21


#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
#line 33


#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
#line 49


#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
#line 62


#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
#line 71


#####################################
# tmpfs_domain(domain)
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
#line 79


# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).

#####################################
# pdx_service_attributes(service)
# Defines type attribute used to identify various service-related types.
#line 92


#####################################
# pdx_service_socket_types(service, endpoint_dir_t)
# Define types for endpoint and channel sockets.
#line 105


#####################################
# pdx_server(server_domain, service)
#line 124


#####################################
# pdx_connect(client, service)
#line 134


#####################################
# pdx_use(client, service)
#line 149


#####################################
# pdx_client(client, service)
#line 156


#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
#line 164


#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
#line 184


#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
#line 191


#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
#line 198


#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
#line 205


#####################################
# hal_attribute(hal_name)
# Add an attribute for hal implementations along with necessary
# restrictions.
#line 227


#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
#   type hal_foo_default, domain;
#   hal_server_domain(hal_foo_default, hal_foo)
#
#line 242


#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
#   hal_client_domain(some_domain, hal_foo)
#
#line 266


#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
#   passthrough_hal_client_domain(some_domain, hal_foo)
#
#line 284


#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
#line 303


#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
#line 314


#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
#
#line 323


#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
#line 332


#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
#line 346


#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
#line 362


#####################################
# vndbinder_use(domain)
# Allow domain to use Binder IPC.
#line 376


#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
#line 388


#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
#line 396


#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
#line 415


#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
#line 425


#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
#line 434


#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
#line 453


#####################################
# Non system_app application set
#


#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#


#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
#line 475


#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
#


#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
#line 492


#####################################
# Not compatible property
# SELinux rules which apply only to devices without compatible property
#


#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#


#####################################
# asan builds
# SELinux rules which apply only to asan builds
#


#####################################
# native coverage builds
# SELinux rules which apply only to builds with native coverage
#


#####################################
# Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing.
#


####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
#line 542


#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
#


#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
#line 557


#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
#line 566


#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
#line 573


#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
#line 583


#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore is requires the following permissions
# to call getpidcon.
#line 597


###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
#line 607


###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#line 617


###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#line 628


###########################################
# hal_attribute_hwservice(attribute, service)
# Ability for domain to get a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_hwservice
#line 644


###################################
# can_profile_heap(domain)
# Allow processes within the domain to have their heap profiled by heapprofd.
#
# Note that profiling is performed differently between debug and user builds.
# This macro covers both user and debug builds, but see
# can_profile_heap_userdebug_or_eng for a variant that can be used when
# allowing profiling for a domain only on debug builds, without granting
# the exec permission. The exec permission is necessary for user builds, but
# only a nice-to-have for development and testing purposes on debug builds.
#line 672


###################################
# can_profile_heap_userdebug_or_eng(domain)
# Allow processes within the domain to have their heap profiled by heapprofd on
# debug builds only.
#
# Only necessary when can_profile_heap cannot be applied, see its description
# for rationale.
#line 702


###################################
# never_profile_heap(domain)
# Opt out of heap profiling by heapprofd.
#line 710

#line 1 "system/sepolicy/prebuilts/api/29.0/public/ioctl_defines"































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































#line 1 "system/sepolicy/prebuilts/api/29.0/public/ioctl_macros"
# socket ioctls allowed to unprivileged apps
#line 12


# socket ioctls never allowed to unprivileged apps
#line 42


# commonly used ioctls on unix sockets
#line 47


# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
#line 54


# point to point ioctls
#line 68

#line 1 "system/sepolicy/prebuilts/api/29.0/public/attributes"
######################################
# Attribute declarations
#

# All types used for devices.
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
attribute dev_type;

# All types used for processes.
attribute domain;

# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute fs_type;

# All types used for context= mounts.
attribute contextmount_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
expandattribute core_data_file_type false;

# All types in /system
attribute system_file_type;

# All types in /vendor
attribute vendor_file_type;

# All types used for procfs files.
attribute proc_type;
expandattribute proc_type false;

# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. it is temporary and will
# be removed.
attribute proc_net_type;
expandattribute proc_net_type true;

# All types used for sysfs files.
attribute sysfs_type;

# All types use for debugfs files.
attribute debugfs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;

# All types used for property service
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;

# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;

# All properties used to configure log filtering.
attribute log_property_type;

# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;

# All service_manager types created by system_server
attribute system_server_service;

# services which should be available to all but isolated apps
attribute app_api_service;

# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;

# services which export only system_api
attribute system_api_service;

# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;

# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;

# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;

# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;

# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;


# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;

# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;

# All domains used for apps.
attribute appdomain;

# All third party apps.
attribute untrusted_app_all;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# All domains used for binder service domains.
attribute binderservicedomain;

# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;

# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;

# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;

# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
expandattribute binder_in_vendor_violators false;

# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;

# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;

# All domains which violate the requirement of not sharing files by path
# between between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;

# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;

# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;

# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;

# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary.  It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;

# halserver domains that are accessible to untrusted applications.  These
# domains are typically those hosting  hwservices attributed by the
# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in the future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;

# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;


#line 224
attribute pdx_display_client_endpoint_dir_type;
#line 224
attribute pdx_display_client_endpoint_socket_type;
#line 224
attribute pdx_display_client_channel_socket_type;
#line 224
attribute pdx_display_client_server_type;
#line 224


#line 225
attribute pdx_display_manager_endpoint_dir_type;
#line 225
attribute pdx_display_manager_endpoint_socket_type;
#line 225
attribute pdx_display_manager_channel_socket_type;
#line 225
attribute pdx_display_manager_server_type;
#line 225


#line 226
attribute pdx_display_screenshot_endpoint_dir_type;
#line 226
attribute pdx_display_screenshot_endpoint_socket_type;
#line 226
attribute pdx_display_screenshot_channel_socket_type;
#line 226
attribute pdx_display_screenshot_server_type;
#line 226


#line 227
attribute pdx_display_vsync_endpoint_dir_type;
#line 227
attribute pdx_display_vsync_endpoint_socket_type;
#line 227
attribute pdx_display_vsync_channel_socket_type;
#line 227
attribute pdx_display_vsync_server_type;
#line 227


#line 228
attribute pdx_performance_client_endpoint_dir_type;
#line 228
attribute pdx_performance_client_endpoint_socket_type;
#line 228
attribute pdx_performance_client_channel_socket_type;
#line 228
attribute pdx_performance_client_server_type;
#line 228


#line 229
attribute pdx_bufferhub_client_endpoint_dir_type;
#line 229
attribute pdx_bufferhub_client_endpoint_socket_type;
#line 229
attribute pdx_bufferhub_client_channel_socket_type;
#line 229
attribute pdx_bufferhub_client_server_type;
#line 229


# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;

# Exempt for halserverdomain to access sockets. Only builds for automotive
# device types are allowed to use this attribute (enforced by CTS).
# Unlike phone, in a car many modules are external from Android perspective and
# HALs should be able to communicate with those devices through sockets.
attribute hal_automotive_socket_exemption;

# HALs

#line 244
attribute hal_allocator;
#line 244
expandattribute hal_allocator true;
#line 244
attribute hal_allocator_client;
#line 244
expandattribute hal_allocator_client true;
#line 244
attribute hal_allocator_server;
#line 244
expandattribute hal_allocator_server false;
#line 244

#line 244
neverallow { hal_allocator_server -halserverdomain } domain:process fork;
#line 244
# hal_*_client and halclientdomain attributes are always expanded for
#line 244
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 244
# verified by CTS since these attributes are already expanded by that time.
#line 244

#line 244
neverallow { hal_allocator_server -hal_allocator } domain:process fork;
#line 244
neverallow { hal_allocator_client -halclientdomain } domain:process fork;
#line 244

#line 244
;

#line 245
attribute hal_atrace;
#line 245
expandattribute hal_atrace true;
#line 245
attribute hal_atrace_client;
#line 245
expandattribute hal_atrace_client true;
#line 245
attribute hal_atrace_server;
#line 245
expandattribute hal_atrace_server false;
#line 245

#line 245
neverallow { hal_atrace_server -halserverdomain } domain:process fork;
#line 245
# hal_*_client and halclientdomain attributes are always expanded for
#line 245
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 245
# verified by CTS since these attributes are already expanded by that time.
#line 245

#line 245
neverallow { hal_atrace_server -hal_atrace } domain:process fork;
#line 245
neverallow { hal_atrace_client -halclientdomain } domain:process fork;
#line 245

#line 245
;

#line 246
attribute hal_audio;
#line 246
expandattribute hal_audio true;
#line 246
attribute hal_audio_client;
#line 246
expandattribute hal_audio_client true;
#line 246
attribute hal_audio_server;
#line 246
expandattribute hal_audio_server false;
#line 246

#line 246
neverallow { hal_audio_server -halserverdomain } domain:process fork;
#line 246
# hal_*_client and halclientdomain attributes are always expanded for
#line 246
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 246
# verified by CTS since these attributes are already expanded by that time.
#line 246

#line 246
neverallow { hal_audio_server -hal_audio } domain:process fork;
#line 246
neverallow { hal_audio_client -halclientdomain } domain:process fork;
#line 246

#line 246
;

#line 247
attribute hal_audiocontrol;
#line 247
expandattribute hal_audiocontrol true;
#line 247
attribute hal_audiocontrol_client;
#line 247
expandattribute hal_audiocontrol_client true;
#line 247
attribute hal_audiocontrol_server;
#line 247
expandattribute hal_audiocontrol_server false;
#line 247

#line 247
neverallow { hal_audiocontrol_server -halserverdomain } domain:process fork;
#line 247
# hal_*_client and halclientdomain attributes are always expanded for
#line 247
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 247
# verified by CTS since these attributes are already expanded by that time.
#line 247

#line 247
neverallow { hal_audiocontrol_server -hal_audiocontrol } domain:process fork;
#line 247
neverallow { hal_audiocontrol_client -halclientdomain } domain:process fork;
#line 247

#line 247
;

#line 248
attribute hal_authsecret;
#line 248
expandattribute hal_authsecret true;
#line 248
attribute hal_authsecret_client;
#line 248
expandattribute hal_authsecret_client true;
#line 248
attribute hal_authsecret_server;
#line 248
expandattribute hal_authsecret_server false;
#line 248

#line 248
neverallow { hal_authsecret_server -halserverdomain } domain:process fork;
#line 248
# hal_*_client and halclientdomain attributes are always expanded for
#line 248
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 248
# verified by CTS since these attributes are already expanded by that time.
#line 248

#line 248
neverallow { hal_authsecret_server -hal_authsecret } domain:process fork;
#line 248
neverallow { hal_authsecret_client -halclientdomain } domain:process fork;
#line 248

#line 248
;

#line 249
attribute hal_bluetooth;
#line 249
expandattribute hal_bluetooth true;
#line 249
attribute hal_bluetooth_client;
#line 249
expandattribute hal_bluetooth_client true;
#line 249
attribute hal_bluetooth_server;
#line 249
expandattribute hal_bluetooth_server false;
#line 249

#line 249
neverallow { hal_bluetooth_server -halserverdomain } domain:process fork;
#line 249
# hal_*_client and halclientdomain attributes are always expanded for
#line 249
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 249
# verified by CTS since these attributes are already expanded by that time.
#line 249

#line 249
neverallow { hal_bluetooth_server -hal_bluetooth } domain:process fork;
#line 249
neverallow { hal_bluetooth_client -halclientdomain } domain:process fork;
#line 249

#line 249
;

#line 250
attribute hal_bootctl;
#line 250
expandattribute hal_bootctl true;
#line 250
attribute hal_bootctl_client;
#line 250
expandattribute hal_bootctl_client true;
#line 250
attribute hal_bootctl_server;
#line 250
expandattribute hal_bootctl_server false;
#line 250

#line 250
neverallow { hal_bootctl_server -halserverdomain } domain:process fork;
#line 250
# hal_*_client and halclientdomain attributes are always expanded for
#line 250
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 250
# verified by CTS since these attributes are already expanded by that time.
#line 250

#line 250
neverallow { hal_bootctl_server -hal_bootctl } domain:process fork;
#line 250
neverallow { hal_bootctl_client -halclientdomain } domain:process fork;
#line 250

#line 250
;

#line 251
attribute hal_bufferhub;
#line 251
expandattribute hal_bufferhub true;
#line 251
attribute hal_bufferhub_client;
#line 251
expandattribute hal_bufferhub_client true;
#line 251
attribute hal_bufferhub_server;
#line 251
expandattribute hal_bufferhub_server false;
#line 251

#line 251
neverallow { hal_bufferhub_server -halserverdomain } domain:process fork;
#line 251
# hal_*_client and halclientdomain attributes are always expanded for
#line 251
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 251
# verified by CTS since these attributes are already expanded by that time.
#line 251

#line 251
neverallow { hal_bufferhub_server -hal_bufferhub } domain:process fork;
#line 251
neverallow { hal_bufferhub_client -halclientdomain } domain:process fork;
#line 251

#line 251
;

#line 252
attribute hal_broadcastradio;
#line 252
expandattribute hal_broadcastradio true;
#line 252
attribute hal_broadcastradio_client;
#line 252
expandattribute hal_broadcastradio_client true;
#line 252
attribute hal_broadcastradio_server;
#line 252
expandattribute hal_broadcastradio_server false;
#line 252

#line 252
neverallow { hal_broadcastradio_server -halserverdomain } domain:process fork;
#line 252
# hal_*_client and halclientdomain attributes are always expanded for
#line 252
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 252
# verified by CTS since these attributes are already expanded by that time.
#line 252

#line 252
neverallow { hal_broadcastradio_server -hal_broadcastradio } domain:process fork;
#line 252
neverallow { hal_broadcastradio_client -halclientdomain } domain:process fork;
#line 252

#line 252
;

#line 253
attribute hal_camera;
#line 253
expandattribute hal_camera true;
#line 253
attribute hal_camera_client;
#line 253
expandattribute hal_camera_client true;
#line 253
attribute hal_camera_server;
#line 253
expandattribute hal_camera_server false;
#line 253

#line 253
neverallow { hal_camera_server -halserverdomain } domain:process fork;
#line 253
# hal_*_client and halclientdomain attributes are always expanded for
#line 253
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 253
# verified by CTS since these attributes are already expanded by that time.
#line 253

#line 253
neverallow { hal_camera_server -hal_camera } domain:process fork;
#line 253
neverallow { hal_camera_client -halclientdomain } domain:process fork;
#line 253

#line 253
;

#line 254
attribute hal_cas;
#line 254
expandattribute hal_cas true;
#line 254
attribute hal_cas_client;
#line 254
expandattribute hal_cas_client true;
#line 254
attribute hal_cas_server;
#line 254
expandattribute hal_cas_server false;
#line 254

#line 254
neverallow { hal_cas_server -halserverdomain } domain:process fork;
#line 254
# hal_*_client and halclientdomain attributes are always expanded for
#line 254
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 254
# verified by CTS since these attributes are already expanded by that time.
#line 254

#line 254
neverallow { hal_cas_server -hal_cas } domain:process fork;
#line 254
neverallow { hal_cas_client -halclientdomain } domain:process fork;
#line 254

#line 254
;

#line 255
attribute hal_codec2;
#line 255
expandattribute hal_codec2 true;
#line 255
attribute hal_codec2_client;
#line 255
expandattribute hal_codec2_client true;
#line 255
attribute hal_codec2_server;
#line 255
expandattribute hal_codec2_server false;
#line 255

#line 255
neverallow { hal_codec2_server -halserverdomain } domain:process fork;
#line 255
# hal_*_client and halclientdomain attributes are always expanded for
#line 255
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 255
# verified by CTS since these attributes are already expanded by that time.
#line 255

#line 255
neverallow { hal_codec2_server -hal_codec2 } domain:process fork;
#line 255
neverallow { hal_codec2_client -halclientdomain } domain:process fork;
#line 255

#line 255
;

#line 256
attribute hal_configstore;
#line 256
expandattribute hal_configstore true;
#line 256
attribute hal_configstore_client;
#line 256
expandattribute hal_configstore_client true;
#line 256
attribute hal_configstore_server;
#line 256
expandattribute hal_configstore_server false;
#line 256

#line 256
neverallow { hal_configstore_server -halserverdomain } domain:process fork;
#line 256
# hal_*_client and halclientdomain attributes are always expanded for
#line 256
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 256
# verified by CTS since these attributes are already expanded by that time.
#line 256

#line 256
neverallow { hal_configstore_server -hal_configstore } domain:process fork;
#line 256
neverallow { hal_configstore_client -halclientdomain } domain:process fork;
#line 256

#line 256
;

#line 257
attribute hal_confirmationui;
#line 257
expandattribute hal_confirmationui true;
#line 257
attribute hal_confirmationui_client;
#line 257
expandattribute hal_confirmationui_client true;
#line 257
attribute hal_confirmationui_server;
#line 257
expandattribute hal_confirmationui_server false;
#line 257

#line 257
neverallow { hal_confirmationui_server -halserverdomain } domain:process fork;
#line 257
# hal_*_client and halclientdomain attributes are always expanded for
#line 257
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 257
# verified by CTS since these attributes are already expanded by that time.
#line 257

#line 257
neverallow { hal_confirmationui_server -hal_confirmationui } domain:process fork;
#line 257
neverallow { hal_confirmationui_client -halclientdomain } domain:process fork;
#line 257

#line 257
;

#line 258
attribute hal_contexthub;
#line 258
expandattribute hal_contexthub true;
#line 258
attribute hal_contexthub_client;
#line 258
expandattribute hal_contexthub_client true;
#line 258
attribute hal_contexthub_server;
#line 258
expandattribute hal_contexthub_server false;
#line 258

#line 258
neverallow { hal_contexthub_server -halserverdomain } domain:process fork;
#line 258
# hal_*_client and halclientdomain attributes are always expanded for
#line 258
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 258
# verified by CTS since these attributes are already expanded by that time.
#line 258

#line 258
neverallow { hal_contexthub_server -hal_contexthub } domain:process fork;
#line 258
neverallow { hal_contexthub_client -halclientdomain } domain:process fork;
#line 258

#line 258
;

#line 259
attribute hal_drm;
#line 259
expandattribute hal_drm true;
#line 259
attribute hal_drm_client;
#line 259
expandattribute hal_drm_client true;
#line 259
attribute hal_drm_server;
#line 259
expandattribute hal_drm_server false;
#line 259

#line 259
neverallow { hal_drm_server -halserverdomain } domain:process fork;
#line 259
# hal_*_client and halclientdomain attributes are always expanded for
#line 259
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 259
# verified by CTS since these attributes are already expanded by that time.
#line 259

#line 259
neverallow { hal_drm_server -hal_drm } domain:process fork;
#line 259
neverallow { hal_drm_client -halclientdomain } domain:process fork;
#line 259

#line 259
;

#line 260
attribute hal_dumpstate;
#line 260
expandattribute hal_dumpstate true;
#line 260
attribute hal_dumpstate_client;
#line 260
expandattribute hal_dumpstate_client true;
#line 260
attribute hal_dumpstate_server;
#line 260
expandattribute hal_dumpstate_server false;
#line 260

#line 260
neverallow { hal_dumpstate_server -halserverdomain } domain:process fork;
#line 260
# hal_*_client and halclientdomain attributes are always expanded for
#line 260
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 260
# verified by CTS since these attributes are already expanded by that time.
#line 260

#line 260
neverallow { hal_dumpstate_server -hal_dumpstate } domain:process fork;
#line 260
neverallow { hal_dumpstate_client -halclientdomain } domain:process fork;
#line 260

#line 260
;

#line 261
attribute hal_evs;
#line 261
expandattribute hal_evs true;
#line 261
attribute hal_evs_client;
#line 261
expandattribute hal_evs_client true;
#line 261
attribute hal_evs_server;
#line 261
expandattribute hal_evs_server false;
#line 261

#line 261
neverallow { hal_evs_server -halserverdomain } domain:process fork;
#line 261
# hal_*_client and halclientdomain attributes are always expanded for
#line 261
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 261
# verified by CTS since these attributes are already expanded by that time.
#line 261

#line 261
neverallow { hal_evs_server -hal_evs } domain:process fork;
#line 261
neverallow { hal_evs_client -halclientdomain } domain:process fork;
#line 261

#line 261
;

#line 262
attribute hal_face;
#line 262
expandattribute hal_face true;
#line 262
attribute hal_face_client;
#line 262
expandattribute hal_face_client true;
#line 262
attribute hal_face_server;
#line 262
expandattribute hal_face_server false;
#line 262

#line 262
neverallow { hal_face_server -halserverdomain } domain:process fork;
#line 262
# hal_*_client and halclientdomain attributes are always expanded for
#line 262
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 262
# verified by CTS since these attributes are already expanded by that time.
#line 262

#line 262
neverallow { hal_face_server -hal_face } domain:process fork;
#line 262
neverallow { hal_face_client -halclientdomain } domain:process fork;
#line 262

#line 262
;

#line 263
attribute hal_fingerprint;
#line 263
expandattribute hal_fingerprint true;
#line 263
attribute hal_fingerprint_client;
#line 263
expandattribute hal_fingerprint_client true;
#line 263
attribute hal_fingerprint_server;
#line 263
expandattribute hal_fingerprint_server false;
#line 263

#line 263
neverallow { hal_fingerprint_server -halserverdomain } domain:process fork;
#line 263
# hal_*_client and halclientdomain attributes are always expanded for
#line 263
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 263
# verified by CTS since these attributes are already expanded by that time.
#line 263

#line 263
neverallow { hal_fingerprint_server -hal_fingerprint } domain:process fork;
#line 263
neverallow { hal_fingerprint_client -halclientdomain } domain:process fork;
#line 263

#line 263
;

#line 264
attribute hal_gatekeeper;
#line 264
expandattribute hal_gatekeeper true;
#line 264
attribute hal_gatekeeper_client;
#line 264
expandattribute hal_gatekeeper_client true;
#line 264
attribute hal_gatekeeper_server;
#line 264
expandattribute hal_gatekeeper_server false;
#line 264

#line 264
neverallow { hal_gatekeeper_server -halserverdomain } domain:process fork;
#line 264
# hal_*_client and halclientdomain attributes are always expanded for
#line 264
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 264
# verified by CTS since these attributes are already expanded by that time.
#line 264

#line 264
neverallow { hal_gatekeeper_server -hal_gatekeeper } domain:process fork;
#line 264
neverallow { hal_gatekeeper_client -halclientdomain } domain:process fork;
#line 264

#line 264
;

#line 265
attribute hal_gnss;
#line 265
expandattribute hal_gnss true;
#line 265
attribute hal_gnss_client;
#line 265
expandattribute hal_gnss_client true;
#line 265
attribute hal_gnss_server;
#line 265
expandattribute hal_gnss_server false;
#line 265

#line 265
neverallow { hal_gnss_server -halserverdomain } domain:process fork;
#line 265
# hal_*_client and halclientdomain attributes are always expanded for
#line 265
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 265
# verified by CTS since these attributes are already expanded by that time.
#line 265

#line 265
neverallow { hal_gnss_server -hal_gnss } domain:process fork;
#line 265
neverallow { hal_gnss_client -halclientdomain } domain:process fork;
#line 265

#line 265
;

#line 266
attribute hal_graphics_allocator;
#line 266
expandattribute hal_graphics_allocator true;
#line 266
attribute hal_graphics_allocator_client;
#line 266
expandattribute hal_graphics_allocator_client true;
#line 266
attribute hal_graphics_allocator_server;
#line 266
expandattribute hal_graphics_allocator_server false;
#line 266

#line 266
neverallow { hal_graphics_allocator_server -halserverdomain } domain:process fork;
#line 266
# hal_*_client and halclientdomain attributes are always expanded for
#line 266
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 266
# verified by CTS since these attributes are already expanded by that time.
#line 266

#line 266
neverallow { hal_graphics_allocator_server -hal_graphics_allocator } domain:process fork;
#line 266
neverallow { hal_graphics_allocator_client -halclientdomain } domain:process fork;
#line 266

#line 266
;

#line 267
attribute hal_graphics_composer;
#line 267
expandattribute hal_graphics_composer true;
#line 267
attribute hal_graphics_composer_client;
#line 267
expandattribute hal_graphics_composer_client true;
#line 267
attribute hal_graphics_composer_server;
#line 267
expandattribute hal_graphics_composer_server false;
#line 267

#line 267
neverallow { hal_graphics_composer_server -halserverdomain } domain:process fork;
#line 267
# hal_*_client and halclientdomain attributes are always expanded for
#line 267
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 267
# verified by CTS since these attributes are already expanded by that time.
#line 267

#line 267
neverallow { hal_graphics_composer_server -hal_graphics_composer } domain:process fork;
#line 267
neverallow { hal_graphics_composer_client -halclientdomain } domain:process fork;
#line 267

#line 267
;

#line 268
attribute hal_health;
#line 268
expandattribute hal_health true;
#line 268
attribute hal_health_client;
#line 268
expandattribute hal_health_client true;
#line 268
attribute hal_health_server;
#line 268
expandattribute hal_health_server false;
#line 268

#line 268
neverallow { hal_health_server -halserverdomain } domain:process fork;
#line 268
# hal_*_client and halclientdomain attributes are always expanded for
#line 268
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 268
# verified by CTS since these attributes are already expanded by that time.
#line 268

#line 268
neverallow { hal_health_server -hal_health } domain:process fork;
#line 268
neverallow { hal_health_client -halclientdomain } domain:process fork;
#line 268

#line 268
;

#line 269
attribute hal_health_storage;
#line 269
expandattribute hal_health_storage true;
#line 269
attribute hal_health_storage_client;
#line 269
expandattribute hal_health_storage_client true;
#line 269
attribute hal_health_storage_server;
#line 269
expandattribute hal_health_storage_server false;
#line 269

#line 269
neverallow { hal_health_storage_server -halserverdomain } domain:process fork;
#line 269
# hal_*_client and halclientdomain attributes are always expanded for
#line 269
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 269
# verified by CTS since these attributes are already expanded by that time.
#line 269

#line 269
neverallow { hal_health_storage_server -hal_health_storage } domain:process fork;
#line 269
neverallow { hal_health_storage_client -halclientdomain } domain:process fork;
#line 269

#line 269
;

#line 270
attribute hal_input_classifier;
#line 270
expandattribute hal_input_classifier true;
#line 270
attribute hal_input_classifier_client;
#line 270
expandattribute hal_input_classifier_client true;
#line 270
attribute hal_input_classifier_server;
#line 270
expandattribute hal_input_classifier_server false;
#line 270

#line 270
neverallow { hal_input_classifier_server -halserverdomain } domain:process fork;
#line 270
# hal_*_client and halclientdomain attributes are always expanded for
#line 270
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 270
# verified by CTS since these attributes are already expanded by that time.
#line 270

#line 270
neverallow { hal_input_classifier_server -hal_input_classifier } domain:process fork;
#line 270
neverallow { hal_input_classifier_client -halclientdomain } domain:process fork;
#line 270

#line 270
;

#line 271
attribute hal_ir;
#line 271
expandattribute hal_ir true;
#line 271
attribute hal_ir_client;
#line 271
expandattribute hal_ir_client true;
#line 271
attribute hal_ir_server;
#line 271
expandattribute hal_ir_server false;
#line 271

#line 271
neverallow { hal_ir_server -halserverdomain } domain:process fork;
#line 271
# hal_*_client and halclientdomain attributes are always expanded for
#line 271
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 271
# verified by CTS since these attributes are already expanded by that time.
#line 271

#line 271
neverallow { hal_ir_server -hal_ir } domain:process fork;
#line 271
neverallow { hal_ir_client -halclientdomain } domain:process fork;
#line 271

#line 271
;

#line 272
attribute hal_keymaster;
#line 272
expandattribute hal_keymaster true;
#line 272
attribute hal_keymaster_client;
#line 272
expandattribute hal_keymaster_client true;
#line 272
attribute hal_keymaster_server;
#line 272
expandattribute hal_keymaster_server false;
#line 272

#line 272
neverallow { hal_keymaster_server -halserverdomain } domain:process fork;
#line 272
# hal_*_client and halclientdomain attributes are always expanded for
#line 272
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 272
# verified by CTS since these attributes are already expanded by that time.
#line 272

#line 272
neverallow { hal_keymaster_server -hal_keymaster } domain:process fork;
#line 272
neverallow { hal_keymaster_client -halclientdomain } domain:process fork;
#line 272

#line 272
;

#line 273
attribute hal_light;
#line 273
expandattribute hal_light true;
#line 273
attribute hal_light_client;
#line 273
expandattribute hal_light_client true;
#line 273
attribute hal_light_server;
#line 273
expandattribute hal_light_server false;
#line 273

#line 273
neverallow { hal_light_server -halserverdomain } domain:process fork;
#line 273
# hal_*_client and halclientdomain attributes are always expanded for
#line 273
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 273
# verified by CTS since these attributes are already expanded by that time.
#line 273

#line 273
neverallow { hal_light_server -hal_light } domain:process fork;
#line 273
neverallow { hal_light_client -halclientdomain } domain:process fork;
#line 273

#line 273
;

#line 274
attribute hal_lowpan;
#line 274
expandattribute hal_lowpan true;
#line 274
attribute hal_lowpan_client;
#line 274
expandattribute hal_lowpan_client true;
#line 274
attribute hal_lowpan_server;
#line 274
expandattribute hal_lowpan_server false;
#line 274

#line 274
neverallow { hal_lowpan_server -halserverdomain } domain:process fork;
#line 274
# hal_*_client and halclientdomain attributes are always expanded for
#line 274
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 274
# verified by CTS since these attributes are already expanded by that time.
#line 274

#line 274
neverallow { hal_lowpan_server -hal_lowpan } domain:process fork;
#line 274
neverallow { hal_lowpan_client -halclientdomain } domain:process fork;
#line 274

#line 274
;

#line 275
attribute hal_memtrack;
#line 275
expandattribute hal_memtrack true;
#line 275
attribute hal_memtrack_client;
#line 275
expandattribute hal_memtrack_client true;
#line 275
attribute hal_memtrack_server;
#line 275
expandattribute hal_memtrack_server false;
#line 275

#line 275
neverallow { hal_memtrack_server -halserverdomain } domain:process fork;
#line 275
# hal_*_client and halclientdomain attributes are always expanded for
#line 275
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 275
# verified by CTS since these attributes are already expanded by that time.
#line 275

#line 275
neverallow { hal_memtrack_server -hal_memtrack } domain:process fork;
#line 275
neverallow { hal_memtrack_client -halclientdomain } domain:process fork;
#line 275

#line 275
;

#line 276
attribute hal_neuralnetworks;
#line 276
expandattribute hal_neuralnetworks true;
#line 276
attribute hal_neuralnetworks_client;
#line 276
expandattribute hal_neuralnetworks_client true;
#line 276
attribute hal_neuralnetworks_server;
#line 276
expandattribute hal_neuralnetworks_server false;
#line 276

#line 276
neverallow { hal_neuralnetworks_server -halserverdomain } domain:process fork;
#line 276
# hal_*_client and halclientdomain attributes are always expanded for
#line 276
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 276
# verified by CTS since these attributes are already expanded by that time.
#line 276

#line 276
neverallow { hal_neuralnetworks_server -hal_neuralnetworks } domain:process fork;
#line 276
neverallow { hal_neuralnetworks_client -halclientdomain } domain:process fork;
#line 276

#line 276
;

#line 277
attribute hal_nfc;
#line 277
expandattribute hal_nfc true;
#line 277
attribute hal_nfc_client;
#line 277
expandattribute hal_nfc_client true;
#line 277
attribute hal_nfc_server;
#line 277
expandattribute hal_nfc_server false;
#line 277

#line 277
neverallow { hal_nfc_server -halserverdomain } domain:process fork;
#line 277
# hal_*_client and halclientdomain attributes are always expanded for
#line 277
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 277
# verified by CTS since these attributes are already expanded by that time.
#line 277

#line 277
neverallow { hal_nfc_server -hal_nfc } domain:process fork;
#line 277
neverallow { hal_nfc_client -halclientdomain } domain:process fork;
#line 277

#line 277
;

#line 278
attribute hal_oemlock;
#line 278
expandattribute hal_oemlock true;
#line 278
attribute hal_oemlock_client;
#line 278
expandattribute hal_oemlock_client true;
#line 278
attribute hal_oemlock_server;
#line 278
expandattribute hal_oemlock_server false;
#line 278

#line 278
neverallow { hal_oemlock_server -halserverdomain } domain:process fork;
#line 278
# hal_*_client and halclientdomain attributes are always expanded for
#line 278
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 278
# verified by CTS since these attributes are already expanded by that time.
#line 278

#line 278
neverallow { hal_oemlock_server -hal_oemlock } domain:process fork;
#line 278
neverallow { hal_oemlock_client -halclientdomain } domain:process fork;
#line 278

#line 278
;

#line 279
attribute hal_omx;
#line 279
expandattribute hal_omx true;
#line 279
attribute hal_omx_client;
#line 279
expandattribute hal_omx_client true;
#line 279
attribute hal_omx_server;
#line 279
expandattribute hal_omx_server false;
#line 279

#line 279
neverallow { hal_omx_server -halserverdomain } domain:process fork;
#line 279
# hal_*_client and halclientdomain attributes are always expanded for
#line 279
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 279
# verified by CTS since these attributes are already expanded by that time.
#line 279

#line 279
neverallow { hal_omx_server -hal_omx } domain:process fork;
#line 279
neverallow { hal_omx_client -halclientdomain } domain:process fork;
#line 279

#line 279
;

#line 280
attribute hal_power;
#line 280
expandattribute hal_power true;
#line 280
attribute hal_power_client;
#line 280
expandattribute hal_power_client true;
#line 280
attribute hal_power_server;
#line 280
expandattribute hal_power_server false;
#line 280

#line 280
neverallow { hal_power_server -halserverdomain } domain:process fork;
#line 280
# hal_*_client and halclientdomain attributes are always expanded for
#line 280
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 280
# verified by CTS since these attributes are already expanded by that time.
#line 280

#line 280
neverallow { hal_power_server -hal_power } domain:process fork;
#line 280
neverallow { hal_power_client -halclientdomain } domain:process fork;
#line 280

#line 280
;

#line 281
attribute hal_power_stats;
#line 281
expandattribute hal_power_stats true;
#line 281
attribute hal_power_stats_client;
#line 281
expandattribute hal_power_stats_client true;
#line 281
attribute hal_power_stats_server;
#line 281
expandattribute hal_power_stats_server false;
#line 281

#line 281
neverallow { hal_power_stats_server -halserverdomain } domain:process fork;
#line 281
# hal_*_client and halclientdomain attributes are always expanded for
#line 281
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 281
# verified by CTS since these attributes are already expanded by that time.
#line 281

#line 281
neverallow { hal_power_stats_server -hal_power_stats } domain:process fork;
#line 281
neverallow { hal_power_stats_client -halclientdomain } domain:process fork;
#line 281

#line 281
;

#line 282
attribute hal_secure_element;
#line 282
expandattribute hal_secure_element true;
#line 282
attribute hal_secure_element_client;
#line 282
expandattribute hal_secure_element_client true;
#line 282
attribute hal_secure_element_server;
#line 282
expandattribute hal_secure_element_server false;
#line 282

#line 282
neverallow { hal_secure_element_server -halserverdomain } domain:process fork;
#line 282
# hal_*_client and halclientdomain attributes are always expanded for
#line 282
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 282
# verified by CTS since these attributes are already expanded by that time.
#line 282

#line 282
neverallow { hal_secure_element_server -hal_secure_element } domain:process fork;
#line 282
neverallow { hal_secure_element_client -halclientdomain } domain:process fork;
#line 282

#line 282
;

#line 283
attribute hal_sensors;
#line 283
expandattribute hal_sensors true;
#line 283
attribute hal_sensors_client;
#line 283
expandattribute hal_sensors_client true;
#line 283
attribute hal_sensors_server;
#line 283
expandattribute hal_sensors_server false;
#line 283

#line 283
neverallow { hal_sensors_server -halserverdomain } domain:process fork;
#line 283
# hal_*_client and halclientdomain attributes are always expanded for
#line 283
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 283
# verified by CTS since these attributes are already expanded by that time.
#line 283

#line 283
neverallow { hal_sensors_server -hal_sensors } domain:process fork;
#line 283
neverallow { hal_sensors_client -halclientdomain } domain:process fork;
#line 283

#line 283
;

#line 284
attribute hal_telephony;
#line 284
expandattribute hal_telephony true;
#line 284
attribute hal_telephony_client;
#line 284
expandattribute hal_telephony_client true;
#line 284
attribute hal_telephony_server;
#line 284
expandattribute hal_telephony_server false;
#line 284

#line 284
neverallow { hal_telephony_server -halserverdomain } domain:process fork;
#line 284
# hal_*_client and halclientdomain attributes are always expanded for
#line 284
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 284
# verified by CTS since these attributes are already expanded by that time.
#line 284

#line 284
neverallow { hal_telephony_server -hal_telephony } domain:process fork;
#line 284
neverallow { hal_telephony_client -halclientdomain } domain:process fork;
#line 284

#line 284
;

#line 285
attribute hal_tetheroffload;
#line 285
expandattribute hal_tetheroffload true;
#line 285
attribute hal_tetheroffload_client;
#line 285
expandattribute hal_tetheroffload_client true;
#line 285
attribute hal_tetheroffload_server;
#line 285
expandattribute hal_tetheroffload_server false;
#line 285

#line 285
neverallow { hal_tetheroffload_server -halserverdomain } domain:process fork;
#line 285
# hal_*_client and halclientdomain attributes are always expanded for
#line 285
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 285
# verified by CTS since these attributes are already expanded by that time.
#line 285

#line 285
neverallow { hal_tetheroffload_server -hal_tetheroffload } domain:process fork;
#line 285
neverallow { hal_tetheroffload_client -halclientdomain } domain:process fork;
#line 285

#line 285
;

#line 286
attribute hal_thermal;
#line 286
expandattribute hal_thermal true;
#line 286
attribute hal_thermal_client;
#line 286
expandattribute hal_thermal_client true;
#line 286
attribute hal_thermal_server;
#line 286
expandattribute hal_thermal_server false;
#line 286

#line 286
neverallow { hal_thermal_server -halserverdomain } domain:process fork;
#line 286
# hal_*_client and halclientdomain attributes are always expanded for
#line 286
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 286
# verified by CTS since these attributes are already expanded by that time.
#line 286

#line 286
neverallow { hal_thermal_server -hal_thermal } domain:process fork;
#line 286
neverallow { hal_thermal_client -halclientdomain } domain:process fork;
#line 286

#line 286
;

#line 287
attribute hal_tv_cec;
#line 287
expandattribute hal_tv_cec true;
#line 287
attribute hal_tv_cec_client;
#line 287
expandattribute hal_tv_cec_client true;
#line 287
attribute hal_tv_cec_server;
#line 287
expandattribute hal_tv_cec_server false;
#line 287

#line 287
neverallow { hal_tv_cec_server -halserverdomain } domain:process fork;
#line 287
# hal_*_client and halclientdomain attributes are always expanded for
#line 287
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 287
# verified by CTS since these attributes are already expanded by that time.
#line 287

#line 287
neverallow { hal_tv_cec_server -hal_tv_cec } domain:process fork;
#line 287
neverallow { hal_tv_cec_client -halclientdomain } domain:process fork;
#line 287

#line 287
;

#line 288
attribute hal_tv_input;
#line 288
expandattribute hal_tv_input true;
#line 288
attribute hal_tv_input_client;
#line 288
expandattribute hal_tv_input_client true;
#line 288
attribute hal_tv_input_server;
#line 288
expandattribute hal_tv_input_server false;
#line 288

#line 288
neverallow { hal_tv_input_server -halserverdomain } domain:process fork;
#line 288
# hal_*_client and halclientdomain attributes are always expanded for
#line 288
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 288
# verified by CTS since these attributes are already expanded by that time.
#line 288

#line 288
neverallow { hal_tv_input_server -hal_tv_input } domain:process fork;
#line 288
neverallow { hal_tv_input_client -halclientdomain } domain:process fork;
#line 288

#line 288
;

#line 289
attribute hal_usb;
#line 289
expandattribute hal_usb true;
#line 289
attribute hal_usb_client;
#line 289
expandattribute hal_usb_client true;
#line 289
attribute hal_usb_server;
#line 289
expandattribute hal_usb_server false;
#line 289

#line 289
neverallow { hal_usb_server -halserverdomain } domain:process fork;
#line 289
# hal_*_client and halclientdomain attributes are always expanded for
#line 289
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 289
# verified by CTS since these attributes are already expanded by that time.
#line 289

#line 289
neverallow { hal_usb_server -hal_usb } domain:process fork;
#line 289
neverallow { hal_usb_client -halclientdomain } domain:process fork;
#line 289

#line 289
;

#line 290
attribute hal_usb_gadget;
#line 290
expandattribute hal_usb_gadget true;
#line 290
attribute hal_usb_gadget_client;
#line 290
expandattribute hal_usb_gadget_client true;
#line 290
attribute hal_usb_gadget_server;
#line 290
expandattribute hal_usb_gadget_server false;
#line 290

#line 290
neverallow { hal_usb_gadget_server -halserverdomain } domain:process fork;
#line 290
# hal_*_client and halclientdomain attributes are always expanded for
#line 290
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 290
# verified by CTS since these attributes are already expanded by that time.
#line 290

#line 290
neverallow { hal_usb_gadget_server -hal_usb_gadget } domain:process fork;
#line 290
neverallow { hal_usb_gadget_client -halclientdomain } domain:process fork;
#line 290

#line 290
;

#line 291
attribute hal_vehicle;
#line 291
expandattribute hal_vehicle true;
#line 291
attribute hal_vehicle_client;
#line 291
expandattribute hal_vehicle_client true;
#line 291
attribute hal_vehicle_server;
#line 291
expandattribute hal_vehicle_server false;
#line 291

#line 291
neverallow { hal_vehicle_server -halserverdomain } domain:process fork;
#line 291
# hal_*_client and halclientdomain attributes are always expanded for
#line 291
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 291
# verified by CTS since these attributes are already expanded by that time.
#line 291

#line 291
neverallow { hal_vehicle_server -hal_vehicle } domain:process fork;
#line 291
neverallow { hal_vehicle_client -halclientdomain } domain:process fork;
#line 291

#line 291
;

#line 292
attribute hal_vibrator;
#line 292
expandattribute hal_vibrator true;
#line 292
attribute hal_vibrator_client;
#line 292
expandattribute hal_vibrator_client true;
#line 292
attribute hal_vibrator_server;
#line 292
expandattribute hal_vibrator_server false;
#line 292

#line 292
neverallow { hal_vibrator_server -halserverdomain } domain:process fork;
#line 292
# hal_*_client and halclientdomain attributes are always expanded for
#line 292
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 292
# verified by CTS since these attributes are already expanded by that time.
#line 292

#line 292
neverallow { hal_vibrator_server -hal_vibrator } domain:process fork;
#line 292
neverallow { hal_vibrator_client -halclientdomain } domain:process fork;
#line 292

#line 292
;

#line 293
attribute hal_vr;
#line 293
expandattribute hal_vr true;
#line 293
attribute hal_vr_client;
#line 293
expandattribute hal_vr_client true;
#line 293
attribute hal_vr_server;
#line 293
expandattribute hal_vr_server false;
#line 293

#line 293
neverallow { hal_vr_server -halserverdomain } domain:process fork;
#line 293
# hal_*_client and halclientdomain attributes are always expanded for
#line 293
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 293
# verified by CTS since these attributes are already expanded by that time.
#line 293

#line 293
neverallow { hal_vr_server -hal_vr } domain:process fork;
#line 293
neverallow { hal_vr_client -halclientdomain } domain:process fork;
#line 293

#line 293
;

#line 294
attribute hal_weaver;
#line 294
expandattribute hal_weaver true;
#line 294
attribute hal_weaver_client;
#line 294
expandattribute hal_weaver_client true;
#line 294
attribute hal_weaver_server;
#line 294
expandattribute hal_weaver_server false;
#line 294

#line 294
neverallow { hal_weaver_server -halserverdomain } domain:process fork;
#line 294
# hal_*_client and halclientdomain attributes are always expanded for
#line 294
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 294
# verified by CTS since these attributes are already expanded by that time.
#line 294

#line 294
neverallow { hal_weaver_server -hal_weaver } domain:process fork;
#line 294
neverallow { hal_weaver_client -halclientdomain } domain:process fork;
#line 294

#line 294
;

#line 295
attribute hal_wifi;
#line 295
expandattribute hal_wifi true;
#line 295
attribute hal_wifi_client;
#line 295
expandattribute hal_wifi_client true;
#line 295
attribute hal_wifi_server;
#line 295
expandattribute hal_wifi_server false;
#line 295

#line 295
neverallow { hal_wifi_server -halserverdomain } domain:process fork;
#line 295
# hal_*_client and halclientdomain attributes are always expanded for
#line 295
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 295
# verified by CTS since these attributes are already expanded by that time.
#line 295

#line 295
neverallow { hal_wifi_server -hal_wifi } domain:process fork;
#line 295
neverallow { hal_wifi_client -halclientdomain } domain:process fork;
#line 295

#line 295
;

#line 296
attribute hal_wifi_hostapd;
#line 296
expandattribute hal_wifi_hostapd true;
#line 296
attribute hal_wifi_hostapd_client;
#line 296
expandattribute hal_wifi_hostapd_client true;
#line 296
attribute hal_wifi_hostapd_server;
#line 296
expandattribute hal_wifi_hostapd_server false;
#line 296

#line 296
neverallow { hal_wifi_hostapd_server -halserverdomain } domain:process fork;
#line 296
# hal_*_client and halclientdomain attributes are always expanded for
#line 296
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 296
# verified by CTS since these attributes are already expanded by that time.
#line 296

#line 296
neverallow { hal_wifi_hostapd_server -hal_wifi_hostapd } domain:process fork;
#line 296
neverallow { hal_wifi_hostapd_client -halclientdomain } domain:process fork;
#line 296

#line 296
;

#line 297
attribute hal_wifi_offload;
#line 297
expandattribute hal_wifi_offload true;
#line 297
attribute hal_wifi_offload_client;
#line 297
expandattribute hal_wifi_offload_client true;
#line 297
attribute hal_wifi_offload_server;
#line 297
expandattribute hal_wifi_offload_server false;
#line 297

#line 297
neverallow { hal_wifi_offload_server -halserverdomain } domain:process fork;
#line 297
# hal_*_client and halclientdomain attributes are always expanded for
#line 297
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 297
# verified by CTS since these attributes are already expanded by that time.
#line 297

#line 297
neverallow { hal_wifi_offload_server -hal_wifi_offload } domain:process fork;
#line 297
neverallow { hal_wifi_offload_client -halclientdomain } domain:process fork;
#line 297

#line 297
;

#line 298
attribute hal_wifi_supplicant;
#line 298
expandattribute hal_wifi_supplicant true;
#line 298
attribute hal_wifi_supplicant_client;
#line 298
expandattribute hal_wifi_supplicant_client true;
#line 298
attribute hal_wifi_supplicant_server;
#line 298
expandattribute hal_wifi_supplicant_server false;
#line 298

#line 298
neverallow { hal_wifi_supplicant_server -halserverdomain } domain:process fork;
#line 298
# hal_*_client and halclientdomain attributes are always expanded for
#line 298
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 298
# verified by CTS since these attributes are already expanded by that time.
#line 298

#line 298
neverallow { hal_wifi_supplicant_server -hal_wifi_supplicant } domain:process fork;
#line 298
neverallow { hal_wifi_supplicant_client -halclientdomain } domain:process fork;
#line 298

#line 298
;

# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server  to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.

attribute camera_service_server;
attribute display_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;

# All types used for super partition block devices.
attribute super_block_device_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/adbd.te"
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;
type adbd_exec, exec_type, file_type, system_file_type;

# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;

# Allow adbd start/stop mdnsd via ctl.start

#line 11

#line 11
allow adbd property_socket:sock_file write;
#line 11
allow adbd init:unix_stream_socket connectto;
#line 11

#line 11
allow adbd ctl_mdnsd_prop:property_service set;
#line 11

#line 11
allow adbd ctl_mdnsd_prop:file { getattr open read map };
#line 11

#line 11

#line 1 "system/sepolicy/prebuilts/api/29.0/public/apexd.te"
# apexd -- manager for APEX packages
type apexd, domain;
type apexd_exec, exec_type, file_type, system_file_type;


#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow apexd servicemanager:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager apexd:dir search;
#line 5
allow servicemanager apexd:file { read open };
#line 5
allow servicemanager apexd:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5


#line 6
  allow apexd apex_service:service_manager { add find };
#line 6
  neverallow { domain -apexd } apex_service:service_manager add;
#line 6


#line 7

#line 7
allow apexd property_socket:sock_file write;
#line 7
allow apexd init:unix_stream_socket connectto;
#line 7

#line 7
allow apexd apexd_prop:property_service set;
#line 7

#line 7
allow apexd apexd_prop:file { getattr open read map };
#line 7

#line 7


neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server } apexd:binder call;

neverallow { domain  } apexd:process ptrace;

# only apexd can set apexd sysprop
neverallow { domain -apexd -init } apexd_prop:property_service set;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/app.te"
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
type appdomain_tmpfs, file_type;

# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;

allow appdomain ashmem_device:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file { getattr open read ioctl lock map };

# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app } rootfs:lnk_file { getattr open read ioctl lock map };
allow { appdomain -isolated_app } tmpfs:lnk_file { getattr open read ioctl lock map };

# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir { open getattr read search ioctl lock };

# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;

#line 44


# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file { { getattr open read ioctl lock map } { open append write lock map } };
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

# For AppFuse.
allow appdomain vold:fd use;

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file { { getattr open read ioctl lock map } { open append write lock map } };

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Traverse into expanded storage
allow appdomain mnt_expand_file:dir { open getattr read search ioctl lock };

# Keychain and user-trusted credentials

#line 76
allow appdomain keychain_data_file:dir { open getattr read search ioctl lock };
#line 76
allow appdomain keychain_data_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 76

allow appdomain misc_user_data_file:dir { open getattr read search ioctl lock };
allow appdomain misc_user_data_file:file { getattr open read ioctl lock map };

# TextClassifier

#line 81
allow { appdomain -isolated_app } textclassifier_data_file:dir { open getattr read search ioctl lock };
#line 81
allow { appdomain -isolated_app } textclassifier_data_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 81


# Access to OEM provided data and apps
allow appdomain oemfs:dir { open getattr read search ioctl lock };
allow appdomain oemfs:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Execute the shell or other system executables.
allow { appdomain -ephemeral_app } shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow { appdomain -ephemeral_app } toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow appdomain system_file:file { getattr execute execute_no_trans map };


# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir { open getattr read search ioctl lock };
allow appdomain system_file:lnk_file { getattr open read };
# Renderscript specific permissions to open /system/vendor/lib64.
#line 100



#line 102
    # For looking up Renderscript vendor drivers
#line 102
    allow { appdomain -isolated_app } vendor_file:dir { open read };
#line 105


# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.

#line 109
allow { appdomain -ephemeral_app } vendor_app_file:dir { open getattr read search ioctl lock };
#line 109
allow { appdomain -ephemeral_app } vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 109

allow { appdomain -ephemeral_app } vendor_app_file:file execute;

# Allow apps access to /vendor/overlay

#line 113
allow appdomain vendor_overlay_file:dir { open getattr read search ioctl lock };
#line 113
allow appdomain vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 113


# Allow apps access to /vendor/framework
# for vendor provided libraries.

#line 117
allow appdomain vendor_framework_file:dir { open getattr read search ioctl lock };
#line 117
allow appdomain vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 117


# Allow apps read / execute access to vendor public libraries.
allow appdomain vendor_public_lib_file:dir { open getattr read search ioctl lock };
allow appdomain vendor_public_lib_file:file { execute read open getattr map };

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };

# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write map };

# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read map };

# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read map };

# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
# TODO: All of these permissions except for anr_data_file:file append can be
# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
# and the rules below.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow apps to connect and write to the tombstoned java trace socket in
# order to dump their traces. Also allow them to append traces to pipes
# created by dumptrace. (Also see the rules below where they are given
# additional permissions to dumpstate pipes for other aspects of bug report
# creation).

#line 151
allow appdomain tombstoned_java_trace_socket:sock_file write;
#line 151
allow appdomain tombstoned:unix_stream_socket connectto;
#line 151

allow appdomain tombstoned:fd use;
allow appdomain dumpstate:fifo_file append;
allow appdomain incidentd:fifo_file append;

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };

# Allow apps to send dump information to incidentd
allow appdomain incidentd:fd use;
allow appdomain incidentd:fifo_file { write getattr };

# Allow apps to send information to statsd socket.

#line 167
allow appdomain statsdw_socket:sock_file write;
#line 167
allow appdomain statsd:unix_dgram_socket sendto;
#line 167


# Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
#line 179


# /proc/net access.
# TODO(b/9496886) Audit access for removal.
# proc_net access for the negated domains below is granted (or not) in their
# individual .te files.

#line 185
allow {
#line 185
  appdomain
#line 185
  -ephemeral_app
#line 185
  -isolated_app
#line 185
  -platform_app
#line 185
  -priv_app
#line 185
  -shell
#line 185
  -system_app
#line 185
  -untrusted_app_all
#line 185
} proc_net_type:dir { open getattr read search ioctl lock };
#line 185
allow {
#line 185
  appdomain
#line 185
  -ephemeral_app
#line 185
  -isolated_app
#line 185
  -platform_app
#line 185
  -priv_app
#line 185
  -shell
#line 185
  -system_app
#line 185
  -untrusted_app_all
#line 185
} proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 194

# audit access for all these non-core app domains.
#line 208


# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Use the Binder.

#line 215
# Call the servicemanager and transfer references to it.
#line 215
allow appdomain servicemanager:binder { call transfer };
#line 215
# servicemanager performs getpidcon on clients.
#line 215
allow servicemanager appdomain:dir search;
#line 215
allow servicemanager appdomain:file { read open };
#line 215
allow servicemanager appdomain:process getattr;
#line 215
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 215
# all domains in domain.te.
#line 215

# Perform binder IPC to binder services.

#line 217
# Call the server domain and optionally transfer references to it.
#line 217
allow appdomain binderservicedomain:binder { call transfer };
#line 217
# Allow the serverdomain to transfer references to the client on the reply.
#line 217
allow binderservicedomain appdomain:binder transfer;
#line 217
# Receive and use open files from the server.
#line 217
allow appdomain binderservicedomain:fd use;
#line 217

# Perform binder IPC to other apps.

#line 219
# Call the server domain and optionally transfer references to it.
#line 219
allow appdomain appdomain:binder { call transfer };
#line 219
# Allow the serverdomain to transfer references to the client on the reply.
#line 219
allow appdomain appdomain:binder transfer;
#line 219
# Receive and use open files from the server.
#line 219
allow appdomain appdomain:fd use;
#line 219

# Perform binder IPC to ephemeral apps.

#line 221
# Call the server domain and optionally transfer references to it.
#line 221
allow appdomain ephemeral_app:binder { call transfer };
#line 221
# Allow the serverdomain to transfer references to the client on the reply.
#line 221
allow ephemeral_app appdomain:binder transfer;
#line 221
# Receive and use open files from the server.
#line 221
allow appdomain ephemeral_app:fd use;
#line 221


# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr map };
allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file { getattr open read ioctl lock map };
allow appdomain system_data_file:file { getattr read map };

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app -ephemeral_app } storage_file:dir { open getattr read search ioctl lock };
allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file { getattr open read ioctl lock map };
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir { open getattr read search ioctl lock };
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file { getattr open read ioctl lock map };

# Read/write visible storage
allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file { getattr open read ioctl lock map };

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file { getattr open read ioctl lock map };

# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
allow appdomain apk_data_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# /data/resource-cache
allow appdomain resourcecache_data_file:file { getattr open read ioctl lock map };
allow appdomain resourcecache_data_file:dir { open getattr read search ioctl lock };

# logd access

#line 287
allow appdomain logcat_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
#line 287

#line 287
allow appdomain logdr_socket:sock_file write;
#line 287
allow appdomain logd:unix_stream_socket connectto;
#line 287

#line 287


#line 288
# Group AID_LOG checked by filesystem & logd
#line 288
# to permit control commands
#line 288

#line 288
allow { appdomain -ephemeral_app } logd_socket:sock_file write;
#line 288
allow { appdomain -ephemeral_app } logd:unix_stream_socket connectto;
#line 288

#line 288

# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };


#line 294
  allow keystore { appdomain -isolated_app -ephemeral_app }:dir search;
#line 294
  allow keystore { appdomain -isolated_app -ephemeral_app }:file { read open };
#line 294
  allow keystore { appdomain -isolated_app -ephemeral_app }:process getattr;
#line 294
  allow { appdomain -isolated_app -ephemeral_app } keystore_service:service_manager find;
#line 294

#line 294
# Call the server domain and optionally transfer references to it.
#line 294
allow { appdomain -isolated_app -ephemeral_app } keystore:binder { call transfer };
#line 294
# Allow the serverdomain to transfer references to the client on the reply.
#line 294
allow keystore { appdomain -isolated_app -ephemeral_app }:binder transfer;
#line 294
# Receive and use open files from the server.
#line 294
allow { appdomain -isolated_app -ephemeral_app } keystore:fd use;
#line 294

#line 294

#line 294
# Call the server domain and optionally transfer references to it.
#line 294
allow keystore { appdomain -isolated_app -ephemeral_app }:binder { call transfer };
#line 294
# Allow the serverdomain to transfer references to the client on the reply.
#line 294
allow { appdomain -isolated_app -ephemeral_app } keystore:binder transfer;
#line 294
# Receive and use open files from the server.
#line 294
allow keystore { appdomain -isolated_app -ephemeral_app }:fd use;
#line 294

#line 294


allow appdomain console_device:chr_file { read write };

# only allow unprivileged socket ioctl commands
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl {
#line 300
{
#line 300
# Socket ioctls for gathering information about the interface
#line 300
0x00008906 0x00008907
#line 300
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 300
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 300
# Wireless extension ioctls. Primarily get functions.
#line 300
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 300
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 300
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 300
} {
#line 300
  0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005413 0x00005414 0x0000540e
#line 300
  0x00005403 0x0000540b 0x00005410 0x0000540f
#line 300
} };

allow { appdomain -isolated_app } ion_device:chr_file { getattr open read ioctl lock map };

# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;

# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;

# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };

# TODO: switch to meminfo service
allow appdomain proc_meminfo:file { getattr open read ioctl lock map };

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };


#line 320

#line 320
# Allow client to open the service endpoint file.
#line 320
allow { appdomain -isolated_app -ephemeral_app } pdx_display_client_endpoint_dir_type:dir { open getattr read search ioctl lock };
#line 320
allow { appdomain -isolated_app -ephemeral_app } pdx_display_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 320
# Allow the client to connect to endpoint socket.
#line 320
allow { appdomain -isolated_app -ephemeral_app } pdx_display_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 320

#line 320

#line 320
# Allow the client to use the PDX channel socket.
#line 320
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 320
# than we need (e.g. we don"t need "bind" or "connect").
#line 320
allow { appdomain -isolated_app -ephemeral_app } pdx_display_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 320
# Client needs to use an channel event fd from the server.
#line 320
allow { appdomain -isolated_app -ephemeral_app } pdx_display_client_server_type:fd use;
#line 320
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 320
# This could be tightened on a per-server basis, but keeping track of service
#line 320
# clients is error prone.
#line 320
allow pdx_display_client_server_type { appdomain -isolated_app -ephemeral_app }:fd use;
#line 320

#line 320


#line 321

#line 321
# Allow client to open the service endpoint file.
#line 321
allow { appdomain -isolated_app -ephemeral_app } pdx_display_manager_endpoint_dir_type:dir { open getattr read search ioctl lock };
#line 321
allow { appdomain -isolated_app -ephemeral_app } pdx_display_manager_endpoint_socket_type:sock_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 321
# Allow the client to connect to endpoint socket.
#line 321
allow { appdomain -isolated_app -ephemeral_app } pdx_display_manager_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 321

#line 321

#line 321
# Allow the client to use the PDX channel socket.
#line 321
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 321
# than we need (e.g. we don"t need "bind" or "connect").
#line 321
allow { appdomain -isolated_app -ephemeral_app } pdx_display_manager_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 321
# Client needs to use an channel event fd from the server.
#line 321
allow { appdomain -isolated_app -ephemeral_app } pdx_display_manager_server_type:fd use;
#line 321
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 321
# This could be tightened on a per-server basis, but keeping track of service
#line 321
# clients is error prone.
#line 321
allow pdx_display_manager_server_type { appdomain -isolated_app -ephemeral_app }:fd use;
#line 321

#line 321


#line 322

#line 322
# Allow client to open the service endpoint file.
#line 322
allow { appdomain -isolated_app -ephemeral_app } pdx_display_vsync_endpoint_dir_type:dir { open getattr read search ioctl lock };
#line 322
allow { appdomain -isolated_app -ephemeral_app } pdx_display_vsync_endpoint_socket_type:sock_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 322
# Allow the client to connect to endpoint socket.
#line 322
allow { appdomain -isolated_app -ephemeral_app } pdx_display_vsync_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 322

#line 322

#line 322
# Allow the client to use the PDX channel socket.
#line 322
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 322
# than we need (e.g. we don"t need "bind" or "connect").
#line 322
allow { appdomain -isolated_app -ephemeral_app } pdx_display_vsync_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 322
# Client needs to use an channel event fd from the server.
#line 322
allow { appdomain -isolated_app -ephemeral_app } pdx_display_vsync_server_type:fd use;
#line 322
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 322
# This could be tightened on a per-server basis, but keeping track of service
#line 322
# clients is error prone.
#line 322
allow pdx_display_vsync_server_type { appdomain -isolated_app -ephemeral_app }:fd use;
#line 322

#line 322


#line 323

#line 323
# Allow client to open the service endpoint file.
#line 323
allow { appdomain -isolated_app -ephemeral_app } pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock };
#line 323
allow { appdomain -isolated_app -ephemeral_app } pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 323
# Allow the client to connect to endpoint socket.
#line 323
allow { appdomain -isolated_app -ephemeral_app } pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 323

#line 323

#line 323
# Allow the client to use the PDX channel socket.
#line 323
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 323
# than we need (e.g. we don"t need "bind" or "connect").
#line 323
allow { appdomain -isolated_app -ephemeral_app } pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 323
# Client needs to use an channel event fd from the server.
#line 323
allow { appdomain -isolated_app -ephemeral_app } pdx_performance_client_server_type:fd use;
#line 323
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 323
# This could be tightened on a per-server basis, but keeping track of service
#line 323
# clients is error prone.
#line 323
allow pdx_performance_client_server_type { appdomain -isolated_app -ephemeral_app }:fd use;
#line 323

#line 323

# Apps do not directly open the IPC socket for bufferhubd.

#line 325
# Allow the client to use the PDX channel socket.
#line 325
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 325
# than we need (e.g. we don"t need "bind" or "connect").
#line 325
allow { appdomain -isolated_app -ephemeral_app } pdx_bufferhub_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 325
# Client needs to use an channel event fd from the server.
#line 325
allow { appdomain -isolated_app -ephemeral_app } pdx_bufferhub_client_server_type:fd use;
#line 325
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 325
# This could be tightened on a per-server basis, but keeping track of service
#line 325
# clients is error prone.
#line 325
allow pdx_bufferhub_client_server_type { appdomain -isolated_app -ephemeral_app }:fd use;
#line 325


###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl 0x800454d2;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

allow appdomain cache_file:dir getattr;

# Allow apps to run with asanwrapper.


# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };

# Read tmpfs types from these processes.
allow appdomain audioserver_tmpfs:file { getattr map read write };
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };

# Allow vendor apps access to ashmemd to request /dev/ashmem fds.

#line 361
# Call the server domain and optionally transfer references to it.
#line 361
allow { appdomain -coredomain } ashmemd:binder { call transfer };
#line 361
# Allow the serverdomain to transfer references to the client on the reply.
#line 361
allow ashmemd { appdomain -coredomain }:binder transfer;
#line 361
# Receive and use open files from the server.
#line 361
allow { appdomain -coredomain } ashmemd:fd use;
#line 361


###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
neverallow { appdomain -bluetooth -network_stack } self:{ capability capability2 cap_userns cap2_userns } *;

# Block device access.
neverallow appdomain dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow appdomain {
    audio_device
    camera_device
    dm_device
    radio_device
    rpmsg_device
    video_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };

neverallow { appdomain -nfc } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
    { read write };
neverallow appdomain tee_device:chr_file { read write };

# Privileged netlink socket interfaces.
neverallow appdomain
    domain:{
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_dnrt_socket
    } *;

# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };

# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;

# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;

# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;

# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
# produce stack traces.  llkd is excluded, as it needs ptrace access to
# inspect stack traces for live lock conditions.

neverallow {
  domain
  -appdomain
  -crash_dump

} appdomain:process ptrace;

# Read or write access to /proc/pid entries for any non-app domain.
# A different form of hidepid=2 like protections
neverallow appdomain { domain -appdomain }:file { append create link unlink relabelfrom rename setattr write };
neverallow { appdomain -shell } { domain -appdomain }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
# -perfetto is to allow shell (which is an appdomain) to kill perfetto
# (see private/shell.te).
neverallow appdomain { domain -appdomain -perfetto }:process
    { sigkill sigstop signal };

# Write to rootfs.
neverallow appdomain rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow appdomain system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow appdomain exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts.  Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow appdomain drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
    apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -shell }
    shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
    bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
    dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# access tmp apk files
neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
    { apk_tmp_file apk_private_tmp_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;

neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ { chr_file blk_file } dir fifo_file lnk_file sock_file } *;
neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };

# Access to factory files.
neverallow appdomain efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow { appdomain -shell } efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } read;

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
    sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow appdomain
    proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };

# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
neverallow { appdomain -shell } *:netlink_selinux_socket *;

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;

# prevent creation/manipulation of globally readable symlinks
neverallow appdomain {
  apk_data_file
  cache_file
  cache_recovery_file
  dev_type
  rootfs
  system_file
  tmpfs
}:lnk_file { append create link unlink relabelfrom rename setattr write };

# Denylist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file { execute execute_no_trans };

# Applications should use the activity model for receiving events
neverallow {
  appdomain
  -shell # bugreport
} input_device:chr_file ~getattr;

# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
  appdomain
  -bluetooth
  -system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;

# Apps cannot access proc_uid_concurrent_active_time
neverallow appdomain proc_uid_concurrent_active_time:file *;

# Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *;

# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;

# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
# perform UID lookups.
neverallow { appdomain -shell } proc_net_tcp_udp:file *;

# Apps cannot access bootstrap files. The bootstrap files are only for
# extremely early processes (like init, etc.) which are started before
# the runtime APEX is activated and Bionic libs are provided from there.
# If app process accesses (or even load/execute) the bootstrap files,
# it might cause problems such as ODR violation, etc.
neverallow appdomain system_bootstrap_lib_file:file
    { open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
    { open read getattr search };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/app_zygote.te"
# app_zygote is an auxiliary zygote process that is used to spawn
# isolated service processes for individual applications. It is
# spawned from the regular zygote process as a "child zygote".

type app_zygote, domain;
type app_zygote_tmpfs, file_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/asan_extract.te"
# asan_extract
#
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.

#line 36

#line 1 "system/sepolicy/prebuilts/api/29.0/public/ashmemd.te"
type ashmemd, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/audioserver.te"
# audioserver - audio services daemon
type audioserver, domain;
type audioserver_tmpfs, file_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/blkid.te"
# blkid called from vold
type blkid, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/blkid_untrusted.te"
# blkid for untrusted block devices
type blkid_untrusted, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/bluetooth.te"
# bluetooth subsystem
type bluetooth, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/bootanim.te"
# bootanimation oneshot service
type bootanim, domain;
type bootanim_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute bootanim halclientdomain;
#line 5
typeattribute bootanim hal_configstore_client;
#line 5

#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5

#line 5


#line 6
typeattribute bootanim halclientdomain;
#line 6
typeattribute bootanim hal_graphics_allocator_client;
#line 6

#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6

#line 6


#line 7
typeattribute bootanim halclientdomain;
#line 7
typeattribute bootanim hal_graphics_composer_client;
#line 7

#line 7
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 7
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 7
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 7

#line 7



#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow bootanim servicemanager:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager bootanim:dir search;
#line 9
allow servicemanager bootanim:file { read open };
#line 9
allow servicemanager bootanim:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9


#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow bootanim surfaceflinger:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow surfaceflinger bootanim:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow bootanim surfaceflinger:fd use;
#line 10


#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow bootanim audioserver:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow audioserver bootanim:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow bootanim audioserver:fd use;
#line 11



#line 13
# Call the hwservicemanager and transfer references to it.
#line 13
allow bootanim hwservicemanager:binder { call transfer };
#line 13
# Allow hwservicemanager to send out callbacks
#line 13
allow hwservicemanager bootanim:binder { call transfer };
#line 13
# hwservicemanager performs getpidcon on clients.
#line 13
allow hwservicemanager bootanim:dir search;
#line 13
allow hwservicemanager bootanim:file { read open map };
#line 13
allow hwservicemanager bootanim:process getattr;
#line 13
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 13
# all domains in domain.te.
#line 13


allow bootanim gpu_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# /oem access
allow bootanim oemfs:dir search;
allow bootanim oemfs:file { getattr open read ioctl lock map };

allow bootanim audio_device:dir { open getattr read search ioctl lock };
allow bootanim audio_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;

# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow bootanim hal_graphics_allocator:fd use;

# Fences
allow bootanim hal_graphics_composer:fd use;

# Read access to pseudo filesystems.
allow bootanim proc_meminfo:file { getattr open read ioctl lock map };

# System file accesses.
allow bootanim system_file:dir { open getattr read search ioctl lock };

# Read ro.boot.bootreason b/30654343

#line 41
allow bootanim bootloader_boot_reason_prop:file { getattr open read map };
#line 41


#line 1 "system/sepolicy/prebuilts/api/29.0/public/bootstat.te"
# bootstat command
type bootstat, domain;
type bootstat_exec, system_file_type, exec_type, file_type;


#line 5
allow bootstat runtime_event_log_tags_file:file { getattr open read ioctl lock map };
#line 5


# Allow persistent storage in /data/misc/bootstat.
allow bootstat bootstat_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow bootstat bootstat_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Collect metrics on boot time created by init

#line 12
allow bootstat boottime_prop:file { getattr open read map };
#line 12


# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)

#line 15

#line 15
allow bootstat property_socket:sock_file write;
#line 15
allow bootstat init:unix_stream_socket connectto;
#line 15

#line 15
allow bootstat bootloader_boot_reason_prop:property_service set;
#line 15

#line 15
allow bootstat bootloader_boot_reason_prop:file { getattr open read map };
#line 15

#line 15


#line 16

#line 16
allow bootstat property_socket:sock_file write;
#line 16
allow bootstat init:unix_stream_socket connectto;
#line 16

#line 16
allow bootstat system_boot_reason_prop:property_service set;
#line 16

#line 16
allow bootstat system_boot_reason_prop:file { getattr open read map };
#line 16

#line 16


#line 17

#line 17
allow bootstat property_socket:sock_file write;
#line 17
allow bootstat init:unix_stream_socket connectto;
#line 17

#line 17
allow bootstat last_boot_reason_prop:property_service set;
#line 17

#line 17
allow bootstat last_boot_reason_prop:file { getattr open read map };
#line 17

#line 17


# ToDo: TBI move access for the following to a system health HAL

# Allow access to /sys/fs/pstore/ and syslog
allow bootstat pstorefs:dir search;
allow bootstat pstorefs:file { getattr open read ioctl lock map };
allow bootstat kernel:system syslog_read;

# Allow access to reading the logs to read aspects of system health

#line 27
allow bootstat logcat_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
#line 27

#line 27
allow bootstat logdr_socket:sock_file write;
#line 27
allow bootstat logd:unix_stream_socket connectto;
#line 27

#line 27


# Allow bootstat write to statsd.

#line 30
allow bootstat statsdw_socket:sock_file write;
#line 30
allow bootstat statsd:unix_dgram_socket sendto;
#line 30


# ToDo: end

neverallow {
  domain
  -bootanim
  -bootstat
  -dumpstate
  -init
  -recovery
  -shell
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file { getattr open read ioctl lock map };
# ... and refine, as these components should not set the last boot reason
neverallow { bootanim recovery } last_boot_reason_prop:file { getattr open read ioctl lock map };

neverallow {
  domain
  -bootstat
  -init
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
# ... and refine ... for a ro propertly no less ... keep this _tight_
neverallow system_server bootloader_boot_reason_prop:property_service set;

neverallow {
  domain
  -bootstat
  -init
} system_boot_reason_prop:property_service set;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/bufferhubd.te"
# bufferhubd
type bufferhubd, domain, mlstrustedsubject;
type bufferhubd_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute bufferhubd halclientdomain;
#line 5
typeattribute bufferhubd hal_graphics_allocator_client;
#line 5

#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5

#line 5


# TODO(b/112338294): remove these after migrate to Binder

#line 8
# Mark the server domain as a PDX server.
#line 8
typeattribute bufferhubd pdx_bufferhub_client_server_type;
#line 8
# Allow the init process to create the initial endpoint socket.
#line 8
allow init pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { create bind };
#line 8
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 8
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 8
# than we need (e.g. we don"t need "bind" or "connect").
#line 8
allow bufferhubd pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 8
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 8
allow bufferhubd self:process setsockcreate;
#line 8
# Allow the server domain to create a client channel socket.
#line 8
allow bufferhubd pdx_bufferhub_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 8
# Prevent other processes from claiming to be a server for the same service.
#line 8
neverallow {domain -bufferhubd} pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { listen accept };
#line 8


#line 9

#line 9
# Allow client to open the service endpoint file.
#line 9
allow bufferhubd pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock };
#line 9
allow bufferhubd pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 9
# Allow the client to connect to endpoint socket.
#line 9
allow bufferhubd pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 9

#line 9

#line 9
# Allow the client to use the PDX channel socket.
#line 9
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 9
# than we need (e.g. we don"t need "bind" or "connect").
#line 9
allow bufferhubd pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 9
# Client needs to use an channel event fd from the server.
#line 9
allow bufferhubd pdx_performance_client_server_type:fd use;
#line 9
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 9
# This could be tightened on a per-server basis, but keeping track of service
#line 9
# clients is error prone.
#line 9
allow pdx_performance_client_server_type bufferhubd:fd use;
#line 9

#line 9


# Access the GPU.
allow bufferhubd gpu_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Access /dev/ion
allow bufferhubd ion_device:chr_file { getattr open read ioctl lock map };

# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;

# Codec2 is similar to OMX
allow bufferhubd hal_codec2_server:fd use;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/camera_service_server.te"

#line 1
  allow camera_service_server fwk_camera_hwservice:hwservice_manager { add find };
#line 1
  allow camera_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
  neverallow { domain -camera_service_server } fwk_camera_hwservice:hwservice_manager add;
#line 1

#line 1 "system/sepolicy/prebuilts/api/29.0/public/cameraserver.te"
# cameraserver - camera daemon
type cameraserver, domain;
type cameraserver_exec, system_file_type, exec_type, file_type;
type cameraserver_tmpfs, file_type;


#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow cameraserver servicemanager:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager cameraserver:dir search;
#line 6
allow servicemanager cameraserver:file { read open };
#line 6
allow servicemanager cameraserver:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6


#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow cameraserver binderservicedomain:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow binderservicedomain cameraserver:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow cameraserver binderservicedomain:fd use;
#line 7


#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow cameraserver appdomain:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow appdomain cameraserver:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow cameraserver appdomain:fd use;
#line 8


#line 9
typeattribute cameraserver binderservicedomain;
#line 9



#line 11
typeattribute cameraserver halclientdomain;
#line 11
typeattribute cameraserver hal_camera_client;
#line 11

#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11

#line 11



#line 13
typeattribute cameraserver halclientdomain;
#line 13
typeattribute cameraserver hal_graphics_allocator_client;
#line 13

#line 13
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 13
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 13
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 13

#line 13


allow cameraserver ion_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;


#line 20
  allow cameraserver cameraserver_service:service_manager { add find };
#line 20
  neverallow { domain -cameraserver } cameraserver_service:service_manager add;
#line 20


#line 21
  allow cameraserver fwk_camera_hwservice:hwservice_manager { add find };
#line 21
  allow cameraserver hidl_base_hwservice:hwservice_manager add;
#line 21
  neverallow { domain -cameraserver } fwk_camera_hwservice:hwservice_manager add;
#line 21


allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
allow cameraserver batterystats_service:service_manager find;
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;

allow cameraserver hidl_token_hwservice:hwservice_manager find;

###
### neverallow rules
###

# cameraserver should never execute any executable without a
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;

# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
allow cameraserver adbd:unix_stream_socket { read write };
allow cameraserver shell:fd use;
allow cameraserver shell:unix_stream_socket { read write };
allow cameraserver shell:fifo_file { read write };

# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;

#line 65
typeattribute cameraserver halclientdomain;
#line 65
typeattribute cameraserver hal_codec2_client;
#line 65

#line 65
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 65
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 65
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 65

#line 65


#line 66
typeattribute cameraserver halclientdomain;
#line 66
typeattribute cameraserver hal_omx_client;
#line 66

#line 66
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 66
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 66
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 66

#line 66


#line 67
typeattribute cameraserver halclientdomain;
#line 67
typeattribute cameraserver hal_allocator_client;
#line 67

#line 67
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 67
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 67
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 67

#line 67


# Allow shell commands from ADB for CTS testing/dumping
#line 74

#line 1 "system/sepolicy/prebuilts/api/29.0/public/charger.te"
type charger, domain;
type charger_exec, system_file_type, exec_type, file_type;

# Write to /dev/kmsg
allow charger kmsg_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Read access to pseudo filesystems.

#line 8
allow charger rootfs:dir { open getattr read search ioctl lock };
#line 8
allow charger rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 8


#line 9
allow charger cgroup:dir { open getattr read search ioctl lock };
#line 9
allow charger cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 9


# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir { open getattr read search ioctl lock };

allow charger self:{ capability cap_userns } { sys_tty_config };
allow charger self:{ capability cap_userns } sys_boot;


#line 17
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 17
# deprecated.
#line 17
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 17
allow charger sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 17
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 17
allow charger self:{ capability2 cap2_userns } block_suspend;
#line 17
# system_suspend permissions
#line 17

#line 17
# Call the server domain and optionally transfer references to it.
#line 17
allow charger system_suspend_server:binder { call transfer };
#line 17
# Allow the serverdomain to transfer references to the client on the reply.
#line 17
allow system_suspend_server charger:binder transfer;
#line 17
# Receive and use open files from the server.
#line 17
allow charger system_suspend_server:fd use;
#line 17

#line 17
allow charger system_suspend_hwservice:hwservice_manager find;
#line 17
# halclientdomain permissions
#line 17

#line 17
# Call the hwservicemanager and transfer references to it.
#line 17
allow charger hwservicemanager:binder { call transfer };
#line 17
# Allow hwservicemanager to send out callbacks
#line 17
allow hwservicemanager charger:binder { call transfer };
#line 17
# hwservicemanager performs getpidcon on clients.
#line 17
allow hwservicemanager charger:dir search;
#line 17
allow hwservicemanager charger:file { read open map };
#line 17
allow hwservicemanager charger:process getattr;
#line 17
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 17
# all domains in domain.te.
#line 17

#line 17

#line 17
allow charger hwservicemanager_prop:file { getattr open read map };
#line 17

#line 17
allow charger hidl_manager_hwservice:hwservice_manager find;
#line 17


allow charger self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };

# Read/write to /sys/power/state
allow charger sysfs_power:file { { getattr open read ioctl lock map } { open append write lock map } };


#line 24
allow charger sysfs_batteryinfo:dir { open getattr read search ioctl lock };
#line 24
allow charger sysfs_batteryinfo:{ file lnk_file } { getattr open read ioctl lock map };
#line 24


# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow charger pstorefs:dir { open getattr read search ioctl lock };
allow charger pstorefs:file { getattr open read ioctl lock map };

allow charger graphics_device:dir { open getattr read search ioctl lock };
allow charger graphics_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow charger input_device:dir { open getattr read search ioctl lock };
allow charger input_device:chr_file { getattr open read ioctl lock map };
allow charger tty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow charger proc_sysrq:file { { getattr open read ioctl lock map } { open append write lock map } };

# charger needs to tell init to continue the boot
# process when running in charger mode.

#line 41

#line 41
allow charger property_socket:sock_file write;
#line 41
allow charger init:unix_stream_socket connectto;
#line 41

#line 41
allow charger system_prop:property_service set;
#line 41

#line 41
allow charger system_prop:file { getattr open read map };
#line 41

#line 41


#line 42

#line 42
allow charger property_socket:sock_file write;
#line 42
allow charger init:unix_stream_socket connectto;
#line 42

#line 42
allow charger exported_system_prop:property_service set;
#line 42

#line 42
allow charger exported_system_prop:file { getattr open read map };
#line 42

#line 42


#line 43

#line 43
allow charger property_socket:sock_file write;
#line 43
allow charger init:unix_stream_socket connectto;
#line 43

#line 43
allow charger exported2_system_prop:property_service set;
#line 43

#line 43
allow charger exported2_system_prop:file { getattr open read map };
#line 43

#line 43


#line 44

#line 44
allow charger property_socket:sock_file write;
#line 44
allow charger init:unix_stream_socket connectto;
#line 44

#line 44
allow charger exported3_system_prop:property_service set;
#line 44

#line 44
allow charger exported3_system_prop:file { getattr open read map };
#line 44

#line 44

#line 1 "system/sepolicy/prebuilts/api/29.0/public/clatd.te"
# 464xlat daemon
type clatd, domain;
type clatd_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute clatd netdomain;
#line 5



#line 7
allow clatd proc_net_type:dir { open getattr read search ioctl lock };
#line 7
allow clatd proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 7

#line 10


# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
# TODO: Check whether some or all of these sockets should be close-on-exec.
allow clatd netd:netlink_kobject_uevent_socket { read write };
allow clatd netd:netlink_nflog_socket { read write };
allow clatd netd:netlink_route_socket { read write };
allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };

allow clatd self:{ capability cap_userns } { net_admin net_raw setuid setgid };

# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
# so we permit any requests we see from clatd asking for this capability.
# See https://android-review.googlesource.com/127940 and
# https://b.corp.google.com/issues/21736319
allow clatd self:{ capability cap_userns } ipc_lock;

allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket } { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow clatd tun_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };type crash_dump, domain;
#line 2 "system/sepolicy/prebuilts/api/29.0/public/crash_dump.te"
type crash_dump_exec, system_file_type, exec_type, file_type;

# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:{ capability cap_userns } { sys_ptrace };

#line 13


# Use inherited file descriptors
allow crash_dump domain:fd use;

# Read/write IPC pipes inherited from crashing processes.
allow crash_dump domain:fifo_file { read write };

# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };


#line 24
allow crash_dump domain:dir { open getattr read search ioctl lock };
#line 24
allow crash_dump domain:{ file lnk_file } { getattr open read ioctl lock map };
#line 24

allow crash_dump exec_type:file { getattr open read ioctl lock map };

# Read /data/dalvik-cache.
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file { getattr open read ioctl lock map };

# Read APK files.

#line 32
allow crash_dump apk_data_file:dir { open getattr read search ioctl lock };
#line 32
allow crash_dump apk_data_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 32
;

# Read all /vendor

#line 35
allow crash_dump { vendor_file same_process_hal_file }:dir { open getattr read search ioctl lock };
#line 35
allow crash_dump { vendor_file same_process_hal_file }:{ file lnk_file } { getattr open read ioctl lock map };
#line 35


# Talk to tombstoned

#line 38
allow crash_dump tombstoned_crash_socket:sock_file write;
#line 38
allow crash_dump tombstoned:unix_stream_socket connectto;
#line 38


# Talk to ActivityManager.

#line 41
allow crash_dump system_ndebug_socket:sock_file write;
#line 41
allow crash_dump system_server:unix_stream_socket connectto;
#line 41


# Append to ANR files.
allow crash_dump anr_data_file:file { append getattr };

# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };

# crash_dump writes out logcat logs at the bottom of tombstones,
# which is super useful in some cases.

#line 51
allow crash_dump logdr_socket:sock_file write;
#line 51
allow crash_dump logd:unix_stream_socket connectto;
#line 51


# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
  core_data_file_type
  vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:file read;
dontaudit crash_dump property_type:file read;

###
### neverallow assertions
###

# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
neverallow domain crash_dump_exec:file execute_no_trans;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/device.te"
# Device types
type device, dev_type, fs_type;
type ashmem_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
type ram_device, dev_type;
type rtc_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
# GPU (used by most UI apps)
type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
type port_device, dev_type;
type lowpan_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type;
type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
type secure_element_device, dev_type;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
type video_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type, mlstrustedobject;
type usb_device, dev_type, mlstrustedobject;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;

# All devices have a uart for the hci
# attach service. The uart dev node
# varies per device. This type
# is used in per device policy
type hci_attach_dev, dev_type;

# All devices have a rpmsg device for
# achieving remoteproc and rpmsg modules
type rpmsg_device, dev_type;

# Partition layout block device
type root_block_device, dev_type;

# factory reset protection block device
type frp_block_device, dev_type;

# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type system_block_device, dev_type;

# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type recovery_block_device, dev_type;

# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type boot_block_device, dev_type;

# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type userdata_block_device, dev_type;

# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type cache_block_device, dev_type;

# Block device for any swap partition.
type swap_block_device, dev_type;

# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type metadata_block_device, dev_type;

# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type misc_block_device, dev_type;

# 'super' partition to be used for logical partitioning.
type super_block_device, super_block_device_type, dev_type;

# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/dhcp.te"
type dhcp, domain;
type dhcp_exec, system_file_type, exec_type, file_type;


#line 4
typeattribute dhcp netdomain;
#line 4


allow dhcp cgroup:dir { create write add_name };
allow dhcp self:{ capability cap_userns } { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow dhcp system_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };


# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
allow dhcp toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net_type:file write;


#line 20

#line 20
allow dhcp property_socket:sock_file write;
#line 20
allow dhcp init:unix_stream_socket connectto;
#line 20

#line 20
allow dhcp dhcp_prop:property_service set;
#line 20

#line 20
allow dhcp dhcp_prop:file { getattr open read map };
#line 20

#line 20


#line 21

#line 21
allow dhcp property_socket:sock_file write;
#line 21
allow dhcp init:unix_stream_socket connectto;
#line 21

#line 21
allow dhcp pan_result_prop:property_service set;
#line 21

#line 21
allow dhcp pan_result_prop:file { getattr open read map };
#line 21

#line 21


allow dhcp dhcp_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow dhcp dhcp_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# PAN connections
allow dhcp netd:fd use;
allow dhcp netd:fifo_file { { getattr open read ioctl lock map } { open append write lock map } };
allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/display_service_server.te"

#line 1
  allow display_service_server fwk_display_hwservice:hwservice_manager { add find };
#line 1
  allow display_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
  neverallow { domain -display_service_server } fwk_display_hwservice:hwservice_manager add;
#line 1

#line 1 "system/sepolicy/prebuilts/api/29.0/public/dnsmasq.te"
# DNS, DHCP services
type dnsmasq, domain;
type dnsmasq_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute dnsmasq netdomain;
#line 5

allowxperm dnsmasq self:udp_socket ioctl
#line 6
{
#line 6
# qualcomm rmnet ioctls
#line 6
0x00006900 0x00006902
#line 6
# socket ioctls
#line 6
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 6
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 6
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 6
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 6
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 6
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 6
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 6
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 6
0x00008991 0x00008992 0x00008993 0x00008994
#line 6
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 6
# device and protocol specific ioctls
#line 6
0x000089f0-0x000089ff
#line 6
0x000089e0-0x000089ef
#line 6
# Wireless extension ioctls
#line 6
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 6
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 6
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 6
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 6
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 6
0x00008b34 0x00008b35 0x00008b36
#line 6
# Dev private ioctl i.e. hardware specific ioctls
#line 6
0x00008be0-0x00008bff
#line 6
};

# TODO:  Run with dhcp group to avoid need for dac_override.
allow dnsmasq self:{ capability cap_userns } { dac_override dac_read_search };

allow dnsmasq self:{ capability cap_userns } { net_admin net_raw net_bind_service setgid setuid };

allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name lock };
allow dnsmasq dhcp_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Inherit and use open files from netd.
allow dnsmasq netd:fd use;
allow dnsmasq netd:fifo_file { getattr read write };
# TODO: Investigate whether these inherited sockets should be closed on exec.
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
allow dnsmasq netd:netlink_nflog_socket { read write };
allow dnsmasq netd:netlink_route_socket { read write };
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/domain.te"
# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain proc:dir { open getattr read search ioctl lock };
allow domain proc_net_type:dir search;

#line 27
allow domain self:dir { open getattr read search ioctl lock };
#line 27
allow domain self:{ file lnk_file } { getattr open read ioctl lock map };
#line 27

allow domain self:{ fifo_file file } { { getattr open read ioctl lock map } { open append write lock map } };
allow domain self:unix_dgram_socket { { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } } sendto };
allow domain self:unix_stream_socket { { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } } connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

#line 52


#line 58


# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file { getattr open read ioctl lock map };
allow domain devpts:dir search;
allow domain socket_device:dir { open getattr read search ioctl lock };
allow domain owntty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow domain null_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow domain zero_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow {
  domain
  # TODO(b/113362644): route coredomain to ashmemd
  #-coredomain
  -mediaprovider
  -ephemeral_app
  -isolated_app
  -untrusted_app_all
} ashmem_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Allow using fds to /dev/ashmem.
allow domain ashmemd:fd use;

# /dev/binder can be accessed by non-vendor domains and by apps
allow {
  coredomain
  appdomain
  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  -hwservicemanager
} binder_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder

allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow domain ptmx_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow domain random_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow domain proc_random:dir { open getattr read search ioctl lock };
allow domain proc_random:file { getattr open read ioctl lock map };
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file { getattr open read ioctl lock map };
allow domain property_info:file { getattr open read ioctl lock map };

# Public readable properties

#line 105
allow domain debug_prop:file { getattr open read map };
#line 105


#line 106
allow domain exported_config_prop:file { getattr open read map };
#line 106


#line 107
allow domain exported_default_prop:file { getattr open read map };
#line 107


#line 108
allow domain exported_dumpstate_prop:file { getattr open read map };
#line 108


#line 109
allow domain exported_fingerprint_prop:file { getattr open read map };
#line 109


#line 110
allow domain exported_radio_prop:file { getattr open read map };
#line 110


#line 111
allow domain exported_secure_prop:file { getattr open read map };
#line 111


#line 112
allow domain exported_system_prop:file { getattr open read map };
#line 112


#line 113
allow domain exported_vold_prop:file { getattr open read map };
#line 113


#line 114
allow domain exported2_default_prop:file { getattr open read map };
#line 114


#line 115
allow domain logd_prop:file { getattr open read map };
#line 115


# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.

#line 119
allow domain log_property_type:file { getattr open read map };
#line 119

dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file { getattr open read ioctl lock map };

allow domain init:key search;
allow domain vold:key search;

# logd access

#line 127

#line 127
allow domain logdw_socket:sock_file write;
#line 127
allow domain logd:unix_dgram_socket sendto;
#line 127

#line 127
allow domain pmsg_device:chr_file { open append write lock map };
#line 127


# Directory/link file access for path resolution.
allow domain {
    system_file
    system_lib_file
    system_seccomp_policy_file
    system_security_cacerts_file
}:dir { open getattr read search ioctl lock };
allow domain system_file:lnk_file { getattr read };

# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
# linker and its config.
allow domain system_seccomp_policy_file:file { getattr open read ioctl lock map };
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file { getattr open read ioctl lock map };
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file { getattr open read ioctl lock map };
allow domain system_lib_file:file { execute read open getattr map };
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
allow domain system_linker_exec:lnk_file { read open getattr };
allow domain system_lib_file:lnk_file { read open getattr };

allow domain system_event_log_tags_file:file { getattr open read ioctl lock map };

allow { appdomain coredomain } system_file:file { execute read open getattr map };

# Make sure system/vendor split doesn not affect non-treble
# devices
#line 161


# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir { open getattr read search ioctl lock };

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir { open getattr read search ioctl lock };
allow {
    domain
    -coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir { open getattr read search ioctl lock };
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir { open getattr read search ioctl lock };
allow domain vendor_configs_file:file { read open getattr map };


#line 184
    # Allow all domains to be able to follow /system/vendor and/or
#line 184
    # /vendor/odm symlinks.
#line 184
    allow domain vendor_file_type:lnk_file { getattr open read };
#line 184

#line 184
    # This is required to be able to search & read /vendor/lib64
#line 184
    # in order to lookup vendor libraries. The execute permission
#line 184
    # for coredomains is granted *only* for same process HALs
#line 184
    allow domain vendor_file:dir { getattr search };
#line 184

#line 184
    # Allow reading and executing out of /vendor to all vendor domains
#line 184
    allow { domain -coredomain } vendor_file_type:dir { open getattr read search ioctl lock };
#line 184
    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
#line 184
    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
#line 198


# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
# timezone related information.
# This directory is considered to be a VNDK-stable
allow domain { system_zoneinfo_file zoneinfo_data_file }:file { getattr open read ioctl lock map };
allow domain { system_zoneinfo_file zoneinfo_data_file }:dir { open getattr read search ioctl lock };

# Lots of processes access current CPU information

#line 210
allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl lock };
#line 210
allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock map };
#line 210



#line 212
allow domain sysfs_usb:dir { open getattr read search ioctl lock };
#line 212
allow domain sysfs_usb:{ file lnk_file } { getattr open read ioctl lock map };
#line 212
;

# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file { getattr open read ioctl lock map };

# files under /data.
#line 222

allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file { getattr open read ioctl lock map };

# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file { getattr open read ioctl lock map };

# jemalloc needs to read /proc/sys/vm/overcommit_memory
allow domain proc_overcommit_memory:file { getattr open read ioctl lock map };

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file { getattr open read ioctl lock map };

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file { open append write lock map };

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
  ioctl {
#line 269
{
#line 269
# Socket ioctls for gathering information about the interface
#line 269
0x00008906 0x00008907
#line 269
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 269
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 269
# Wireless extension ioctls. Primarily get functions.
#line 269
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 269
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 269
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 269
} {
#line 269
  0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005413 0x00005414 0x0000540e
#line 269
  0x00005403 0x0000540b 0x00005410 0x0000540f
#line 269
} };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
  ioctl {
#line 272
  0x00005411 0x00005451 0x00005450 0x00005401 0x00005413 0x00005414 0x0000541b
#line 272
};

# Restrict PTYs to only allowlisted ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl {
#line 278
  0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005413 0x00005414 0x0000540e
#line 278
  0x00005403 0x0000540b 0x00005410 0x0000540f
#line 278
};

# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir { file lnk_file sock_file fifo_file } blk_file } ioctl { 0x00005451 0x00005450 };

# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { 0x00005451 0x00005450 };

# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { 0x00005401 };
allowxperm domain domain:fifo_file ioctl { 0x00005401 };

# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { 0x80081272 0x00001268 };

# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain { file_type sdcard_type }:file ioctl {
  0xf505
  0xf502
  0xf50c
  0xf50e
  0xf50d
  0xf501
};

# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } vndservice_manager_type:service_manager { add find };

# Under ASAN, processes will try to read /data, as the sanitized libraries are there.

# Under ASAN, /system/asan.options needs to be globally accessible.


# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file { getattr open read ioctl lock map };

###
### neverallow rules
###

# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to a allowlist.
neverallowxperm * *:{ dir { file lnk_file sock_file fifo_file } { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } blk_file } ioctl { 0 };

# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } ioctl { 0x00008905 };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl 0x00005412;

# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } create;

# Limit device node creation to these allowlisted domains.
neverallow {
  domain
  -kernel
  -init
  -ueventd
  -vold
} self:{ capability cap_userns } mknod;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:{ capability2 cap2_userns } mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contents will not ever
# be set.
neverallow * self:{ capability2 cap2_userns } mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
  domain
  -init
  -shell # For CTS and is restricted to getattr in shell.te
  -system_server
  -ueventd
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
  domain
  -shell # stat of /dev, getattr only
  -ueventd
} keychord_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# The dynamic linker always calls access(2) on the path. Don't generate SElinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
dontaudit domain postinstall_mnt_dir:dir audit_access;

#Ensure that nothing in userspace can access /dev/port
neverallow {
  domain
  -shell # Shell user should not have any abilities outside of getattr
  -ueventd
} port_device:chr_file *;
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# Nobody is allowed to make binder calls into init.
# Only servicemanager may transfer binder references to init
# vendor_init shouldn't use binder at all.
neverallow * init:binder ~{ transfer };
neverallow { domain -servicemanager } init:binder { transfer };
neverallow * vendor_init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# Protect most domains from executing arbitrary content from /data.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file { execute execute_no_trans };

# The test files and executables MUST not be accessible to any domain
neverallow { domain  } nativetest_data_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } { append create link unlink relabelfrom rename setattr write };
neverallow domain nativetest_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain  } nativetest_data_file:file { execute execute_no_trans };

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -init } property_data_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } property_type:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } properties_device:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } properties_serial:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
    domain


} {
    system_file_type
    vendor_file_type
    exec_type
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom append unlink link rename };

neverallow { domain -kernel  } { system_file_type vendor_file_type exec_type }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } mounton;
neverallow { domain -init } { system_file_type vendor_file_type }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create setattr relabelfrom relabelto append link rename };
neverallow { domain  } contextmount_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { write unlink };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add;
neverallow * default_android_vndservice:service_manager { add find };
neverallow * default_android_hwservice:hwservice_manager { add find };

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;


#line 527
    neverallow { domain -init } default_prop:property_service set;
#line 527
    neverallow { domain -init } mmc_prop:property_service set;
#line 527
    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
#line 527
    neverallow { domain -init } exported_secure_prop:property_service set;
#line 527
    neverallow { domain -init } exported2_default_prop:property_service set;
#line 527
    neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
#line 527
    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
#line 535


# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };


#line 541
    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
#line 541
    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
#line 544


# Do not allow reading device's serial number from system properties except form
# a few allowlisted domains.
neverallow {
  domain
  -adbd
  -dumpstate
  -fastbootd
  -hal_camera_server
  -hal_cas_server
  -hal_drm_server
  -init
  -mediadrmserver
  -recovery
  -shell
  -system_server
  -vendor_init
} serialno_prop:file { getattr open read ioctl lock map };

# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file { getattr open read ioctl lock map };

neverallow {
  domain
  -init
  -recovery
  -system_server
  -shell # Shell is further restricted in shell.te
  -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
  domain
  -init
  -recovery
  -vold
  -e2fs
  -fsck
  -fastbootd
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
neverallow {
  domain
  -fastbootd


  -recovery
  -update_engine
} system_block_device:blk_file { write append };

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
  domain
   # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
neverallow servicemanager vndbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
neverallow hwservicemanager binder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
neverallow hwservicemanager vndbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
neverallow vndservicemanager binder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
neverallow vndservicemanager hwbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };

# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
# domain apps need this because Android framework offers many of its services to apps as Binder
# services.

#line 631
  neverallow {
#line 631
    domain
#line 631
    -coredomain
#line 631
    -appdomain
#line 631
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
#line 631
  } binder_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 638


# libcutils can probe for /dev/binder permissions with access(). Ignore
# generated denials. See b/129073672 for details.
dontaudit domain binder_device:chr_file audit_access;


#line 644
  neverallow {
#line 644
    domain
#line 644
    -coredomain
#line 644
    -appdomain # restrictions for vendor apps are declared lower down
#line 644
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
#line 644
  } service_manager_type:service_manager find;
#line 651


#line 652
  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
#line 652
  # services which can change any time framework/core is updated, breakage is likely.
#line 652
  neverallow {
#line 652
    appdomain
#line 652
    -coredomain
#line 652
  } {
#line 652
    service_manager_type
#line 652
    -app_api_service
#line 652
    -ephemeral_app_api_service
#line 652
    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
#line 652
    -cameraserver_service
#line 652
    -drmserver_service
#line 652
    -keystore_service
#line 652
    -mediadrmserver_service
#line 652
    -mediaextractor_service
#line 652
    -mediametrics_service
#line 652
    -mediaserver_service
#line 652
    -nfc_service
#line 652
    -radio_service
#line 652
    -virtual_touchpad_service
#line 652
    -vr_hwc_service
#line 652
    -vr_manager_service
#line 652
  }:service_manager find;
#line 676


#line 677
  neverallow {
#line 677
    domain
#line 677
    -coredomain
#line 677
    -appdomain
#line 677
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
#line 677
  } servicemanager:binder { call transfer };
#line 684


# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.

#line 687
  neverallow {
#line 687
    coredomain
#line 687
    -shell
#line 687

#line 687
    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
#line 687
  } vndbinder_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 694


#line 695
  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
#line 697


#line 698
  neverallow {
#line 698
    coredomain
#line 698
    -shell
#line 698

#line 698
  } vndservice_manager_type:service_manager *;
#line 704


#line 705
  neverallow {
#line 705
    coredomain
#line 705
    -shell
#line 705

#line 705
  } vndservicemanager:binder *;
#line 711


# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
  # Most general rules first, more specific rules below.

  # Core domains are not permitted to initiate communications to vendor domain sockets.
  # We are not restricting the use of already established sockets because it is fine for a process
  # to obtain an already established socket via some public/official/stable API and then exchange
  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
  # and thus does not break the core-vendor separation.

#line 722

#line 722
  neverallow {
#line 722
    coredomain
#line 722
    -init
#line 722
    -adbd
#line 722
  } {
#line 722
    domain
#line 722
    -coredomain
#line 722
    -socket_between_core_and_vendor_violators
#line 722
  }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 722
  neverallow {
#line 722
    coredomain
#line 722
    -init
#line 722
    -adbd
#line 722
  } {
#line 722
    domain
#line 722
    -coredomain
#line 722
    -socket_between_core_and_vendor_violators
#line 722
  }:unix_stream_socket connectto;
#line 722
;
#line 732

  # Vendor domains are not permitted to initiate communications to core domain sockets

#line 734

#line 734
  neverallow {
#line 734
    domain
#line 734
    -coredomain
#line 734
    -appdomain
#line 734
    -socket_between_core_and_vendor_violators
#line 734
  } {
#line 734
    coredomain
#line 734
    -logd # Logging by writing to logd Unix domain socket is public API
#line 734
    -netd # netdomain needs this
#line 734
    -mdnsd # netdomain needs this
#line 734
     # communications with su are permitted only on userdebug or eng builds
#line 734
    -init
#line 734
    -tombstoned # linker to tombstoned
#line 734

#line 734
  }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 734
  neverallow {
#line 734
    domain
#line 734
    -coredomain
#line 734
    -appdomain
#line 734
    -socket_between_core_and_vendor_violators
#line 734
  } {
#line 734
    coredomain
#line 734
    -logd # Logging by writing to logd Unix domain socket is public API
#line 734
    -netd # netdomain needs this
#line 734
    -mdnsd # netdomain needs this
#line 734
     # communications with su are permitted only on userdebug or eng builds
#line 734
    -init
#line 734
    -tombstoned # linker to tombstoned
#line 734

#line 734
  }:unix_stream_socket connectto;
#line 734
;
#line 750


  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets

#line 753

#line 753
  neverallow {
#line 753
    domain
#line 753
    -coredomain
#line 753
    -netdomain
#line 753
    -socket_between_core_and_vendor_violators
#line 753
  } netd:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 753
  neverallow {
#line 753
    domain
#line 753
    -coredomain
#line 753
    -netdomain
#line 753
    -socket_between_core_and_vendor_violators
#line 753
  } netd:unix_stream_socket connectto;
#line 753
;
#line 760


  # Vendor domains are not permitted to initiate create/open sockets owned by core domains

#line 763
  neverallow {
#line 763
    domain
#line 763
    -coredomain
#line 763
    -appdomain # appdomain restrictions below
#line 763
    -data_between_core_and_vendor_violators # b/70393317
#line 763
    -socket_between_core_and_vendor_violators
#line 763
    -vendor_init
#line 763
  } {
#line 763
    coredomain_socket
#line 763
    core_data_file_type
#line 763
    unlabeled # used only by core domains
#line 763
  }:sock_file ~{ append getattr ioctl read write };
#line 776


#line 777
  neverallow {
#line 777
    appdomain
#line 777
    -coredomain
#line 777
  } {
#line 777
    coredomain_socket
#line 777
    unlabeled # used only by core domains
#line 777
    core_data_file_type
#line 777
    -app_data_file
#line 777
    -privapp_data_file
#line 777
    -pdx_endpoint_socket_type # used by VR layer
#line 777
    -pdx_channel_socket_type # used by VR layer
#line 777
  }:sock_file ~{ append getattr ioctl read write };
#line 790


  # Core domains are not permitted to create/open sockets owned by vendor domains

#line 793
  neverallow {
#line 793
    coredomain
#line 793
    -init
#line 793
    -ueventd
#line 793
    -socket_between_core_and_vendor_violators
#line 793
  } {
#line 793
    file_type
#line 793
    dev_type
#line 793
    -coredomain_socket
#line 793
    -core_data_file_type
#line 793
    -unlabeled
#line 793
  }:sock_file ~{ append getattr ioctl read write };
#line 806


# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access file in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.

#line 816
  # only coredomains may only access core_data_file_type, particularly not
#line 816
  # /data/vendor
#line 816
  neverallow {
#line 816
    coredomain
#line 816
    -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 816
    -data_between_core_and_vendor_violators
#line 816
    -init
#line 816
    -vold_prepare_subdirs
#line 816
  } {
#line 816
    data_file_type
#line 816
    -core_data_file_type
#line 816
  }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 829


#line 830
  neverallow {
#line 830
    coredomain
#line 830
    -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 830
    -data_between_core_and_vendor_violators
#line 830
    -init
#line 830
    -vold_prepare_subdirs
#line 830
    } {
#line 830
      data_file_type
#line 830
      -core_data_file_type
#line 830
      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
#line 830
      # neverallow. Currently only getattr and search are allowed.
#line 830
      -vendor_data_file
#line 830
    }:dir *;
#line 830

#line 845


#line 846
  # vendor domains may only access files in /data/vendor, never core_data_file_types
#line 846
  neverallow {
#line 846
    domain
#line 846
    -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 846
    -coredomain
#line 846
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 846
    -vendor_init
#line 846
  } {
#line 846
    core_data_file_type
#line 846
    # libc includes functions like mktime and localtime which attempt to access
#line 846
    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
#line 846
    # These functions are considered vndk-stable and thus must be allowed for
#line 846
    # all processes.
#line 846
    -zoneinfo_data_file
#line 846

#line 846
  }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 846
  neverallow {
#line 846
    vendor_init
#line 846
    -data_between_core_and_vendor_violators
#line 846
  } {
#line 846
    core_data_file_type
#line 846
    -unencrypted_data_file
#line 846
    -zoneinfo_data_file
#line 846

#line 846
  }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 846
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
#line 846
  # The vendor init binary lives on the system partition so there is not a concern with stability.
#line 846
  neverallow vendor_init unencrypted_data_file:file ~{ getattr open read ioctl lock map };
#line 875


#line 876
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
#line 876
  neverallow {
#line 876
    domain
#line 876
    -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 876
    -coredomain
#line 876
    -data_between_core_and_vendor_violators
#line 876
    -vendor_init
#line 876
  } {
#line 876
    core_data_file_type
#line 876
    -system_data_file # default label for files on /data. Covered below...
#line 876
    -vendor_data_file
#line 876
    -zoneinfo_data_file
#line 876

#line 876
  }:dir *;
#line 876
  neverallow {
#line 876
    vendor_init
#line 876
    -data_between_core_and_vendor_violators
#line 876
  } {
#line 876
    core_data_file_type
#line 876
    -unencrypted_data_file
#line 876
    -system_data_file
#line 876
    -vendor_data_file
#line 876
    -zoneinfo_data_file
#line 876

#line 876
  }:dir *;
#line 876
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
#line 876
  # The vendor init binary lives on the system partition so there is not a concern with stability.
#line 876
  neverallow vendor_init unencrypted_data_file:dir ~search;
#line 905


#line 906
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
#line 906
  neverallow {
#line 906
    domain
#line 906
    -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 906
    -coredomain
#line 906
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 906
    } {
#line 906
      system_data_file # default label for files on /data. Covered below
#line 906
    }:dir ~{ getattr search };
#line 916



#line 918
  #  coredomains may not access dirs in /data/vendor.
#line 918
  neverallow {
#line 918
    coredomain
#line 918
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 918
    -init
#line 918
    -vold # vold creates per-user storage for both system and vendor
#line 918
    -vold_prepare_subdirs
#line 918
    } {
#line 918
      vendor_data_file # default label for files on /data. Covered below
#line 918
    }:dir ~{ getattr search };
#line 929



#line 931
  #  coredomains may not access dirs in /data/vendor.
#line 931
  neverallow {
#line 931
    coredomain
#line 931
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 931
    -init
#line 931
    } {
#line 931
      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
#line 931
    }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 940



#line 942
    # Non-vendor domains are not allowed to file execute shell
#line 942
    # from vendor
#line 942
    neverallow {
#line 942
        coredomain
#line 942
        -init
#line 942
        -shell
#line 942
    } vendor_shell_exec:file { execute execute_no_trans };
#line 950



#line 952
    # Do not allow vendor components to execute files from system
#line 952
    # except for the ones allowlist here.
#line 952
    neverallow {
#line 952
        domain
#line 952
        -coredomain
#line 952
        -appdomain
#line 952
        -vendor_executes_system_violators
#line 952
        -vendor_init
#line 952
    } {
#line 952
        system_file_type
#line 952
        -system_lib_file
#line 952
        -system_linker_exec
#line 952
        -crash_dump_exec
#line 952
        -netutils_wrapper_exec
#line 952

#line 952
    }:file { entrypoint execute execute_no_trans };
#line 969



#line 971
    # Do not allow system components to execute files from vendor
#line 971
    # except for the ones allowlisted here.
#line 971
    neverallow {
#line 971
      coredomain
#line 971
      -init
#line 971
      -shell
#line 971
      -system_executes_vendor_violators
#line 971
    } {
#line 971
      vendor_file_type
#line 971
      -same_process_hal_file
#line 971
      -vndk_sp_file
#line 971
      -vendor_app_file
#line 971
      -vendor_public_lib_file
#line 971
    }:file execute;
#line 986



#line 988
    neverallow {
#line 988
      coredomain
#line 988
      -shell
#line 988
      -system_executes_vendor_violators
#line 988
    } {
#line 988
      vendor_file_type
#line 988
      -same_process_hal_file
#line 988
    }:file execute_no_trans;
#line 997



#line 999
  # Do not allow system components access to /vendor files except for the
#line 999
  # ones allowlisted here.
#line 999
  neverallow {
#line 999
    coredomain
#line 999
    # TODO(b/37168747): clean up fwk access to /vendor
#line 999
    -crash_dump
#line 999
    -init # starts vendor executables
#line 999
    -kernel # loads /vendor/firmware
#line 999

#line 999

#line 999
    -shell
#line 999
    -system_executes_vendor_violators
#line 999
    -ueventd # reads /vendor/ueventd.rc
#line 999
  } {
#line 999
    vendor_file_type
#line 999
    -same_process_hal_file
#line 999
    -vendor_app_file
#line 999
    -vendor_configs_file
#line 999
    -vendor_framework_file
#line 999
    -vendor_idc_file
#line 999
    -vendor_keychars_file
#line 999
    -vendor_keylayout_file
#line 999
    -vendor_overlay_file
#line 999
    -vendor_public_lib_file
#line 999
    -vendor_task_profiles_file
#line 999
    -vndk_sp_file
#line 999
  }:file *;
#line 1027



#line 1029
  # Do not allow vendor components access to /system files except for the
#line 1029
  # ones allowlisted here.
#line 1029
  neverallow {
#line 1029
    domain
#line 1029
    -appdomain
#line 1029
    -coredomain
#line 1029
    -vendor_executes_system_violators
#line 1029
    # vendor_init needs access to init_exec for domain transition. vendor_init
#line 1029
    # neverallows are covered in public/vendor_init.te
#line 1029
    -vendor_init
#line 1029
  } {
#line 1029
    system_file_type
#line 1029
    -crash_dump_exec
#line 1029
    -file_contexts_file
#line 1029
    -netutils_wrapper_exec
#line 1029
    -property_contexts_file
#line 1029
    -system_event_log_tags_file
#line 1029
    -system_lib_file
#line 1029

#line 1029
    -system_linker_exec
#line 1029
    -system_linker_config_file
#line 1029
    -system_seccomp_policy_file
#line 1029
    -system_security_cacerts_file
#line 1029
    -system_zoneinfo_file
#line 1029
    -task_profiles_file
#line 1029

#line 1029
  }:file *;
#line 1057


# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;

neverallow {
  domain
  -tombstoned
  -crash_dump
  -dumpstate
  -incidentd
  -system_server

  # Processes that can't exec crash_dump
  -hal_codec2_server
  -hal_omx_server
  -mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;

# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow * *:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;

# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
neverallow { domain  } su_exec:file { execute execute_no_trans };

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
neverallow * {
  file_type
  -apk_data_file
  -app_data_file
  -asec_public_file
}:file execmod;

# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;

neverallow { domain -init } proc:{ file dir } mounton;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
  domain
  -system_server
  -system_app
  -init
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink

} system_data_file:file { append create link unlink relabelfrom rename setattr write };
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ { getattr open read ioctl lock map } relabelfrom unlink };

# respect system_app sandboxes
neverallow {
  domain
  -appdomain # finer-grained rules for appdomain are listed below
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink open };
neverallow {
  isolated_app
  untrusted_app_all # finer-grained rules for appdomain are listed below
  ephemeral_app
  priv_app
} system_app_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink open };

#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };

# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
# attribute.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
  appdomain -shell
}:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
  domain
  -appdomain
  -installd
} { app_data_file privapp_data_file }:lnk_file read;

neverallow {
  domain
  -shell

  -installd
} shell_data_file:lnk_file read;

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
  domain
  -adbd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };

neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?

} shell_data_file:dir { open search };

# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -installd

} shell_data_file:file open;

# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
    servicemanager
    vndservicemanager
    }:service_manager list;

# hwservicemanager is the only process which handles hw list requests
neverallow * ~{
    hwservicemanager
    }:hwservice_manager list;

# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;

# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };

# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };

# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };

# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
  domain
  -installd
  -profman
} profman_exec:file { execute execute_no_trans };

# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file vendor_file rootfs }:system module_load;

# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
neverallow * self:{ capability cap_userns } setfcap;

# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;

# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;

# Do not permit the registeration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;

# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.

#line 1324
  neverallow {
#line 1324
    coredomain
#line 1324
    -appdomain
#line 1324
    -bootanim
#line 1324
    -crash_dump
#line 1324
    -init
#line 1324
    -kernel
#line 1324
    -perfprofd
#line 1324
    -heapprofd
#line 1324
    -ueventd
#line 1324
  } vendor_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } open };
#line 1336


# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.

# These filesystems don't allow files or directories to be created, so the permission
# to do so should never be granted.
neverallow domain {
  proc_type
  sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };

# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;

dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;

# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
#line 1363


# Platform must not have access to /mnt/vendor.
neverallow {
  coredomain
  -init
  -ueventd
  -vold
  -system_writes_mnt_vendor_violators
} mnt_vendor_file:dir *;

# Only apps are allowed access to vendor public libraries.

#line 1375
  neverallow {
#line 1375
    coredomain
#line 1375
    -appdomain
#line 1375
  } vendor_public_lib_file:file { execute execute_no_trans };
#line 1380


# Vendor domian must not have access to /mnt/product.
neverallow {
  domain
  -coredomain
} mnt_product_file:dir *;

# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd

#line 1389
  neverallow {
#line 1389
    coredomain
#line 1389
    -healthd
#line 1389
    -shell
#line 1389
    # Generate uevents for health info
#line 1389
    -ueventd
#line 1389
    # Recovery uses health HAL passthrough implementation.
#line 1389
    -recovery
#line 1389
    # Charger uses health HAL passthrough implementation.
#line 1389
    -charger
#line 1389
    # TODO(b/110891300): remove this exception
#line 1389
    -incidentd
#line 1389
  } sysfs_batteryinfo:file { open read };
#line 1403


neverallow {
  domain
  -hal_codec2_server
  -hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/drmserver.te"
# drmserver - DRM service
type drmserver, domain;
type drmserver_exec, system_file_type, exec_type, file_type;

typeattribute drmserver mlstrustedsubject;


#line 7
typeattribute drmserver netdomain;
#line 7


# Perform Binder IPC to system server.

#line 10
# Call the servicemanager and transfer references to it.
#line 10
allow drmserver servicemanager:binder { call transfer };
#line 10
# servicemanager performs getpidcon on clients.
#line 10
allow servicemanager drmserver:dir search;
#line 10
allow servicemanager drmserver:file { read open };
#line 10
allow servicemanager drmserver:process getattr;
#line 10
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10


#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow drmserver system_server:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow system_server drmserver:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow drmserver system_server:fd use;
#line 11


#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow drmserver appdomain:binder { call transfer };
#line 12
# Allow the serverdomain to transfer references to the client on the reply.
#line 12
allow appdomain drmserver:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow drmserver appdomain:fd use;
#line 12


#line 13
typeattribute drmserver binderservicedomain;
#line 13

# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;

# Perform Binder IPC to mediaserver

#line 18
# Call the server domain and optionally transfer references to it.
#line 18
allow drmserver mediaserver:binder { call transfer };
#line 18
# Allow the serverdomain to transfer references to the client on the reply.
#line 18
allow mediaserver drmserver:binder transfer;
#line 18
# Receive and use open files from the server.
#line 18
allow drmserver mediaserver:fd use;
#line 18


allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow drmserver drm_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
allow drmserver sdcard_type:file { read write getattr map };

#line 25
allow drmserver efs_file:dir { open getattr read search ioctl lock };
#line 25
allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 25


type drmserver_socket, file_type;

# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket.  Not.
allow drmserver apk_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow drmserver drmserver_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;

# After taking a video, drmserver looks at the video file.

#line 37
allow drmserver media_rw_data_file:dir { open getattr read search ioctl lock };
#line 37
allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 37


# Read resources from open apk files passed over Binder.
allow drmserver apk_data_file:file { read getattr map };
allow drmserver asec_apk_file:file { read getattr map };
allow drmserver ringtone_file:file { read getattr map };

# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr map };

# /oem access
allow drmserver oemfs:dir search;
allow drmserver oemfs:file { getattr open read ioctl lock map };


#line 51
  allow drmserver drmserver_service:service_manager { add find };
#line 51
  neverallow { domain -drmserver } drmserver_service:service_manager add;
#line 51

allow drmserver permission_service:service_manager find;


#line 54

#line 54
allow drmserver selinuxfs:dir { open getattr read search ioctl lock };
#line 54
allow drmserver selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 54

#line 54
allow drmserver selinuxfs:file { open append write lock map };
#line 54
allow drmserver kernel:security compute_av;
#line 54
allow drmserver self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 54



#line 56
allow drmserver cgroup:dir { open getattr read search ioctl lock };
#line 56
allow drmserver cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 56


#line 57
allow drmserver system_file:dir { open getattr read search ioctl lock };
#line 57
allow drmserver system_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 57

#line 1 "system/sepolicy/prebuilts/api/29.0/public/dumpstate.te"
# dumpstate
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute dumpstate netdomain;
#line 5


#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow dumpstate servicemanager:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager dumpstate:dir search;
#line 6
allow servicemanager dumpstate:file { read open };
#line 6
allow servicemanager dumpstate:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6


#line 7
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 7
# deprecated.
#line 7
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 7
allow dumpstate sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 7
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 7
allow dumpstate self:{ capability2 cap2_userns } block_suspend;
#line 7
# system_suspend permissions
#line 7

#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow dumpstate system_suspend_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_suspend_server dumpstate:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow dumpstate system_suspend_server:fd use;
#line 7

#line 7
allow dumpstate system_suspend_hwservice:hwservice_manager find;
#line 7
# halclientdomain permissions
#line 7

#line 7
# Call the hwservicemanager and transfer references to it.
#line 7
allow dumpstate hwservicemanager:binder { call transfer };
#line 7
# Allow hwservicemanager to send out callbacks
#line 7
allow hwservicemanager dumpstate:binder { call transfer };
#line 7
# hwservicemanager performs getpidcon on clients.
#line 7
allow hwservicemanager dumpstate:dir search;
#line 7
allow hwservicemanager dumpstate:file { read open map };
#line 7
allow hwservicemanager dumpstate:process getattr;
#line 7
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7

#line 7

#line 7
allow dumpstate hwservicemanager_prop:file { getattr open read map };
#line 7

#line 7
allow dumpstate hidl_manager_hwservice:hwservice_manager find;
#line 7


# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:{ capability cap_userns } { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes

#line 14
allow dumpstate domain:dir { open getattr read search ioctl lock };
#line 14
allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock map };
#line 14


allow dumpstate self:{ capability cap_userns } {
    # Send signals to processes
    kill
    # Run iptables
    net_raw
    net_admin
};

# Allow executing files on system, such as:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;

allow dumpstate toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir { open getattr read search ioctl lock };

# Create and write into /data/anr/
allow dumpstate self:{ capability cap_userns } { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow dumpstate anr_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file { getattr open read ioctl lock map };

# Allow dumpstate to append into privileged apps private files.
allow dumpstate privapp_data_file:file append;

# Read dmesg
allow dumpstate self:{ capability2 cap2_userns } syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir { open getattr read search ioctl lock };
allow dumpstate pstorefs:file { getattr open read ioctl lock map };

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote }:process signal;

# Signal native processes to dump their stack.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_face_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vr_server
}:process signal;

# Connect to tombstoned to intercept dumps.

#line 96
allow dumpstate tombstoned_intercept_socket:sock_file write;
#line 96
allow dumpstate tombstoned:unix_stream_socket connectto;
#line 96


# Access to /sys
allow dumpstate sysfs_type:dir { open getattr read search ioctl lock };

allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file { getattr open read ioctl lock map };

# Other random bits of data we want to collect
allow dumpstate debugfs:file { getattr open read ioctl lock map };
auditallow dumpstate debugfs:file { getattr open read ioctl lock map };

allow dumpstate debugfs_mmc:file { getattr open read ioctl lock map };

# df for
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset

#line 130
allow dumpstate cgroup:dir { open getattr read search ioctl lock };
#line 130
allow dumpstate cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 130


# Allow dumpstate to make binder calls to any binder service

#line 133
# Call the server domain and optionally transfer references to it.
#line 133
allow dumpstate binderservicedomain:binder { call transfer };
#line 133
# Allow the serverdomain to transfer references to the client on the reply.
#line 133
allow binderservicedomain dumpstate:binder transfer;
#line 133
# Receive and use open files from the server.
#line 133
allow dumpstate binderservicedomain:fd use;
#line 133


#line 134
# Call the server domain and optionally transfer references to it.
#line 134
allow dumpstate { appdomain netd wificond }:binder { call transfer };
#line 134
# Allow the serverdomain to transfer references to the client on the reply.
#line 134
allow { appdomain netd wificond } dumpstate:binder transfer;
#line 134
# Receive and use open files from the server.
#line 134
allow dumpstate { appdomain netd wificond }:fd use;
#line 134



#line 136
typeattribute dumpstate halclientdomain;
#line 136
typeattribute dumpstate hal_dumpstate_client;
#line 136

#line 136
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 136
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 136
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 136

#line 136


#line 137
typeattribute dumpstate halclientdomain;
#line 137
typeattribute dumpstate hal_wifi_client;
#line 137

#line 137
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 137
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 137
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 137

#line 137


#line 138
typeattribute dumpstate halclientdomain;
#line 138
typeattribute dumpstate hal_graphics_allocator_client;
#line 138

#line 138
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 138
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 138
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 138

#line 138

# Vibrate the device after we are done collecting the bugreport

#line 140
typeattribute dumpstate halclientdomain;
#line 140
typeattribute dumpstate hal_vibrator_client;
#line 140

#line 140
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 140
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 140
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 140

#line 140


# Reading /proc/PID/maps of other processes
allow dumpstate self:{ capability cap_userns } sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow dumpstate shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Run a shell.
allow dumpstate shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir { open getattr read search ioctl lock };
allow dumpstate bluetooth_logs_data_file:file { getattr open read ioctl lock map };

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# logd access

#line 166
allow dumpstate logcat_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
#line 166

#line 166
allow dumpstate logdr_socket:sock_file write;
#line 166
allow dumpstate logd:unix_stream_socket connectto;
#line 166

#line 166


#line 167
# Group AID_LOG checked by filesystem & logd
#line 167
# to permit control commands
#line 167

#line 167
allow dumpstate logd_socket:sock_file write;
#line 167
allow dumpstate logd:unix_stream_socket connectto;
#line 167

#line 167


#line 168
allow dumpstate runtime_event_log_tags_file:file { getattr open read ioctl lock map };
#line 168


# Read files in /proc
allow dumpstate {
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net_type
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_slabinfo
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file { getattr open read ioctl lock map };

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file { getattr open read ioctl lock map };

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir { open getattr read search ioctl lock };
allow dumpstate tombstone_data_file:file { getattr open read ioctl lock map };

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir { open getattr read search ioctl lock };
allow dumpstate cache_recovery_file:file { getattr open read ioctl lock map };

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir { open getattr read search ioctl lock };
allow dumpstate recovery_data_file:file { getattr open read ioctl lock map };

#Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir { open getattr read search ioctl lock };
allow dumpstate update_engine_log_data_file:file { getattr open read ioctl lock map };

# Access /data/misc/profiles/{cur,ref}/
#line 214


# Access /data/misc/logd
#line 220


allow dumpstate app_fuse_file:dir { open getattr read search ioctl lock };
allow dumpstate overlayfs_file:dir { open getattr read search ioctl lock };

allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -iorapd_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  iorapd_service
  virtual_touchpad_service
  vold_service
  vr_hwc_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

allow dumpstate devpts:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Set properties.
# dumpstate_prop is used to share state with the Shell app.

#line 256

#line 256
allow dumpstate property_socket:sock_file write;
#line 256
allow dumpstate init:unix_stream_socket connectto;
#line 256

#line 256
allow dumpstate dumpstate_prop:property_service set;
#line 256

#line 256
allow dumpstate dumpstate_prop:file { getattr open read map };
#line 256

#line 256


#line 257

#line 257
allow dumpstate property_socket:sock_file write;
#line 257
allow dumpstate init:unix_stream_socket connectto;
#line 257

#line 257
allow dumpstate exported_dumpstate_prop:property_service set;
#line 257

#line 257
allow dumpstate exported_dumpstate_prop:file { getattr open read map };
#line 257

#line 257

# dumpstate_options_prop is used to pass extra command-line args.

#line 259

#line 259
allow dumpstate property_socket:sock_file write;
#line 259
allow dumpstate init:unix_stream_socket connectto;
#line 259

#line 259
allow dumpstate dumpstate_options_prop:property_service set;
#line 259

#line 259
allow dumpstate dumpstate_options_prop:file { getattr open read map };
#line 259

#line 259


# Read any system properties

#line 262
allow dumpstate property_type:file { getattr open read map };
#line 262


# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file { getattr open read ioctl lock map };
allow dumpstate proc_zoneinfo:file { getattr open read ioctl lock map };

# Create a service for talking back to system_server

#line 272
  allow dumpstate dumpstate_service:service_manager { add find };
#line 272
  neverallow { domain -dumpstate } dumpstate_service:service_manager add;
#line 272


# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file { getattr open read ioctl lock map };

# Allow dumpstate to run top
allow dumpstate proc_stat:file { getattr open read ioctl lock map };

# Allow dumpstate to talk to installd over binder

#line 281
# Call the server domain and optionally transfer references to it.
#line 281
allow dumpstate installd:binder { call transfer };
#line 281
# Allow the serverdomain to transfer references to the client on the reply.
#line 281
allow installd dumpstate:binder transfer;
#line 281
# Receive and use open files from the server.
#line 281
allow dumpstate installd:fd use;
#line 281
;

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } getattr;

# For when dumpstate runs df
dontaudit dumpstate mnt_vendor_file:dir search;
dontaudit dumpstate apex_mnt_dir:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder

#line 299
# Call the server domain and optionally transfer references to it.
#line 299
allow dumpstate bufferhubd:binder { call transfer };
#line 299
# Allow the serverdomain to transfer references to the client on the reply.
#line 299
allow bufferhubd dumpstate:binder transfer;
#line 299
# Receive and use open files from the server.
#line 299
allow dumpstate bufferhubd:fd use;
#line 299
;

# Allow dumpstate to talk to mediaswcodec over binder

#line 302
# Call the server domain and optionally transfer references to it.
#line 302
allow dumpstate mediaswcodec:binder { call transfer };
#line 302
# Allow the serverdomain to transfer references to the client on the reply.
#line 302
allow mediaswcodec dumpstate:binder transfer;
#line 302
# Receive and use open files from the server.
#line 302
allow dumpstate mediaswcodec:fd use;
#line 302
;

# Allow dumpstate to kill vendor dumpstate service by init

#line 305

#line 305
allow dumpstate property_socket:sock_file write;
#line 305
allow dumpstate init:unix_stream_socket connectto;
#line 305

#line 305
allow dumpstate ctl_dumpstate_prop:property_service set;
#line 305

#line 305
allow dumpstate ctl_dumpstate_prop:file { getattr open read map };
#line 305

#line 305


###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/e2fs.te"
type e2fs, domain, coredomain;
type e2fs_exec, system_file_type, exec_type, file_type;

allow e2fs devpts:chr_file { read write getattr ioctl };

allow e2fs dev_type:blk_file getattr;
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allow e2fs metadata_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allow e2fs dm_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
  0x0000127d 0x00001277 0x0000127b 0x0000127c 0x0000125e
};

allow e2fs {
  proc_filesystems
  proc_mounts
  proc_swaps
}:file { getattr open read ioctl lock map };

# access /sys/fs/ext4/features
allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file { getattr open read ioctl lock map };

# access SELinux context files
allow e2fs file_contexts_file:file { getattr open read ioctl lock map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/ephemeral_app.te"
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.

type ephemeral_app, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/fastbootd.te"
# fastbootd (used in recovery init.rc for /sbin/fastbootd)

# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type fastbootd, domain;

# But the allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
#line 107


###
### neverallow rules
###

# Write permission is required to wipe userdata
# until recovery supports vold.
neverallow fastbootd {
   data_file_type
}:file { { execute execute_no_trans } };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/file.te"
# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type, proc_net_type;
type proc_net_tcp_udp, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, system_file_type, file_type;
# Default type for /system/asan.options
type system_asan_options_file, system_file_type, file_type;
# Type for /system/etc/event-log-tags (liblog implementation detail)
type system_event_log_tags_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# system libraries that are available only to bootstrap processes
type system_bootstrap_lib_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
# Default type for linker config /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
type system_security_cacerts_file, system_file_type, file_type;
# Default type for /system/bin/tcpdump.
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;

# Default type for directories search for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs and their lib/bin dependencies.
# e.g. libEGL_xxx.so, [email protected]
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;

# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
type vendor_keychars_file, vendor_file_type, file_type;
type vendor_idc_file, vendor_file_type, file_type;

# /metadata partition itself
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;

# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, system_file_type, exec_type, file_type;
# Speedup access to cgroup map file
type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data/vendor{_ce,_de}.
type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
type tombstone_wifi_data_file, file_type, data_file_type;
# /data/apex - APEX data files
type apex_data_file, file_type, data_file_type, core_data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/dropbox
type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;

# Mount location for read-write product partitions.
type mnt_product_file, file_type;

# Mount point used for APEX images
type apex_mnt_dir, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;
# /postinstall/apex: Mount point used for APEX images within /postinstall.
type postinstall_apex_mnt_dir, file_type;

# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type iorapd_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;

# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - priv-app sandboxes
type privapp_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/overlay /mnt/scratch/overlay
type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for _new_ fingerprint template file
type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for face template file
type face_vendor_data_file, file_type, data_file_type;
# Type for iris template file
type iris_vendor_data_file, file_type, data_file_type;

# Socket types
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;


#line 442
typeattribute pdx_display_dir pdx_display_client_endpoint_dir_type;
#line 442
type pdx_display_client_endpoint_socket, pdx_display_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 442
type pdx_display_client_channel_socket, pdx_display_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 442

#line 442


#line 443
typeattribute pdx_display_dir pdx_display_manager_endpoint_dir_type;
#line 443
type pdx_display_manager_endpoint_socket, pdx_display_manager_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 443
type pdx_display_manager_channel_socket, pdx_display_manager_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 443

#line 443


#line 444
typeattribute pdx_display_dir pdx_display_screenshot_endpoint_dir_type;
#line 444
type pdx_display_screenshot_endpoint_socket, pdx_display_screenshot_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 444
type pdx_display_screenshot_channel_socket, pdx_display_screenshot_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 444

#line 444


#line 445
typeattribute pdx_display_dir pdx_display_vsync_endpoint_dir_type;
#line 445
type pdx_display_vsync_endpoint_socket, pdx_display_vsync_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 445
type pdx_display_vsync_channel_socket, pdx_display_vsync_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 445

#line 445


#line 446
typeattribute pdx_performance_dir pdx_performance_client_endpoint_dir_type;
#line 446
type pdx_performance_client_endpoint_socket, pdx_performance_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 446
type pdx_performance_client_channel_socket, pdx_performance_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 446

#line 446


#line 447
typeattribute pdx_bufferhub_dir pdx_bufferhub_client_endpoint_dir_type;
#line 447
type pdx_bufferhub_client_endpoint_socket, pdx_bufferhub_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 447
type pdx_bufferhub_client_channel_socket, pdx_bufferhub_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 447

#line 447


# file_contexts files
type file_contexts_file, system_file_type, file_type;

# mac_permissions file
type mac_perms_file, system_file_type, file_type;

# property_contexts file
type property_contexts_file, system_file_type, file_type;

# seapp_contexts file
type seapp_contexts_file, system_file_type, file_type;

# sepolicy files binary and others
type sepolicy_file, system_file_type, file_type;

# service_contexts file
type service_contexts_file, system_file_type, file_type;

# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, file_type;

# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;

# vndservice_contexts file
type vndservice_contexts_file, file_type;

# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;

# asanwrapper (run a sanitized app_process, to be used with wrap properties)


# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;

# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
#
# For example, the following is a bug:
#   type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
#   type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/fingerprintd.te"
type fingerprintd, domain;
type fingerprintd_exec, system_file_type, exec_type, file_type;


#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow fingerprintd servicemanager:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager fingerprintd:dir search;
#line 4
allow servicemanager fingerprintd:file { read open };
#line 4
allow servicemanager fingerprintd:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4


# Scan through /system/lib64/hw looking for installed HALs
allow fingerprintd system_file:dir { open getattr read search ioctl lock };

# need to find KeyStore and add self

#line 10
  allow fingerprintd fingerprintd_service:service_manager { add find };
#line 10
  neverallow { domain -fingerprintd } fingerprintd_service:service_manager add;
#line 10


# allow HAL module to read dir contents
allow fingerprintd fingerprintd_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } } };

# allow HAL module to read/write/unlink contents of this dir
allow fingerprintd fingerprintd_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };

# Need to add auth tokens to KeyStore

#line 19
  allow keystore fingerprintd:dir search;
#line 19
  allow keystore fingerprintd:file { read open };
#line 19
  allow keystore fingerprintd:process getattr;
#line 19
  allow fingerprintd keystore_service:service_manager find;
#line 19

#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow fingerprintd keystore:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow keystore fingerprintd:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow fingerprintd keystore:fd use;
#line 19

#line 19

#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow keystore fingerprintd:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow fingerprintd keystore:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow keystore fingerprintd:fd use;
#line 19

#line 19

allow fingerprintd keystore:keystore_key { add_auth };

# For permissions checking

#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow fingerprintd system_server:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow system_server fingerprintd:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow fingerprintd system_server:fd use;
#line 23
;
allow fingerprintd permission_service:service_manager find;

allow fingerprintd ion_device:chr_file { getattr open read ioctl lock map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/flags_health_check.te"
# The flags_health_check command run by init.
type flags_health_check, domain, coredomain;
type flags_health_check_exec, system_file_type, exec_type, file_type;


#line 5

#line 5
allow flags_health_check property_socket:sock_file write;
#line 5
allow flags_health_check init:unix_stream_socket connectto;
#line 5

#line 5
allow flags_health_check device_config_boot_count_prop:property_service set;
#line 5

#line 5
allow flags_health_check device_config_boot_count_prop:file { getattr open read map };
#line 5

#line 5


#line 6

#line 6
allow flags_health_check property_socket:sock_file write;
#line 6
allow flags_health_check init:unix_stream_socket connectto;
#line 6

#line 6
allow flags_health_check device_config_reset_performed_prop:property_service set;
#line 6

#line 6
allow flags_health_check device_config_reset_performed_prop:file { getattr open read map };
#line 6

#line 6


#line 7

#line 7
allow flags_health_check property_socket:sock_file write;
#line 7
allow flags_health_check init:unix_stream_socket connectto;
#line 7

#line 7
allow flags_health_check device_config_runtime_native_boot_prop:property_service set;
#line 7

#line 7
allow flags_health_check device_config_runtime_native_boot_prop:file { getattr open read map };
#line 7

#line 7


#line 8

#line 8
allow flags_health_check property_socket:sock_file write;
#line 8
allow flags_health_check init:unix_stream_socket connectto;
#line 8

#line 8
allow flags_health_check device_config_runtime_native_prop:property_service set;
#line 8

#line 8
allow flags_health_check device_config_runtime_native_prop:file { getattr open read map };
#line 8

#line 8


#line 9

#line 9
allow flags_health_check property_socket:sock_file write;
#line 9
allow flags_health_check init:unix_stream_socket connectto;
#line 9

#line 9
allow flags_health_check device_config_input_native_boot_prop:property_service set;
#line 9

#line 9
allow flags_health_check device_config_input_native_boot_prop:file { getattr open read map };
#line 9

#line 9


#line 10

#line 10
allow flags_health_check property_socket:sock_file write;
#line 10
allow flags_health_check init:unix_stream_socket connectto;
#line 10

#line 10
allow flags_health_check device_config_netd_native_prop:property_service set;
#line 10

#line 10
allow flags_health_check device_config_netd_native_prop:file { getattr open read map };
#line 10

#line 10


#line 11

#line 11
allow flags_health_check property_socket:sock_file write;
#line 11
allow flags_health_check init:unix_stream_socket connectto;
#line 11

#line 11
allow flags_health_check device_config_activity_manager_native_boot_prop:property_service set;
#line 11

#line 11
allow flags_health_check device_config_activity_manager_native_boot_prop:file { getattr open read map };
#line 11

#line 11


#line 12

#line 12
allow flags_health_check property_socket:sock_file write;
#line 12
allow flags_health_check init:unix_stream_socket connectto;
#line 12

#line 12
allow flags_health_check device_config_media_native_prop:property_service set;
#line 12

#line 12
allow flags_health_check device_config_media_native_prop:file { getattr open read map };
#line 12

#line 12


allow flags_health_check server_configurable_flags_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow flags_health_check server_configurable_flags_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
# wrong timing, trigger server configurable flag related disaster recovery, which will override
# server configured values of all flags with default values.
neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;

# system property device_config_reset_performed_prop is used for indicating whether server
# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;

# server_configurable_flags_data_file is used for storing whether server configurable flags which
# have been reset during current booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/fsck.te"
# Any fsck program run by init
type fsck, domain;
type fsck_exec, system_file_type, exec_type, file_type;

# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow fsck tmpfs:chr_file { read write ioctl };

# Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl getattr };

# Allow stdin/out back to vold
allow fsck vold:fd use;
allow fsck vold:fifo_file { read write getattr };

# Run fsck on certain block devices
allow fsck block_device:dir search;
allow fsck userdata_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allow fsck cache_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allow fsck dm_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 23


# For the block devices where we have ioctl access,
# allow at a minimum the following common fsck ioctls.
allowxperm fsck dev_type:blk_file ioctl {
  0x0000127c
  0x0000125e
};

# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
# block devices. With that information, it runs stat() on each block
# device, comparing the major and minor numbers to the filesystem
# passed in on the command line. If there is a match, then the filesystem
# is currently mounted and running fsck is dangerous.
# Allow stat access to all block devices so that fsck can compare
# major/minor values.
allow fsck dev_type:blk_file getattr;

allow fsck {
  proc_mounts
  proc_swaps
}:file { getattr open read ioctl lock map };
allow fsck rootfs:dir { open getattr read search ioctl lock };

###
### neverallow rules
###

# fsck should never be run on these block devices
neverallow fsck {
  boot_block_device
  frp_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device

  vold_device
}:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };

# Only allow entry from init or vold via fsck binaries
neverallow { domain -init -vold } fsck:process transition;
neverallow * fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/fsck_untrusted.te"
# Any fsck program run on untrusted block devices
type fsck_untrusted, domain;

# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };

# Allow stdin/out back to vold
allow fsck_untrusted vold:fd use;
allow fsck_untrusted vold:fifo_file { read write getattr };

# Run fsck on vold block devices
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

allow fsck_untrusted proc_mounts:file { getattr open read ioctl lock map };

# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
# block devices. With that information, it runs stat() on each block
# device, comparing the major and minor numbers to the filesystem
# passed in on the command line. If there is a match, then the filesystem
# is currently mounted and running fsck is dangerous.
# Allow stat access to all block devices so that fsck can compare
# major/minor values.
allow fsck_untrusted dev_type:blk_file getattr;

###
### neverallow rules
###

# Untrusted fsck should never be run on block devices holding sensitive data
neverallow fsck_untrusted {
  boot_block_device
  frp_block_device
  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device
  userdata_block_device
  cache_block_device
  dm_device
}:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };

# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/fwk_bufferhub.te"

#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_bufferhub_client hal_bufferhub_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_bufferhub_server hal_bufferhub_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_bufferhub_client hal_bufferhub_server:fd use;
#line 1


#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_bufferhub_server hal_bufferhub_client:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_bufferhub_client hal_bufferhub_server:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_bufferhub_server hal_bufferhub_client:fd use;
#line 2



#line 4
  allow hal_bufferhub_client fwk_bufferhub_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_bufferhub_server fwk_bufferhub_hwservice:hwservice_manager { add find };
#line 4
  allow hal_bufferhub_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_bufferhub_server } fwk_bufferhub_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_bufferhub_client -hal_bufferhub_server } fwk_bufferhub_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/gatekeeperd.te"
type gatekeeperd, domain;
type gatekeeperd_exec, system_file_type, exec_type, file_type;

# gatekeeperd

#line 5
typeattribute gatekeeperd binderservicedomain;
#line 5


#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow gatekeeperd servicemanager:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager gatekeeperd:dir search;
#line 6
allow servicemanager gatekeeperd:file { read open };
#line 6
allow servicemanager gatekeeperd:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6


### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
### These rules should eventually be granted only when needed.
allow gatekeeperd ion_device:chr_file { getattr open read ioctl lock map };
# Load HAL implementation
allow gatekeeperd system_file:dir { open getattr read search ioctl lock };
###

### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.

#line 17
typeattribute gatekeeperd halclientdomain;
#line 17
typeattribute gatekeeperd hal_gatekeeper_client;
#line 17

#line 17
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 17
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 17
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 17

#line 17

###

# need to find KeyStore and add self

#line 21
  allow gatekeeperd gatekeeper_service:service_manager { add find };
#line 21
  neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
#line 21


# Need to add auth tokens to KeyStore

#line 24
  allow keystore gatekeeperd:dir search;
#line 24
  allow keystore gatekeeperd:file { read open };
#line 24
  allow keystore gatekeeperd:process getattr;
#line 24
  allow gatekeeperd keystore_service:service_manager find;
#line 24

#line 24
# Call the server domain and optionally transfer references to it.
#line 24
allow gatekeeperd keystore:binder { call transfer };
#line 24
# Allow the serverdomain to transfer references to the client on the reply.
#line 24
allow keystore gatekeeperd:binder transfer;
#line 24
# Receive and use open files from the server.
#line 24
allow gatekeeperd keystore:fd use;
#line 24

#line 24

#line 24
# Call the server domain and optionally transfer references to it.
#line 24
allow keystore gatekeeperd:binder { call transfer };
#line 24
# Allow the serverdomain to transfer references to the client on the reply.
#line 24
allow gatekeeperd keystore:binder transfer;
#line 24
# Receive and use open files from the server.
#line 24
allow keystore gatekeeperd:fd use;
#line 24

#line 24

allow gatekeeperd keystore:keystore_key { add_auth };

# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;

# for SID file access
allow gatekeeperd gatekeeper_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow gatekeeperd gatekeeper_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;

# For checking whether GSI is running

#line 39
allow gatekeeperd gsid_prop:file { getattr open read map };
#line 39



#line 41
allow gatekeeperd cgroup:dir { open getattr read search ioctl lock };
#line 41
allow gatekeeperd cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 41

#line 1 "system/sepolicy/prebuilts/api/29.0/public/gpuservice.te"
# gpuservice - server for gpu stats and other gpu related services
type gpuservice, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_allocator.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_allocator_client hal_allocator_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_allocator_server hal_allocator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_allocator_client hal_allocator_server:fd use;
#line 2



#line 4
  allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_allocator_server hidl_allocator_hwservice:hwservice_manager { add find };
#line 4
  allow hal_allocator_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_allocator_server } hidl_allocator_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_allocator_client -hal_allocator_server } hidl_allocator_hwservice:hwservice_manager find;
#line 4

#line 4

allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_atrace.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_atrace_client hal_atrace_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_atrace_server hal_atrace_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_atrace_client hal_atrace_server:fd use;
#line 2



#line 4
  allow hal_atrace_client hal_atrace_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_atrace_server hal_atrace_hwservice:hwservice_manager { add find };
#line 4
  allow hal_atrace_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_atrace_server } hal_atrace_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_atrace_client -hal_atrace_server } hal_atrace_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_audio.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_audio_client hal_audio_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_audio_server hal_audio_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_audio_client hal_audio_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_audio_server hal_audio_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_audio_client hal_audio_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_audio_server hal_audio_client:fd use;
#line 3



#line 5
  allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_audio_server hal_audio_hwservice:hwservice_manager { add find };
#line 5
  allow hal_audio_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_audio_server } hal_audio_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_audio_client -hal_audio_server } hal_audio_hwservice:hwservice_manager find;
#line 5

#line 5


allow hal_audio ion_device:chr_file { getattr open read ioctl lock map };


#line 9
allow hal_audio proc:dir { open getattr read search ioctl lock };
#line 9
allow hal_audio proc:{ file lnk_file } { getattr open read ioctl lock map };
#line 9


#line 10
allow hal_audio proc_asound:dir { open getattr read search ioctl lock };
#line 10
allow hal_audio proc_asound:{ file lnk_file } { getattr open read ioctl lock map };
#line 10

allow hal_audio_server audio_device:dir { open getattr read search ioctl lock };
allow hal_audio_server audio_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Needed to provide debug dump output via dumpsys' pipes.
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
allow hal_audio dumpstate:fd use;
allow hal_audio dumpstate:fifo_file write;

# allow hal audio to use vnbinder

#line 21
# Talk to the vndbinder device node
#line 21
allow hal_audio vndbinder_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 21
# Call the vndservicemanager and transfer references to it.
#line 21
allow hal_audio vndservicemanager:binder { call transfer };
#line 21
# vndservicemanager performs getpidcon on clients.
#line 21
allow vndservicemanager hal_audio:dir search;
#line 21
allow vndservicemanager hal_audio:file { read open map };
#line 21
allow vndservicemanager hal_audio:process getattr;
#line 21


###
### neverallow rules
###

# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;

# Should never need network access.
# Disallow network sockets.
neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;

# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;


#line 37
allow hal_audio bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 37


#line 38
allow hal_audio bluetooth_audio_hal_prop:file { getattr open read map };
#line 38

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_audiocontrol.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_audiocontrol_client hal_audiocontrol_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_audiocontrol_server hal_audiocontrol_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_audiocontrol_client hal_audiocontrol_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_audiocontrol_server hal_audiocontrol_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_audiocontrol_client hal_audiocontrol_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_audiocontrol_server hal_audiocontrol_client:fd use;
#line 3



#line 5
  allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_audiocontrol_server hal_audiocontrol_hwservice:hwservice_manager { add find };
#line 5
  allow hal_audiocontrol_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_audiocontrol_server } hal_audiocontrol_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_audiocontrol_client -hal_audiocontrol_server } hal_audiocontrol_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_authsecret.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_authsecret_client hal_authsecret_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_authsecret_server hal_authsecret_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_authsecret_client hal_authsecret_server:fd use;
#line 2



#line 4
  allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_authsecret_server hal_authsecret_hwservice:hwservice_manager { add find };
#line 4
  allow hal_authsecret_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_authsecret_server } hal_authsecret_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_authsecret_client -hal_authsecret_server } hal_authsecret_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_bluetooth.te"
# HwBinder IPC from clients into server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_bluetooth_client hal_bluetooth_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_bluetooth_server hal_bluetooth_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_bluetooth_client hal_bluetooth_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_bluetooth_server hal_bluetooth_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_bluetooth_client hal_bluetooth_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_bluetooth_server hal_bluetooth_client:fd use;
#line 3



#line 5
  allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_bluetooth_server hal_bluetooth_hwservice:hwservice_manager { add find };
#line 5
  allow hal_bluetooth_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_bluetooth_server } hal_bluetooth_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_bluetooth_client -hal_bluetooth_server } hal_bluetooth_hwservice:hwservice_manager find;
#line 5

#line 5



#line 7
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 7
# deprecated.
#line 7
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 7
allow hal_bluetooth sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 7
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 7
allow hal_bluetooth self:{ capability2 cap2_userns } block_suspend;
#line 7
# system_suspend permissions
#line 7

#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_bluetooth system_suspend_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_suspend_server hal_bluetooth:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_bluetooth system_suspend_server:fd use;
#line 7

#line 7
allow hal_bluetooth system_suspend_hwservice:hwservice_manager find;
#line 7
# halclientdomain permissions
#line 7

#line 7
# Call the hwservicemanager and transfer references to it.
#line 7
allow hal_bluetooth hwservicemanager:binder { call transfer };
#line 7
# Allow hwservicemanager to send out callbacks
#line 7
allow hwservicemanager hal_bluetooth:binder { call transfer };
#line 7
# hwservicemanager performs getpidcon on clients.
#line 7
allow hwservicemanager hal_bluetooth:dir search;
#line 7
allow hwservicemanager hal_bluetooth:file { read open map };
#line 7
allow hwservicemanager hal_bluetooth:process getattr;
#line 7
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7

#line 7

#line 7
allow hal_bluetooth hwservicemanager_prop:file { getattr open read map };
#line 7

#line 7
allow hal_bluetooth hidl_manager_hwservice:hwservice_manager find;
#line 7
;

# The HAL toggles rfkill to power the chip off/on.
allow hal_bluetooth self:{ capability cap_userns } net_admin;

# bluetooth factory file accesses.

#line 13
allow hal_bluetooth bluetooth_efs_file:dir { open getattr read search ioctl lock };
#line 13
allow hal_bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 13


allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# sysfs access.

#line 18
allow hal_bluetooth sysfs_type:dir { open getattr read search ioctl lock };
#line 18
allow hal_bluetooth sysfs_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 18

allow hal_bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_bluetooth self:{ capability2 cap2_userns } wake_alarm;

# Allow write access to bluetooth-specific properties

#line 23

#line 23
allow hal_bluetooth property_socket:sock_file write;
#line 23
allow hal_bluetooth init:unix_stream_socket connectto;
#line 23

#line 23
allow hal_bluetooth bluetooth_a2dp_offload_prop:property_service set;
#line 23

#line 23
allow hal_bluetooth bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 23

#line 23


#line 24

#line 24
allow hal_bluetooth property_socket:sock_file write;
#line 24
allow hal_bluetooth init:unix_stream_socket connectto;
#line 24

#line 24
allow hal_bluetooth bluetooth_audio_hal_prop:property_service set;
#line 24

#line 24
allow hal_bluetooth bluetooth_audio_hal_prop:file { getattr open read map };
#line 24

#line 24


#line 25

#line 25
allow hal_bluetooth property_socket:sock_file write;
#line 25
allow hal_bluetooth init:unix_stream_socket connectto;
#line 25

#line 25
allow hal_bluetooth bluetooth_prop:property_service set;
#line 25

#line 25
allow hal_bluetooth bluetooth_prop:file { getattr open read map };
#line 25

#line 25


#line 26

#line 26
allow hal_bluetooth property_socket:sock_file write;
#line 26
allow hal_bluetooth init:unix_stream_socket connectto;
#line 26

#line 26
allow hal_bluetooth exported_bluetooth_prop:property_service set;
#line 26

#line 26
allow hal_bluetooth exported_bluetooth_prop:file { getattr open read map };
#line 26

#line 26


# /proc access (bluesleep etc.).
allow hal_bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock map } { open append write lock map } };

# allow to run with real-time scheduling policy
allow hal_bluetooth self:{ capability cap_userns } sys_nice;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_bootctl.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_bootctl_client hal_bootctl_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_bootctl_server hal_bootctl_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_bootctl_client hal_bootctl_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_bootctl_server hal_bootctl_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_bootctl_client hal_bootctl_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_bootctl_server hal_bootctl_client:fd use;
#line 3



#line 5
  allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_bootctl_server hal_bootctl_hwservice:hwservice_manager { add find };
#line 5
  allow hal_bootctl_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_bootctl_server } hal_bootctl_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_bootctl_client -hal_bootctl_server } hal_bootctl_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_broadcastradio.te"

#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_broadcastradio_client hal_broadcastradio_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_broadcastradio_server hal_broadcastradio_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_broadcastradio_client hal_broadcastradio_server:fd use;
#line 1


#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_broadcastradio_server hal_broadcastradio_client:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_broadcastradio_client hal_broadcastradio_server:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_broadcastradio_server hal_broadcastradio_client:fd use;
#line 2



#line 4
  allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_broadcastradio_server hal_broadcastradio_hwservice:hwservice_manager { add find };
#line 4
  allow hal_broadcastradio_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_broadcastradio_server } hal_broadcastradio_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_broadcastradio_client -hal_broadcastradio_server } hal_broadcastradio_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_camera.te"
# HwBinder IPC from clients to server and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_camera_client hal_camera_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_camera_server hal_camera_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_camera_client hal_camera_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_camera_server hal_camera_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_camera_client hal_camera_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_camera_server hal_camera_client:fd use;
#line 3



#line 5
  allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_camera_server hal_camera_hwservice:hwservice_manager { add find };
#line 5
  allow hal_camera_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_camera_server } hal_camera_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_camera_client -hal_camera_server } hal_camera_hwservice:hwservice_manager find;
#line 5

#line 5


allow hal_camera device:dir { open getattr read search ioctl lock };
allow hal_camera video_device:dir { open getattr read search ioctl lock };
allow hal_camera video_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_camera camera_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_camera ion_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;

# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
allow hal_camera { appdomain -isolated_app }:fd use;
allow hal_camera surfaceflinger:fd use;
allow hal_camera hal_allocator_server:fd use;

# Needed to provide debug dump output via dumpsys' pipes.
allow hal_camera shell:fd use;
allow hal_camera shell:fifo_file write;

###
### neverallow rules
###

# hal_camera should never execute any executable without a
# domain transition
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;

# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;

# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_cas.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_cas_client hal_cas_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_cas_server hal_cas_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_cas_client hal_cas_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_cas_server hal_cas_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_cas_client hal_cas_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_cas_server hal_cas_client:fd use;
#line 3



#line 5
  allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_cas_server hal_cas_hwservice:hwservice_manager { add find };
#line 5
  allow hal_cas_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_cas_server } hal_cas_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_cas_client -hal_cas_server } hal_cas_hwservice:hwservice_manager find;
#line 5

#line 5

allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;

# Permit reading device's serial number from system properties

#line 9
allow hal_cas_server serialno_prop:file { getattr open read map };
#line 9


# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };

# Read access to pseudo filesystems

#line 15
allow hal_cas cgroup:dir { open getattr read search ioctl lock };
#line 15
allow hal_cas cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 15

allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file { open append write lock map };

# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_cas hal_graphics_allocator:fd use;

allow hal_cas tee_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

###
### neverallow rules
###

# hal_cas should never execute any executable without a
# domain transition
neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 34
{
#line 34
# qualcomm rmnet ioctls
#line 34
0x00006900 0x00006902
#line 34
# socket ioctls
#line 34
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 34
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 34
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 34
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 34
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 34
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 34
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 34
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 34
0x00008991 0x00008992 0x00008993 0x00008994
#line 34
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 34
# device and protocol specific ioctls
#line 34
0x000089f0-0x000089ff
#line 34
0x000089e0-0x000089ef
#line 34
# Wireless extension ioctls
#line 34
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 34
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 34
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 34
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 34
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 34
0x00008b34 0x00008b35 0x00008b36
#line 34
# Dev private ioctl i.e. hardware specific ioctls
#line 34
0x00008be0-0x00008bff
#line 34
};
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_codec2.te"

#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_codec2_client hal_codec2_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_codec2_server hal_codec2_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_codec2_client hal_codec2_server:fd use;
#line 1


#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_codec2_server hal_codec2_client:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_codec2_client hal_codec2_server:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_codec2_server hal_codec2_client:fd use;
#line 2



#line 4
  allow hal_codec2_client hal_codec2_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_codec2_server hal_codec2_hwservice:hwservice_manager { add find };
#line 4
  allow hal_codec2_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_codec2_server } hal_codec2_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_codec2_client -hal_codec2_server } hal_codec2_hwservice:hwservice_manager find;
#line 4

#line 4


# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.

# Allow server access to composer sync fences
allow hal_codec2_server hal_graphics_composer:fd use;

# Allow both server and client access to ion
allow hal_codec2_server ion_device:chr_file { getattr open read ioctl lock map };

# Allow server access to camera HAL's fences
allow hal_codec2_server hal_camera:fd use;

# Receive gralloc buffer FDs from bufferhubd.
allow hal_codec2_server bufferhubd:fd use;

allow hal_codec2_client ion_device:chr_file { getattr open read ioctl lock map };

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_configstore.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_configstore_client hal_configstore_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_configstore_server hal_configstore_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_configstore_client hal_configstore_server:fd use;
#line 2



#line 4
  allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
#line 4

#line 4
  allow hal_configstore_server hal_configstore_ISurfaceFlingerConfigs:hwservice_manager { add find };
#line 4
  allow hal_configstore_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_configstore_server } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_configstore_client -hal_configstore_server } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
#line 4

#line 4


# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.

#line 8

#line 8
allow hal_configstore_server anr_data_file:file append;
#line 8
allow hal_configstore_server dumpstate:fd use;
#line 8
allow hal_configstore_server incidentd:fd use;
#line 8
# TODO: Figure out why write is needed.
#line 8
allow hal_configstore_server dumpstate:fifo_file { append write };
#line 8
allow hal_configstore_server incidentd:fifo_file { append write };
#line 8
allow hal_configstore_server system_server:fifo_file { append write };
#line 8
allow hal_configstore_server tombstoned:unix_stream_socket connectto;
#line 8
allow hal_configstore_server tombstoned:fd use;
#line 8
allow hal_configstore_server tombstoned_crash_socket:sock_file write;
#line 8
allow hal_configstore_server tombstone_data_file:file append;
#line 8


###
### neverallow rules
###

# Should never execute an executable without a domain transition
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;

# Should never need network access. Disallow sockets except for
# for unix stream/dgram sockets used for logging/debugging.
neverallow hal_configstore_server domain:{
  rawip_socket tcp_socket udp_socket
  netlink_route_socket netlink_selinux_socket
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;
neverallow hal_configstore_server {
  domain
  -hal_configstore_server
  -logd

  -tombstoned

}:{ unix_dgram_socket unix_stream_socket } *;

# Should never need access to anything on /data
neverallow hal_configstore_server {
  data_file_type
  -anr_data_file # for crash dump collection
  -tombstone_data_file # for crash dump collection
  -zoneinfo_data_file # granted to domain

}:{ file fifo_file sock_file } *;

# Should never need sdcard access
neverallow hal_configstore_server {
    sdcard_type
    fuse sdcardfs vfat exfat        # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
    sdcard_type
    fuse sdcardfs vfat exfat        # manual expansion for completeness
}:file *;

# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;

# No privileged capabilities
neverallow hal_configstore_server self:{ capability capability2 cap_userns cap2_userns } *;

# No ptracing other processes
neverallow hal_configstore_server *:process ptrace;

# no relabeling
neverallow hal_configstore_server *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { relabelfrom relabelto };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_confirmationui.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_confirmationui_client hal_confirmationui_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_confirmationui_server hal_confirmationui_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_confirmationui_client hal_confirmationui_server:fd use;
#line 2



#line 4
  allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_confirmationui_server hal_confirmationui_hwservice:hwservice_manager { add find };
#line 4
  allow hal_confirmationui_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_confirmationui_server } hal_confirmationui_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_confirmationui_client -hal_confirmationui_server } hal_confirmationui_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_contexthub.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_contexthub_client hal_contexthub_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_contexthub_server hal_contexthub_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_contexthub_client hal_contexthub_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_contexthub_server hal_contexthub_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_contexthub_client hal_contexthub_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_contexthub_server hal_contexthub_client:fd use;
#line 3



#line 5
  allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_contexthub_server hal_contexthub_hwservice:hwservice_manager { add find };
#line 5
  allow hal_contexthub_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_contexthub_server } hal_contexthub_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_contexthub_client -hal_contexthub_server } hal_contexthub_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_drm.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_drm_client hal_drm_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_drm_server hal_drm_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_drm_client hal_drm_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_drm_server hal_drm_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_drm_client hal_drm_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_drm_server hal_drm_client:fd use;
#line 3



#line 5
  allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_drm_server hal_drm_hwservice:hwservice_manager { add find };
#line 5
  allow hal_drm_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_drm_server } hal_drm_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_drm_client -hal_drm_server } hal_drm_hwservice:hwservice_manager find;
#line 5

#line 5


allow hal_drm hidl_memory_hwservice:hwservice_manager find;

# Required by Widevine DRM (b/22990512)
allow hal_drm self:process execmem;

# Permit reading device's serial number from system properties

#line 13
allow hal_drm serialno_prop:file { getattr open read map };
#line 13


# Read files already opened under /data
allow hal_drm system_data_file:file { getattr read };

# Read access to pseudo filesystems

#line 19
allow hal_drm cgroup:dir { open getattr read search ioctl lock };
#line 19
allow hal_drm cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 19

allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file { open append write lock map };

# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_drm hal_graphics_allocator:fd use;

# Allow access to fds allocated by mediaserver
allow hal_drm mediaserver:fd use;

allow hal_drm sysfs:file { getattr open read ioctl lock map };

allow hal_drm tee_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# only allow unprivileged socket ioctl commands
allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
  ioctl {
#line 36
{
#line 36
# Socket ioctls for gathering information about the interface
#line 36
0x00008906 0x00008907
#line 36
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 36
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 36
# Wireless extension ioctls. Primarily get functions.
#line 36
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 36
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 36
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 36
} {
#line 36
  0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005413 0x00005414 0x0000540e
#line 36
  0x00005403 0x0000540b 0x00005410 0x0000540f
#line 36
} };

###
### neverallow rules
###

# hal_drm should never execute any executable without a
# domain transition
neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 47
{
#line 47
# qualcomm rmnet ioctls
#line 47
0x00006900 0x00006902
#line 47
# socket ioctls
#line 47
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 47
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 47
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 47
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 47
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 47
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 47
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 47
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 47
0x00008991 0x00008992 0x00008993 0x00008994
#line 47
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 47
# device and protocol specific ioctls
#line 47
0x000089f0-0x000089ff
#line 47
0x000089e0-0x000089ef
#line 47
# Wireless extension ioctls
#line 47
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 47
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 47
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 47
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 47
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 47
0x00008b34 0x00008b35 0x00008b36
#line 47
# Dev private ioctl i.e. hardware specific ioctls
#line 47
0x00008be0-0x00008bff
#line 47
};
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_dumpstate.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_dumpstate_client hal_dumpstate_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_dumpstate_server hal_dumpstate_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_dumpstate_client hal_dumpstate_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_dumpstate_server hal_dumpstate_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_dumpstate_client hal_dumpstate_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_dumpstate_server hal_dumpstate_client:fd use;
#line 3



#line 5
  allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_dumpstate_server hal_dumpstate_hwservice:hwservice_manager { add find };
#line 5
  allow hal_dumpstate_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_dumpstate_server } hal_dumpstate_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_dumpstate_client -hal_dumpstate_server } hal_dumpstate_hwservice:hwservice_manager find;
#line 5

#line 5


# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
allow hal_dumpstate proc_interrupts:file { getattr open read ioctl lock map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_evs.te"

#line 1
# Call the hwservicemanager and transfer references to it.
#line 1
allow hal_evs_client hwservicemanager:binder { call transfer };
#line 1
# Allow hwservicemanager to send out callbacks
#line 1
allow hwservicemanager hal_evs_client:binder { call transfer };
#line 1
# hwservicemanager performs getpidcon on clients.
#line 1
allow hwservicemanager hal_evs_client:dir search;
#line 1
allow hwservicemanager hal_evs_client:file { read open map };
#line 1
allow hwservicemanager hal_evs_client:process getattr;
#line 1
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 1
# all domains in domain.te.
#line 1


#line 2
# Call the hwservicemanager and transfer references to it.
#line 2
allow hal_evs_server hwservicemanager:binder { call transfer };
#line 2
# Allow hwservicemanager to send out callbacks
#line 2
allow hwservicemanager hal_evs_server:binder { call transfer };
#line 2
# hwservicemanager performs getpidcon on clients.
#line 2
allow hwservicemanager hal_evs_server:dir search;
#line 2
allow hwservicemanager hal_evs_server:file { read open map };
#line 2
allow hwservicemanager hal_evs_server:process getattr;
#line 2
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 2
# all domains in domain.te.
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_evs_client hal_evs_server:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_evs_server hal_evs_client:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_evs_client hal_evs_server:fd use;
#line 3


#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_evs_server hal_evs_client:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow hal_evs_client hal_evs_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_evs_server hal_evs_client:fd use;
#line 4

allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_face.te"
# Allow HwBinder IPC from client to server, and vice versa for callbacks.

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_face_client hal_face_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_face_server hal_face_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_face_client hal_face_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_face_server hal_face_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_face_client hal_face_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_face_server hal_face_client:fd use;
#line 3



#line 5
  allow hal_face_client hal_face_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_face_server hal_face_hwservice:hwservice_manager { add find };
#line 5
  allow hal_face_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_face_server } hal_face_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_face_client -hal_face_server } hal_face_hwservice:hwservice_manager find;
#line 5

#line 5


# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file { getattr open read ioctl lock map };

# Allow read/write access to the face template directory.
allow hal_face face_vendor_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow hal_face face_vendor_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_fingerprint.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_fingerprint_client hal_fingerprint_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_fingerprint_server hal_fingerprint_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_fingerprint_client hal_fingerprint_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_fingerprint_server hal_fingerprint_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_fingerprint_client hal_fingerprint_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_fingerprint_server hal_fingerprint_client:fd use;
#line 3



#line 5
  allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_fingerprint_server hal_fingerprint_hwservice:hwservice_manager { add find };
#line 5
  allow hal_fingerprint_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_fingerprint_server } hal_fingerprint_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_fingerprint_client -hal_fingerprint_server } hal_fingerprint_hwservice:hwservice_manager find;
#line 5

#line 5


# For memory allocation
allow hal_fingerprint ion_device:chr_file { getattr open read ioctl lock map };

allow hal_fingerprint fingerprint_vendor_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } } };
allow hal_fingerprint fingerprint_vendor_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };


#line 13
allow hal_fingerprint cgroup:dir { open getattr read search ioctl lock };
#line 13
allow hal_fingerprint cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 13


#line 14
allow hal_fingerprint sysfs:dir { open getattr read search ioctl lock };
#line 14
allow hal_fingerprint sysfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 14



#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_gatekeeper.te"

#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_gatekeeper_client hal_gatekeeper_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_gatekeeper_server hal_gatekeeper_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_gatekeeper_client hal_gatekeeper_server:fd use;
#line 1



#line 3
  allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
#line 3

#line 3
  allow hal_gatekeeper_server hal_gatekeeper_hwservice:hwservice_manager { add find };
#line 3
  allow hal_gatekeeper_server hidl_base_hwservice:hwservice_manager add;
#line 3
  neverallow { domain -hal_gatekeeper_server } hal_gatekeeper_hwservice:hwservice_manager add;
#line 3

#line 3

#line 3

#line 3
    neverallow { domain -hal_gatekeeper_client -hal_gatekeeper_server } hal_gatekeeper_hwservice:hwservice_manager find;
#line 3

#line 3


# TEE access.
allow hal_gatekeeper tee_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_gatekeeper ion_device:chr_file { getattr open read ioctl lock map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_gnss.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_gnss_client hal_gnss_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_gnss_server hal_gnss_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_gnss_client hal_gnss_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_gnss_server hal_gnss_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_gnss_client hal_gnss_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_gnss_server hal_gnss_client:fd use;
#line 3



#line 5
  allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_gnss_server hal_gnss_hwservice:hwservice_manager { add find };
#line 5
  allow hal_gnss_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_gnss_server } hal_gnss_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_gnss_client -hal_gnss_server } hal_gnss_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_graphics_allocator.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_graphics_allocator_client hal_graphics_allocator_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_graphics_allocator_server hal_graphics_allocator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_graphics_allocator_client hal_graphics_allocator_server:fd use;
#line 2



#line 4
  allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_graphics_allocator_server hal_graphics_allocator_hwservice:hwservice_manager { add find };
#line 4
  allow hal_graphics_allocator_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_graphics_allocator_server } hal_graphics_allocator_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_graphics_allocator_client -hal_graphics_allocator_server } hal_graphics_allocator_hwservice:hwservice_manager find;
#line 4

#line 4

allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };

# GPU device access
allow hal_graphics_allocator gpu_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_graphics_allocator ion_device:chr_file { getattr open read ioctl lock map };

# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:{ capability cap_userns } sys_nice;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_graphics_composer.te"
type hal_graphics_composer_server_tmpfs, file_type;
attribute hal_graphics_composer_client_tmpfs;
expandattribute hal_graphics_composer_client_tmpfs true;

# HwBinder IPC from client to server, and callbacks

#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_graphics_composer_client hal_graphics_composer_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow hal_graphics_composer_server hal_graphics_composer_client:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_graphics_composer_client hal_graphics_composer_server:fd use;
#line 6


#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_graphics_composer_server hal_graphics_composer_client:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow hal_graphics_composer_client hal_graphics_composer_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_graphics_composer_server hal_graphics_composer_client:fd use;
#line 7

allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };


#line 11
  allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
#line 11

#line 11
  allow hal_graphics_composer_server hal_graphics_composer_hwservice:hwservice_manager { add find };
#line 11
  allow hal_graphics_composer_server hidl_base_hwservice:hwservice_manager add;
#line 11
  neverallow { domain -hal_graphics_composer_server } hal_graphics_composer_hwservice:hwservice_manager add;
#line 11

#line 11

#line 11

#line 11
    neverallow { domain -hal_graphics_composer_client -hal_graphics_composer_server } hal_graphics_composer_hwservice:hwservice_manager find;
#line 11

#line 11


# Coordinate with hal_graphics_mapper
allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;

# GPU device access
allow hal_graphics_composer gpu_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_graphics_composer ion_device:chr_file { getattr open read ioctl lock map };
allow hal_graphics_composer hal_graphics_allocator:fd use;

# Access /dev/graphics/fb0.
allow hal_graphics_composer graphics_device:dir search;
allow hal_graphics_composer graphics_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Fences
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;

# allow self to set SCHED_FIFO
allow hal_graphics_composer self:{ capability cap_userns } sys_nice;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_health.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_health_client hal_health_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_health_server hal_health_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_health_client hal_health_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_health_server hal_health_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_health_client hal_health_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_health_server hal_health_client:fd use;
#line 3



#line 5
  allow hal_health_client hal_health_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_health_server hal_health_hwservice:hwservice_manager { add find };
#line 5
  allow hal_health_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_health_server } hal_health_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_health_client -hal_health_server } hal_health_hwservice:hwservice_manager find;
#line 5

#line 5


# Common rules for a health service.

# Allow to listen to uevents for updates
allow hal_health_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };

# Allow to read /sys/class/power_supply directory
allow hal_health_server sysfs:dir { open getattr read search ioctl lock };

# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
# HAL service.

#line 18
allow hal_health_server sysfs_batteryinfo:dir { open getattr read search ioctl lock };
#line 18
allow hal_health_server sysfs_batteryinfo:{ file lnk_file } { getattr open read ioctl lock map };
#line 18


# Allow to wake up to send periodic events

#line 21
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 21
# deprecated.
#line 21
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 21
allow hal_health_server sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 21
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 21
allow hal_health_server self:{ capability2 cap2_userns } block_suspend;
#line 21
# system_suspend permissions
#line 21

#line 21
# Call the server domain and optionally transfer references to it.
#line 21
allow hal_health_server system_suspend_server:binder { call transfer };
#line 21
# Allow the serverdomain to transfer references to the client on the reply.
#line 21
allow system_suspend_server hal_health_server:binder transfer;
#line 21
# Receive and use open files from the server.
#line 21
allow hal_health_server system_suspend_server:fd use;
#line 21

#line 21
allow hal_health_server system_suspend_hwservice:hwservice_manager find;
#line 21
# halclientdomain permissions
#line 21

#line 21
# Call the hwservicemanager and transfer references to it.
#line 21
allow hal_health_server hwservicemanager:binder { call transfer };
#line 21
# Allow hwservicemanager to send out callbacks
#line 21
allow hwservicemanager hal_health_server:binder { call transfer };
#line 21
# hwservicemanager performs getpidcon on clients.
#line 21
allow hwservicemanager hal_health_server:dir search;
#line 21
allow hwservicemanager hal_health_server:file { read open map };
#line 21
allow hwservicemanager hal_health_server:process getattr;
#line 21
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 21
# all domains in domain.te.
#line 21

#line 21

#line 21
allow hal_health_server hwservicemanager_prop:file { getattr open read map };
#line 21

#line 21
allow hal_health_server hidl_manager_hwservice:hwservice_manager find;
#line 21


# Write to /dev/kmsg
allow hal_health_server kmsg_device:chr_file { getattr { open append write lock map } };

# Allow to use timerfd to wake itself up periodically to send health info.
allow hal_health_server self:capability2 wake_alarm;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_health_storage.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_health_storage_client hal_health_storage_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_health_storage_server hal_health_storage_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_health_storage_client hal_health_storage_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_health_storage_server hal_health_storage_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_health_storage_client hal_health_storage_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_health_storage_server hal_health_storage_client:fd use;
#line 3



#line 5
  allow hal_health_storage_client hal_health_storage_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_health_storage_server hal_health_storage_hwservice:hwservice_manager { add find };
#line 5
  allow hal_health_storage_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_health_storage_server } hal_health_storage_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_health_storage_client -hal_health_storage_server } hal_health_storage_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_input_classifier.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_input_classifier_client hal_input_classifier_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_input_classifier_server hal_input_classifier_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_input_classifier_client hal_input_classifier_server:fd use;
#line 2



#line 4
  allow hal_input_classifier_client hal_input_classifier_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_input_classifier_server hal_input_classifier_hwservice:hwservice_manager { add find };
#line 4
  allow hal_input_classifier_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_input_classifier_server } hal_input_classifier_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_input_classifier_client -hal_input_classifier_server } hal_input_classifier_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_ir.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_ir_client hal_ir_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_ir_server hal_ir_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_ir_client hal_ir_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_ir_server hal_ir_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_ir_client hal_ir_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_ir_server hal_ir_client:fd use;
#line 3



#line 5
  allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_ir_server hal_ir_hwservice:hwservice_manager { add find };
#line 5
  allow hal_ir_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_ir_server } hal_ir_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_ir_client -hal_ir_server } hal_ir_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_keymaster.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_keymaster_client hal_keymaster_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_keymaster_server hal_keymaster_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_keymaster_client hal_keymaster_server:fd use;
#line 2



#line 4
  allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_keymaster_server hal_keymaster_hwservice:hwservice_manager { add find };
#line 4
  allow hal_keymaster_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_keymaster_server } hal_keymaster_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_keymaster_client -hal_keymaster_server } hal_keymaster_hwservice:hwservice_manager find;
#line 4

#line 4


allow hal_keymaster tee_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_keymaster ion_device:chr_file { getattr open read ioctl lock map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_light.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_light_client hal_light_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_light_server hal_light_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_light_client hal_light_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_light_server hal_light_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_light_client hal_light_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_light_server hal_light_client:fd use;
#line 3



#line 5
  allow hal_light_client hal_light_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_light_server hal_light_hwservice:hwservice_manager { add find };
#line 5
  allow hal_light_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_light_server } hal_light_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_light_client -hal_light_server } hal_light_hwservice:hwservice_manager find;
#line 5

#line 5


allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_light sysfs_leds:dir { open getattr read search ioctl lock };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_lowpan.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_lowpan_client hal_lowpan_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_lowpan_server hal_lowpan_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_lowpan_client hal_lowpan_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_lowpan_server hal_lowpan_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_lowpan_client hal_lowpan_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_lowpan_server hal_lowpan_client:fd use;
#line 3



# Allow hal_lowpan_client to be able to find the hal_lowpan_server

#line 7
  allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
#line 7

#line 7
  allow hal_lowpan_server hal_lowpan_hwservice:hwservice_manager { add find };
#line 7
  allow hal_lowpan_server hidl_base_hwservice:hwservice_manager add;
#line 7
  neverallow { domain -hal_lowpan_server } hal_lowpan_hwservice:hwservice_manager add;
#line 7

#line 7

#line 7

#line 7
    neverallow { domain -hal_lowpan_client -hal_lowpan_server } hal_lowpan_hwservice:hwservice_manager find;
#line 7

#line 7


# hal_lowpan domain can write/read to/from lowpan_prop

#line 10

#line 10
allow hal_lowpan_server property_socket:sock_file write;
#line 10
allow hal_lowpan_server init:unix_stream_socket connectto;
#line 10

#line 10
allow hal_lowpan_server lowpan_prop:property_service set;
#line 10

#line 10
allow hal_lowpan_server lowpan_prop:file { getattr open read map };
#line 10

#line 10


# Allow hal_lowpan_server to open lowpan_devices
allow hal_lowpan_server lowpan_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

###
### neverallow rules
###

# Only LoWPAN HAL may directly access LoWPAN hardware
neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_memtrack.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_memtrack_client hal_memtrack_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_memtrack_server hal_memtrack_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_memtrack_client hal_memtrack_server:fd use;
#line 2



#line 4
  allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_memtrack_server hal_memtrack_hwservice:hwservice_manager { add find };
#line 4
  allow hal_memtrack_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_memtrack_server } hal_memtrack_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_memtrack_client -hal_memtrack_server } hal_memtrack_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_neuralnetworks.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_neuralnetworks_client hal_neuralnetworks_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_neuralnetworks_server hal_neuralnetworks_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_neuralnetworks_client hal_neuralnetworks_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_neuralnetworks_server hal_neuralnetworks_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_neuralnetworks_client hal_neuralnetworks_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_neuralnetworks_server hal_neuralnetworks_client:fd use;
#line 3



#line 5
  allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_neuralnetworks_server hal_neuralnetworks_hwservice:hwservice_manager { add find };
#line 5
  allow hal_neuralnetworks_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_neuralnetworks_server } hal_neuralnetworks_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_neuralnetworks_client -hal_neuralnetworks_server } hal_neuralnetworks_hwservice:hwservice_manager find;
#line 5

#line 5

allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_allocator:fd use;

# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };

# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };

# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).

#line 19
allow hal_neuralnetworks_client nnapi_ext_deny_product_prop:file { getattr open read map };
#line 19
;
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_neverallows.te"
# only HALs responsible for network hardware should have privileged
# network capabilities
neverallow {
  halserverdomain
  -hal_bluetooth_server
  -hal_wifi_server
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
  -hal_telephony_server
} self:{ capability cap_userns } { net_admin net_raw };

# Unless a HAL's job is to communicate over the network, or control network
# hardware, it should not be using network sockets.
# NOTE: HALs for automotive devices have an exemption from this rule because in
# a car it is common to have external modules and HALs need to communicate to
# those modules using network.  Using this exemption for non-automotive builds
# will result in CTS failure.
neverallow {
  halserverdomain
  -hal_automotive_socket_exemption
  -hal_tetheroffload_server
  -hal_wifi_server
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
  -hal_telephony_server
} domain:{ tcp_socket udp_socket rawip_socket } *;

###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
# the domain comprised of the union of all the HALs.
#
# This is a problem because
# 1) Security sensitive components should only be accessed by specific HALs.
# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
#    the platform.
# 3) The platform cannot reason about defense in depth if there are
#    monolithic domains etc.
#
# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
# its OK for them to share a process its not OK with them to share processes
# with other hals.
#
# The following neverallow rules, in conjuntion with CTS tests, assert that
# these security principles are adhered to.
#
# Do not allow a hal to exec another process without a domain transition.
# TODO remove exemptions.
neverallow {
  halserverdomain
  -hal_dumpstate_server
  -hal_telephony_server
} { file_type fs_type }:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not
# allow transitioning into a HAL domain by use of seclabel in an
# init.*.rc script.
neverallow * halserverdomain:process dyntransition;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_nfc.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_nfc_client hal_nfc_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_nfc_server hal_nfc_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_nfc_client hal_nfc_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_nfc_server hal_nfc_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_nfc_client hal_nfc_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_nfc_server hal_nfc_client:fd use;
#line 3



#line 5
  allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_nfc_server hal_nfc_hwservice:hwservice_manager { add find };
#line 5
  allow hal_nfc_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_nfc_server } hal_nfc_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_nfc_client -hal_nfc_server } hal_nfc_hwservice:hwservice_manager find;
#line 5

#line 5


# Set NFC properties (used by bcm2079x HAL).

#line 8

#line 8
allow hal_nfc property_socket:sock_file write;
#line 8
allow hal_nfc init:unix_stream_socket connectto;
#line 8

#line 8
allow hal_nfc nfc_prop:property_service set;
#line 8

#line 8
allow hal_nfc nfc_prop:file { getattr open read map };
#line 8

#line 8


# NFC device access.
allow hal_nfc nfc_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_oemlock.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_oemlock_client hal_oemlock_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_oemlock_server hal_oemlock_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_oemlock_client hal_oemlock_server:fd use;
#line 2



#line 4
  allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_oemlock_server hal_oemlock_hwservice:hwservice_manager { add find };
#line 4
  allow hal_oemlock_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_oemlock_server } hal_oemlock_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_oemlock_client -hal_oemlock_server } hal_oemlock_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_omx.te"
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.


#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_omx_server binderservicedomain:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow binderservicedomain hal_omx_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_omx_server binderservicedomain:fd use;
#line 4


#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_omx_server { appdomain -isolated_app }:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow { appdomain -isolated_app } hal_omx_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_omx_server { appdomain -isolated_app }:fd use;
#line 5


# Allow hal_omx_server access to composer sync fences
allow hal_omx_server hal_graphics_composer:fd use;

allow hal_omx_server ion_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_omx_server hal_camera:fd use;


#line 13

#line 13
allow hal_omx_server anr_data_file:file append;
#line 13
allow hal_omx_server dumpstate:fd use;
#line 13
allow hal_omx_server incidentd:fd use;
#line 13
# TODO: Figure out why write is needed.
#line 13
allow hal_omx_server dumpstate:fifo_file { append write };
#line 13
allow hal_omx_server incidentd:fifo_file { append write };
#line 13
allow hal_omx_server system_server:fifo_file { append write };
#line 13
allow hal_omx_server tombstoned:unix_stream_socket connectto;
#line 13
allow hal_omx_server tombstoned:fd use;
#line 13
allow hal_omx_server tombstoned_crash_socket:sock_file write;
#line 13
allow hal_omx_server tombstone_data_file:file append;
#line 13


# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
# via PDX. Thus, there is no need to use pdx_client macro.
allow hal_omx_server bufferhubd:fd use;


#line 21
  allow hal_omx_client hal_omx_hwservice:hwservice_manager find;
#line 21

#line 21
  allow hal_omx_server hal_omx_hwservice:hwservice_manager { add find };
#line 21
  allow hal_omx_server hidl_base_hwservice:hwservice_manager add;
#line 21
  neverallow { domain -hal_omx_server } hal_omx_hwservice:hwservice_manager add;
#line 21

#line 21

#line 21

#line 21
    neverallow { domain -hal_omx_client -hal_omx_server } hal_omx_hwservice:hwservice_manager find;
#line 21

#line 21


allow hal_omx_client hidl_token_hwservice:hwservice_manager find;


#line 25
# Call the server domain and optionally transfer references to it.
#line 25
allow hal_omx_client hal_omx_server:binder { call transfer };
#line 25
# Allow the serverdomain to transfer references to the client on the reply.
#line 25
allow hal_omx_server hal_omx_client:binder transfer;
#line 25
# Receive and use open files from the server.
#line 25
allow hal_omx_client hal_omx_server:fd use;
#line 25


#line 26
# Call the server domain and optionally transfer references to it.
#line 26
allow hal_omx_server hal_omx_client:binder { call transfer };
#line 26
# Allow the serverdomain to transfer references to the client on the reply.
#line 26
allow hal_omx_client hal_omx_server:binder transfer;
#line 26
# Receive and use open files from the server.
#line 26
allow hal_omx_server hal_omx_client:fd use;
#line 26


###
### neverallow rules
###

# hal_omx_server should never execute any executable without a
# domain transition
neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_power.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_power_client hal_power_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_power_server hal_power_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_power_client hal_power_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_power_server hal_power_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_power_client hal_power_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_power_server hal_power_client:fd use;
#line 3



#line 5
  allow hal_power_client hal_power_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_power_server hal_power_hwservice:hwservice_manager { add find };
#line 5
  allow hal_power_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_power_server } hal_power_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_power_client -hal_power_server } hal_power_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_power_stats.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_power_stats_client hal_power_stats_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_power_stats_server hal_power_stats_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_power_stats_client hal_power_stats_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_power_stats_server hal_power_stats_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_power_stats_client hal_power_stats_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_power_stats_server hal_power_stats_client:fd use;
#line 3



#line 5
  allow hal_power_stats_client hal_power_stats_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_power_stats_server hal_power_stats_hwservice:hwservice_manager { add find };
#line 5
  allow hal_power_stats_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_power_stats_server } hal_power_stats_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_power_stats_client -hal_power_stats_server } hal_power_stats_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_secure_element.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_secure_element_client hal_secure_element_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_secure_element_server hal_secure_element_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_secure_element_client hal_secure_element_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_secure_element_server hal_secure_element_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_secure_element_client hal_secure_element_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_secure_element_server hal_secure_element_client:fd use;
#line 3



#line 5
  allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_secure_element_server hal_secure_element_hwservice:hwservice_manager { add find };
#line 5
  allow hal_secure_element_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_secure_element_server } hal_secure_element_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_secure_element_client -hal_secure_element_server } hal_secure_element_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_sensors.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_sensors_client hal_sensors_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_sensors_server hal_sensors_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_sensors_client hal_sensors_server:fd use;
#line 2



#line 4
  allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_sensors_server hal_sensors_hwservice:hwservice_manager { add find };
#line 4
  allow hal_sensors_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_sensors_server } hal_sensors_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_sensors_client -hal_sensors_server } hal_sensors_hwservice:hwservice_manager find;
#line 4

#line 4


# Allow sensor hals to access ashmem memory allocated by apps
allow hal_sensors { appdomain -isolated_app }:fd use;

# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
# fd is passed in from framework sensorservice HAL.
allow hal_sensors hal_allocator:fd use;

# allow to run with real-time scheduling policy
allow hal_sensors self:{ capability cap_userns } sys_nice;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_telephony.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_telephony_client hal_telephony_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_telephony_server hal_telephony_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_telephony_client hal_telephony_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_telephony_server hal_telephony_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_telephony_client hal_telephony_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_telephony_server hal_telephony_client:fd use;
#line 3



#line 5
  allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_telephony_server hal_telephony_hwservice:hwservice_manager { add find };
#line 5
  allow hal_telephony_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_telephony_server } hal_telephony_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_telephony_client -hal_telephony_server } hal_telephony_hwservice:hwservice_manager find;
#line 5

#line 5


allowxperm hal_telephony_server self:udp_socket ioctl
#line 7
{
#line 7
# qualcomm rmnet ioctls
#line 7
0x00006900 0x00006902
#line 7
# socket ioctls
#line 7
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 7
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 7
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 7
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 7
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 7
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 7
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 7
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 7
0x00008991 0x00008992 0x00008993 0x00008994
#line 7
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 7
# device and protocol specific ioctls
#line 7
0x000089f0-0x000089ff
#line 7
0x000089e0-0x000089ef
#line 7
# Wireless extension ioctls
#line 7
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 7
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 7
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 7
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 7
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 7
0x00008b34 0x00008b35 0x00008b36
#line 7
# Dev private ioctl i.e. hardware specific ioctls
#line 7
0x00008be0-0x00008bff
#line 7
};

allow hal_telephony_server self:netlink_route_socket nlmsg_write;
allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:{ capability cap_userns } { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow hal_telephony_server cgroup:{ file lnk_file } { getattr open read ioctl lock map };
allow hal_telephony_server radio_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_telephony_server radio_device:blk_file { getattr open read ioctl lock map };
allow hal_telephony_server efs_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow hal_telephony_server efs_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow hal_telephony_server vendor_shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow hal_telephony_server bluetooth_efs_file:file { getattr open read ioctl lock map };
allow hal_telephony_server bluetooth_efs_file:dir { open getattr read search ioctl lock };

# property service

#line 23

#line 23
allow hal_telephony_server property_socket:sock_file write;
#line 23
allow hal_telephony_server init:unix_stream_socket connectto;
#line 23

#line 23
allow hal_telephony_server radio_prop:property_service set;
#line 23

#line 23
allow hal_telephony_server radio_prop:file { getattr open read map };
#line 23

#line 23


#line 24

#line 24
allow hal_telephony_server property_socket:sock_file write;
#line 24
allow hal_telephony_server init:unix_stream_socket connectto;
#line 24

#line 24
allow hal_telephony_server exported_radio_prop:property_service set;
#line 24

#line 24
allow hal_telephony_server exported_radio_prop:file { getattr open read map };
#line 24

#line 24


#line 25

#line 25
allow hal_telephony_server property_socket:sock_file write;
#line 25
allow hal_telephony_server init:unix_stream_socket connectto;
#line 25

#line 25
allow hal_telephony_server exported2_radio_prop:property_service set;
#line 25

#line 25
allow hal_telephony_server exported2_radio_prop:file { getattr open read map };
#line 25

#line 25


#line 26

#line 26
allow hal_telephony_server property_socket:sock_file write;
#line 26
allow hal_telephony_server init:unix_stream_socket connectto;
#line 26

#line 26
allow hal_telephony_server exported3_radio_prop:property_service set;
#line 26

#line 26
allow hal_telephony_server exported3_radio_prop:file { getattr open read map };
#line 26

#line 26


allow hal_telephony_server tty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Allow hal_telephony_server to create and use netlink sockets.
allow hal_telephony_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_telephony_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_telephony_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };

# Access to wake locks

#line 36
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 36
# deprecated.
#line 36
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 36
allow hal_telephony_server sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 36
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 36
allow hal_telephony_server self:{ capability2 cap2_userns } block_suspend;
#line 36
# system_suspend permissions
#line 36

#line 36
# Call the server domain and optionally transfer references to it.
#line 36
allow hal_telephony_server system_suspend_server:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow system_suspend_server hal_telephony_server:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow hal_telephony_server system_suspend_server:fd use;
#line 36

#line 36
allow hal_telephony_server system_suspend_hwservice:hwservice_manager find;
#line 36
# halclientdomain permissions
#line 36

#line 36
# Call the hwservicemanager and transfer references to it.
#line 36
allow hal_telephony_server hwservicemanager:binder { call transfer };
#line 36
# Allow hwservicemanager to send out callbacks
#line 36
allow hwservicemanager hal_telephony_server:binder { call transfer };
#line 36
# hwservicemanager performs getpidcon on clients.
#line 36
allow hwservicemanager hal_telephony_server:dir search;
#line 36
allow hwservicemanager hal_telephony_server:file { read open map };
#line 36
allow hwservicemanager hal_telephony_server:process getattr;
#line 36
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 36
# all domains in domain.te.
#line 36

#line 36

#line 36
allow hal_telephony_server hwservicemanager_prop:file { getattr open read map };
#line 36

#line 36
allow hal_telephony_server hidl_manager_hwservice:hwservice_manager find;
#line 36



#line 38
allow hal_telephony_server proc_net_type:dir { open getattr read search ioctl lock };
#line 38
allow hal_telephony_server proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 38


#line 39
allow hal_telephony_server sysfs_type:dir { open getattr read search ioctl lock };
#line 39
allow hal_telephony_server sysfs_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 39


# granting the ioctl permission for hal_telephony_server should be device specific
allow hal_telephony_server self:socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_tetheroffload.te"
## HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tetheroffload_client hal_tetheroffload_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_tetheroffload_server hal_tetheroffload_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tetheroffload_client hal_tetheroffload_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tetheroffload_server hal_tetheroffload_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_tetheroffload_client hal_tetheroffload_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tetheroffload_server hal_tetheroffload_client:fd use;
#line 3



#line 5
  allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_tetheroffload_server hal_tetheroffload_hwservice:hwservice_manager { add find };
#line 5
  allow hal_tetheroffload_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_tetheroffload_server } hal_tetheroffload_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_tetheroffload_client -hal_tetheroffload_server } hal_tetheroffload_hwservice:hwservice_manager find;
#line 5

#line 5


# allow the client to pass the server already open netlink sockets
allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_thermal.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_thermal_client hal_thermal_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_thermal_server hal_thermal_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_thermal_client hal_thermal_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_thermal_server hal_thermal_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_thermal_client hal_thermal_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_thermal_server hal_thermal_client:fd use;
#line 3



#line 5
  allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_thermal_server hal_thermal_hwservice:hwservice_manager { add find };
#line 5
  allow hal_thermal_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_thermal_server } hal_thermal_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_thermal_client -hal_thermal_server } hal_thermal_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_tv_cec.te"
# HwBinder IPC from clients into server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_cec_client hal_tv_cec_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_tv_cec_server hal_tv_cec_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_cec_client hal_tv_cec_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tv_cec_server hal_tv_cec_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_tv_cec_client hal_tv_cec_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tv_cec_server hal_tv_cec_client:fd use;
#line 3



#line 5
  allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_tv_cec_server hal_tv_cec_hwservice:hwservice_manager { add find };
#line 5
  allow hal_tv_cec_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_tv_cec_server } hal_tv_cec_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_tv_cec_client -hal_tv_cec_server } hal_tv_cec_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_tv_input.te"
# HwBinder IPC from clients into server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_input_client hal_tv_input_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_tv_input_server hal_tv_input_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_input_client hal_tv_input_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tv_input_server hal_tv_input_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_tv_input_client hal_tv_input_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tv_input_server hal_tv_input_client:fd use;
#line 3



#line 5
  allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_tv_input_server hal_tv_input_hwservice:hwservice_manager { add find };
#line 5
  allow hal_tv_input_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_tv_input_server } hal_tv_input_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_tv_input_client -hal_tv_input_server } hal_tv_input_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_usb.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_usb_client hal_usb_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_usb_server hal_usb_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_usb_client hal_usb_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_usb_server hal_usb_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_usb_client hal_usb_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_usb_server hal_usb_client:fd use;
#line 3



#line 5
  allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_usb_server hal_usb_hwservice:hwservice_manager { add find };
#line 5
  allow hal_usb_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_usb_server } hal_usb_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_usb_client -hal_usb_server } hal_usb_hwservice:hwservice_manager find;
#line 5

#line 5


allow hal_usb self:netlink_kobject_uevent_socket create;
allow hal_usb self:netlink_kobject_uevent_socket setopt;
allow hal_usb self:netlink_kobject_uevent_socket getopt;
allow hal_usb self:netlink_kobject_uevent_socket bind;
allow hal_usb self:netlink_kobject_uevent_socket read;
allow hal_usb sysfs:dir open;
allow hal_usb sysfs:dir read;
allow hal_usb sysfs:file read;
allow hal_usb sysfs:file open;
allow hal_usb sysfs:file write;
allow hal_usb sysfs:file getattr;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_usb_gadget.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_usb_gadget_client hal_usb_gadget_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_usb_gadget_server hal_usb_gadget_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_usb_gadget_client hal_usb_gadget_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_usb_gadget_server hal_usb_gadget_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_usb_gadget_client hal_usb_gadget_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_usb_gadget_server hal_usb_gadget_client:fd use;
#line 3



#line 5
  allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_usb_gadget_server hal_usb_gadget_hwservice:hwservice_manager { add find };
#line 5
  allow hal_usb_gadget_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_usb_gadget_server } hal_usb_gadget_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_usb_gadget_client -hal_usb_gadget_server } hal_usb_gadget_hwservice:hwservice_manager find;
#line 5

#line 5


# Configuring usb gadget functions
allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
allow hal_usb_gadget_server configfs:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow hal_usb_gadget_server configfs:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_vehicle.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vehicle_client hal_vehicle_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_vehicle_server hal_vehicle_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vehicle_client hal_vehicle_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vehicle_server hal_vehicle_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_vehicle_client hal_vehicle_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vehicle_server hal_vehicle_client:fd use;
#line 3




#line 6
  allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
#line 6

#line 6
  allow hal_vehicle_server hal_vehicle_hwservice:hwservice_manager { add find };
#line 6
  allow hal_vehicle_server hidl_base_hwservice:hwservice_manager add;
#line 6
  neverallow { domain -hal_vehicle_server } hal_vehicle_hwservice:hwservice_manager add;
#line 6

#line 6

#line 6

#line 6
    neverallow { domain -hal_vehicle_client -hal_vehicle_server } hal_vehicle_hwservice:hwservice_manager find;
#line 6

#line 6

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_vibrator.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vibrator_client hal_vibrator_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_vibrator_server hal_vibrator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vibrator_client hal_vibrator_server:fd use;
#line 2



#line 4
  allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_vibrator_server hal_vibrator_hwservice:hwservice_manager { add find };
#line 4
  allow hal_vibrator_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_vibrator_server } hal_vibrator_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_vibrator_client -hal_vibrator_server } hal_vibrator_hwservice:hwservice_manager find;
#line 4

#line 4


# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file { { getattr open read ioctl lock map } { open append write lock map } };
allow hal_vibrator sysfs_vibrator:dir search;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_vr.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vr_client hal_vr_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_vr_server hal_vr_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vr_client hal_vr_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vr_server hal_vr_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_vr_client hal_vr_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vr_server hal_vr_client:fd use;
#line 3



#line 5
  allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_vr_server hal_vr_hwservice:hwservice_manager { add find };
#line 5
  allow hal_vr_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_vr_server } hal_vr_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_vr_client -hal_vr_server } hal_vr_hwservice:hwservice_manager find;
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_weaver.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_weaver_client hal_weaver_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_weaver_server hal_weaver_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_weaver_client hal_weaver_server:fd use;
#line 2



#line 4
  allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
#line 4

#line 4
  allow hal_weaver_server hal_weaver_hwservice:hwservice_manager { add find };
#line 4
  allow hal_weaver_server hidl_base_hwservice:hwservice_manager add;
#line 4
  neverallow { domain -hal_weaver_server } hal_weaver_hwservice:hwservice_manager add;
#line 4

#line 4

#line 4

#line 4
    neverallow { domain -hal_weaver_client -hal_weaver_server } hal_weaver_hwservice:hwservice_manager find;
#line 4

#line 4

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_wifi.te"
# HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_client hal_wifi_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_wifi_server hal_wifi_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_client hal_wifi_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_server hal_wifi_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_wifi_client hal_wifi_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_server hal_wifi_client:fd use;
#line 3



#line 5
  allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_wifi_server hal_wifi_hwservice:hwservice_manager { add find };
#line 5
  allow hal_wifi_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_wifi_server } hal_wifi_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_wifi_client -hal_wifi_server } hal_wifi_hwservice:hwservice_manager find;
#line 5

#line 5



#line 7
allow hal_wifi proc_net_type:dir { open getattr read search ioctl lock };
#line 7
allow hal_wifi proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 7


#line 8
allow hal_wifi sysfs_type:dir { open getattr read search ioctl lock };
#line 8
allow hal_wifi sysfs_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 8



#line 10

#line 10
allow hal_wifi property_socket:sock_file write;
#line 10
allow hal_wifi init:unix_stream_socket connectto;
#line 10

#line 10
allow hal_wifi exported_wifi_prop:property_service set;
#line 10

#line 10
allow hal_wifi exported_wifi_prop:file { getattr open read map };
#line 10

#line 10


#line 11

#line 11
allow hal_wifi property_socket:sock_file write;
#line 11
allow hal_wifi init:unix_stream_socket connectto;
#line 11

#line 11
allow hal_wifi wifi_prop:property_service set;
#line 11

#line 11
allow hal_wifi wifi_prop:file { getattr open read map };
#line 11

#line 11


# allow hal wifi set interfaces up and down and get the factory MAC
allow hal_wifi self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allowxperm hal_wifi self:udp_socket ioctl { 0x00008914 0x00008924 0x00008946 };

allow hal_wifi self:{ capability cap_userns } { net_admin net_raw };
# allow hal_wifi to speak to nl80211 in the kernel
allow hal_wifi self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow hal_wifi self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# hal_wifi writes firmware paths to this file.
allow hal_wifi sysfs_wlan_fwpath:file { { open append write lock map } };
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
allow hal_wifi proc_modules:file { getattr open read };
# Allow hal_wifi to send dump info to dumpstate
allow hal_wifi dumpstate:fifo_file write;

# allow hal_wifi to write into /data/vendor/tombstones/wifi
allow hal_wifi_server tombstone_wifi_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow hal_wifi_server tombstone_wifi_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_wifi_hostapd.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:fd use;
#line 3



#line 5
  allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_wifi_hostapd_server hal_wifi_hostapd_hwservice:hwservice_manager { add find };
#line 5
  allow hal_wifi_hostapd_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_wifi_hostapd_server } hal_wifi_hostapd_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_wifi_hostapd_client -hal_wifi_hostapd_server } hal_wifi_hostapd_hwservice:hwservice_manager find;
#line 5

#line 5


allow hal_wifi_hostapd_server self:{ capability cap_userns } { net_admin net_raw };

allow hal_wifi_hostapd_server sysfs_net:dir search;

# Allow hal_wifi_hostapd to access /proc/net/psched
allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };

# Various socket permissions.
allowxperm hal_wifi_hostapd_server self:udp_socket ioctl
#line 15
{
#line 15
# qualcomm rmnet ioctls
#line 15
0x00006900 0x00006902
#line 15
# socket ioctls
#line 15
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 15
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 15
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 15
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 15
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 15
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 15
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 15
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 15
0x00008991 0x00008992 0x00008993 0x00008994
#line 15
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 15
# device and protocol specific ioctls
#line 15
0x000089f0-0x000089ff
#line 15
0x000089e0-0x000089ef
#line 15
# Wireless extension ioctls
#line 15
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 15
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 15
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 15
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 15
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 15
0x00008b34 0x00008b35 0x00008b36
#line 15
# Dev private ioctl i.e. hardware specific ioctls
#line 15
0x00008be0-0x00008bff
#line 15
};
allow hal_wifi_hostapd_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;

###
### neverallow rules
###

# hal_wifi_hostapd should not trust any data from sdcards
neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
neverallow hal_wifi_hostapd_server sdcard_type:file *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_wifi_offload.te"
## HwBinder IPC from client to server, and callbacks

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_offload_client hal_wifi_offload_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_wifi_offload_server hal_wifi_offload_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_offload_client hal_wifi_offload_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_offload_server hal_wifi_offload_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_wifi_offload_client hal_wifi_offload_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_offload_server hal_wifi_offload_client:fd use;
#line 3



#line 5
  allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_wifi_offload_server hal_wifi_offload_hwservice:hwservice_manager { add find };
#line 5
  allow hal_wifi_offload_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_wifi_offload_server } hal_wifi_offload_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_wifi_offload_client -hal_wifi_offload_server } hal_wifi_offload_hwservice:hwservice_manager find;
#line 5

#line 5



#line 7
allow hal_wifi_offload proc_net_type:dir { open getattr read search ioctl lock };
#line 7
allow hal_wifi_offload proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 7


#line 8
allow hal_wifi_offload sysfs_type:dir { open getattr read search ioctl lock };
#line 8
allow hal_wifi_offload sysfs_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 8

#line 1 "system/sepolicy/prebuilts/api/29.0/public/hal_wifi_supplicant.te"
# HwBinder IPC from client to server

#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:fd use;
#line 2


#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:fd use;
#line 3



#line 5
  allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
#line 5

#line 5
  allow hal_wifi_supplicant_server hal_wifi_supplicant_hwservice:hwservice_manager { add find };
#line 5
  allow hal_wifi_supplicant_server hidl_base_hwservice:hwservice_manager add;
#line 5
  neverallow { domain -hal_wifi_supplicant_server } hal_wifi_supplicant_hwservice:hwservice_manager add;
#line 5

#line 5

#line 5

#line 5
    neverallow { domain -hal_wifi_supplicant_client -hal_wifi_supplicant_server } hal_wifi_supplicant_hwservice:hwservice_manager find;
#line 5

#line 5


# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl
#line 8
{
#line 8
# qualcomm rmnet ioctls
#line 8
0x00006900 0x00006902
#line 8
# socket ioctls
#line 8
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 8
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 8
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 8
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 8
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 8
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 8
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 8
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 8
0x00008991 0x00008992 0x00008993 0x00008994
#line 8
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 8
# device and protocol specific ioctls
#line 8
0x000089f0-0x000089ff
#line 8
0x000089e0-0x000089ef
#line 8
# Wireless extension ioctls
#line 8
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 8
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 8
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 8
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 8
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 8
0x00008b34 0x00008b35 0x00008b36
#line 8
# Dev private ioctl i.e. hardware specific ioctls
#line 8
0x00008be0-0x00008bff
#line 8
};


#line 10
allow hal_wifi_supplicant sysfs_type:dir { open getattr read search ioctl lock };
#line 10
allow hal_wifi_supplicant sysfs_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 10


#line 11
allow hal_wifi_supplicant proc_net_type:dir { open getattr read search ioctl lock };
#line 11
allow hal_wifi_supplicant proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 11


allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:{ capability cap_userns } { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_supplicant self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_supplicant self:packet_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allowxperm hal_wifi_supplicant self:packet_socket ioctl {
#line 20
{
#line 20
# Socket ioctls for gathering information about the interface
#line 20
0x00008906 0x00008907
#line 20
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 20
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 20
# Wireless extension ioctls. Primarily get functions.
#line 20
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 20
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 20
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 20
}
#line 20
{
#line 20
# qualcomm rmnet ioctls
#line 20
0x00006900 0x00006902
#line 20
# socket ioctls
#line 20
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 20
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 20
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 20
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 20
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 20
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 20
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 20
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 20
0x00008991 0x00008992 0x00008993 0x00008994
#line 20
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 20
# device and protocol specific ioctls
#line 20
0x000089f0-0x000089ff
#line 20
0x000089e0-0x000089ef
#line 20
# Wireless extension ioctls
#line 20
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 20
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 20
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 20
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 20
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 20
0x00008b34 0x00008b35 0x00008b36
#line 20
# Dev private ioctl i.e. hardware specific ioctls
#line 20
0x00008be0-0x00008bff
#line 20
} {
#line 20
  0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005413 0x00005414 0x0000540e
#line 20
  0x00005403 0x0000540b 0x00005410 0x0000540f
#line 20
} };

###
### neverallow rules
###

# wpa_supplicant should not trust any data from sdcards
neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
neverallow hal_wifi_supplicant_server sdcard_type:file *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/healthd.te"
# healthd - battery/charger monitoring service daemon
type healthd, domain;
type healthd_exec, system_file_type, exec_type, file_type;

# Write to /dev/kmsg
allow healthd kmsg_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Read access to pseudo filesystems.
allow healthd sysfs_type:dir search;
# Allow to read /sys/class/power_supply directory.
allow healthd sysfs:dir { open getattr read search ioctl lock };

#line 12
allow healthd rootfs:dir { open getattr read search ioctl lock };
#line 12
allow healthd rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 12


#line 13
allow healthd cgroup:dir { open getattr read search ioctl lock };
#line 13
allow healthd cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 13


allow healthd self:{ capability cap_userns } { sys_tty_config };
allow healthd self:{ capability cap_userns } sys_boot;
dontaudit healthd self:{ capability cap_userns } sys_resource;

allow healthd self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };


#line 21
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 21
# deprecated.
#line 21
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 21
allow healthd sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 21
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 21
allow healthd self:{ capability2 cap2_userns } block_suspend;
#line 21
# system_suspend permissions
#line 21

#line 21
# Call the server domain and optionally transfer references to it.
#line 21
allow healthd system_suspend_server:binder { call transfer };
#line 21
# Allow the serverdomain to transfer references to the client on the reply.
#line 21
allow system_suspend_server healthd:binder transfer;
#line 21
# Receive and use open files from the server.
#line 21
allow healthd system_suspend_server:fd use;
#line 21

#line 21
allow healthd system_suspend_hwservice:hwservice_manager find;
#line 21
# halclientdomain permissions
#line 21

#line 21
# Call the hwservicemanager and transfer references to it.
#line 21
allow healthd hwservicemanager:binder { call transfer };
#line 21
# Allow hwservicemanager to send out callbacks
#line 21
allow hwservicemanager healthd:binder { call transfer };
#line 21
# hwservicemanager performs getpidcon on clients.
#line 21
allow hwservicemanager healthd:dir search;
#line 21
allow hwservicemanager healthd:file { read open map };
#line 21
allow hwservicemanager healthd:process getattr;
#line 21
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 21
# all domains in domain.te.
#line 21

#line 21

#line 21
allow healthd hwservicemanager_prop:file { getattr open read map };
#line 21

#line 21
allow healthd hidl_manager_hwservice:hwservice_manager find;
#line 21



#line 23
typeattribute healthd halclientdomain;
#line 23
typeattribute healthd hal_health_client;
#line 23

#line 23
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 23
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 23
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 23

#line 23


# Read/write to /sys/power/state
allow healthd sysfs_power:file { { getattr open read ioctl lock map } { open append write lock map } };

# TODO: added to match above sysfs rule. Remove me?
allow healthd sysfs_usb:file write;


#line 31
allow healthd sysfs_batteryinfo:dir { open getattr read search ioctl lock };
#line 31
allow healthd sysfs_batteryinfo:{ file lnk_file } { getattr open read ioctl lock map };
#line 31


###
### healthd: charger mode
###

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow healthd pstorefs:dir { open getattr read search ioctl lock };
allow healthd pstorefs:file { getattr open read ioctl lock map };

allow healthd graphics_device:dir { open getattr read search ioctl lock };
allow healthd graphics_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow healthd input_device:dir { open getattr read search ioctl lock };
allow healthd input_device:chr_file { getattr open read ioctl lock map };
allow healthd tty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
allow healthd proc_sysrq:file { { getattr open read ioctl lock map } { open append write lock map } };

# Healthd needs to tell init to continue the boot
# process when running in charger mode.

#line 54

#line 54
allow healthd property_socket:sock_file write;
#line 54
allow healthd init:unix_stream_socket connectto;
#line 54

#line 54
allow healthd system_prop:property_service set;
#line 54

#line 54
allow healthd system_prop:file { getattr open read map };
#line 54

#line 54


#line 55

#line 55
allow healthd property_socket:sock_file write;
#line 55
allow healthd init:unix_stream_socket connectto;
#line 55

#line 55
allow healthd exported_system_prop:property_service set;
#line 55

#line 55
allow healthd exported_system_prop:file { getattr open read map };
#line 55

#line 55


#line 56

#line 56
allow healthd property_socket:sock_file write;
#line 56
allow healthd init:unix_stream_socket connectto;
#line 56

#line 56
allow healthd exported2_system_prop:property_service set;
#line 56

#line 56
allow healthd exported2_system_prop:file { getattr open read map };
#line 56

#line 56


#line 57

#line 57
allow healthd property_socket:sock_file write;
#line 57
allow healthd init:unix_stream_socket connectto;
#line 57

#line 57
allow healthd exported3_system_prop:property_service set;
#line 57

#line 57
allow healthd exported3_system_prop:file { getattr open read map };
#line 57

#line 57

#line 1 "system/sepolicy/prebuilts/api/29.0/public/heapprofd.te"
type heapprofd, domain, coredomain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hwservice.te"
type default_android_hwservice, hwservice_manager_type;
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice;
type hal_atrace_hwservice, hwservice_manager_type;
type hal_audiocontrol_hwservice, hwservice_manager_type;
type hal_audio_hwservice, hwservice_manager_type;
type hal_authsecret_hwservice, hwservice_manager_type;
type hal_bluetooth_hwservice, hwservice_manager_type;
type hal_bootctl_hwservice, hwservice_manager_type;
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
type hal_codec2_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
type hal_confirmationui_hwservice, hwservice_manager_type;
type hal_contexthub_hwservice, hwservice_manager_type;
type hal_drm_hwservice, hwservice_manager_type;
type hal_cas_hwservice, hwservice_manager_type;
type hal_dumpstate_hwservice, hwservice_manager_type;
type hal_evs_hwservice, hwservice_manager_type;
type hal_face_hwservice, hwservice_manager_type;
type hal_fingerprint_hwservice, hwservice_manager_type;
type hal_gatekeeper_hwservice, hwservice_manager_type;
type hal_gnss_hwservice, hwservice_manager_type;
type hal_graphics_allocator_hwservice, hwservice_manager_type;
type hal_graphics_composer_hwservice, hwservice_manager_type;
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_health_hwservice, hwservice_manager_type;
type hal_health_storage_hwservice, hwservice_manager_type;
type hal_input_classifier_hwservice, hwservice_manager_type;
type hal_ir_hwservice, hwservice_manager_type;
type hal_keymaster_hwservice, hwservice_manager_type;
type hal_light_hwservice, hwservice_manager_type;
type hal_lowpan_hwservice, hwservice_manager_type;
type hal_memtrack_hwservice, hwservice_manager_type;
type hal_neuralnetworks_hwservice, hwservice_manager_type;
type hal_nfc_hwservice, hwservice_manager_type;
type hal_oemlock_hwservice, hwservice_manager_type;
type hal_omx_hwservice, hwservice_manager_type;
type hal_power_hwservice, hwservice_manager_type;
type hal_power_stats_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_secure_element_hwservice, hwservice_manager_type;
type hal_sensors_hwservice, hwservice_manager_type;
type hal_telephony_hwservice, hwservice_manager_type;
type hal_tetheroffload_hwservice, hwservice_manager_type;
type hal_thermal_hwservice, hwservice_manager_type;
type hal_tv_cec_hwservice, hwservice_manager_type;
type hal_tv_input_hwservice, hwservice_manager_type;
type hal_usb_hwservice, hwservice_manager_type;
type hal_usb_gadget_hwservice, hwservice_manager_type;
type hal_vehicle_hwservice, hwservice_manager_type;
type hal_vibrator_hwservice, hwservice_manager_type;
type hal_vr_hwservice, hwservice_manager_type;
type hal_weaver_hwservice, hwservice_manager_type;
type hal_wifi_hwservice, hwservice_manager_type;
type hal_wifi_hostapd_hwservice, hwservice_manager_type;
type hal_wifi_offload_hwservice, hwservice_manager_type;
type hal_wifi_supplicant_hwservice, hwservice_manager_type;
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_base_hwservice, hwservice_manager_type;
type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
type thermalcallback_hwservice, hwservice_manager_type;

###
### Neverallow rules
###

# hwservicemanager handles registering or looking up named services.
# It does not make sense to register or lookup something which is not a
# hwservice. Trigger a compile error if this occurs.
neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/hwservicemanager.te"
# hwservicemanager - the Binder context manager for HAL services
type hwservicemanager, domain, mlstrustedsubject;
type hwservicemanager_exec, system_file_type, exec_type, file_type;

# Note that we do not use the binder_* macros here.
# hwservicemanager provides name service (aka context manager)
# for hwbinder.
# Additionally, it initiates binder IPC calls to
# clients who request service notifications. The permission
# to do this is granted in the hwbinder_use macro.
allow hwservicemanager self:binder set_context_mgr;


#line 13

#line 13
allow hwservicemanager property_socket:sock_file write;
#line 13
allow hwservicemanager init:unix_stream_socket connectto;
#line 13

#line 13
allow hwservicemanager hwservicemanager_prop:property_service set;
#line 13

#line 13
allow hwservicemanager hwservicemanager_prop:file { getattr open read map };
#line 13

#line 13


# Scan through /system/lib64/hw looking for installed HALs
allow hwservicemanager system_file:dir { open getattr read search ioctl lock };

# Read hwservice_contexts
allow hwservicemanager hwservice_contexts_file:file { getattr open read ioctl lock map };

# Check SELinux permissions.

#line 22

#line 22
allow hwservicemanager selinuxfs:dir { open getattr read search ioctl lock };
#line 22
allow hwservicemanager selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 22

#line 22
allow hwservicemanager selinuxfs:file { open append write lock map };
#line 22
allow hwservicemanager kernel:security compute_av;
#line 22
allow hwservicemanager self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 22

#line 1 "system/sepolicy/prebuilts/api/29.0/public/idmap.te"
# idmap, when executed by installd
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;

# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow idmap resourcecache_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };

# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;

# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file { getattr open read ioctl lock map };
allow idmap apk_data_file:dir search;

# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
allow idmap { apk_tmp_file apk_private_tmp_file }:file { getattr open read ioctl lock map };
allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;

# Allow apps access to /vendor/app

#line 23
allow idmap vendor_app_file:dir { open getattr read search ioctl lock };
#line 23
allow idmap vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 23


# Allow apps access to /vendor/overlay

#line 26
allow idmap vendor_overlay_file:dir { open getattr read search ioctl lock };
#line 26
allow idmap vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 26


# Allow the idmap2d binary to register as a service and communicate via AIDL

#line 29
# Call the servicemanager and transfer references to it.
#line 29
allow idmap servicemanager:binder { call transfer };
#line 29
# servicemanager performs getpidcon on clients.
#line 29
allow servicemanager idmap:dir search;
#line 29
allow servicemanager idmap:file { read open };
#line 29
allow servicemanager idmap:process getattr;
#line 29
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 29
# all domains in domain.te.
#line 29


#line 30
  allow idmap idmap_service:service_manager { add find };
#line 30
  neverallow { domain -idmap } idmap_service:service_manager add;
#line 30

#line 1 "system/sepolicy/prebuilts/api/29.0/public/incident.te"
# The incident command is used to call into the incidentd service to
# take an incident report (binary, shared bugreport), download incident
# reports that have already been taken, and monitor for new ones.
# It doesn't do anything else.

# incident
type incident, domain;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/incident_helper.te"
# The incident_helper is called by incidentd and
# can only read/write data from/to incidentd

# incident_helper
type incident_helper, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/incidentd.te"
# incidentd
type incidentd, domain;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/init.te"
# init is its own domain.
type init, domain, mlstrustedsubject;
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

#
# init direct restorecon calls.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
# /dev/kmsg_debug
#line 18

# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
# /dev/__properties__/property_info
allow init properties_device:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
allow init { null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
  metadata_block_device
  misc_block_device
  recovery_block_device
  system_block_device
  userdata_block_device
}:{ blk_file lnk_file } relabelto;

# setrlimit
allow init self:{ capability cap_userns } sys_resource;

# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Access /dev/tty0.
allow init tty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Call mount(2).
allow init self:{ capability cap_userns } sys_admin;

# Call setns(2).
allow init self:{ capability cap_userns } sys_chroot;

# Create and mount on directories in /.
allow init rootfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
allow init cgroup_bpf:dir { create mounton };

# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init tmpfs:dir mounton;
allow init cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init cgroup:file { { getattr open read ioctl lock map } { open append write lock map } };
allow init cgroup_rc_file:file { { getattr open read ioctl lock map } { open append write lock map } };
allow init cgroup_desc_file:file { getattr open read ioctl lock map };
allow init vendor_cgroup_desc_file:file { getattr open read ioctl lock map };

# /config
allow init configfs:dir mounton;
allow init configfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init configfs:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# /metadata
allow init metadata_file:dir mounton;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
allow init self:{ capability cap_userns } { dac_override dac_read_search };

# Set system clock.
allow init self:{ capability cap_userns } sys_time;

allow init self:{ capability cap_userns } { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file { getattr open read ioctl lock map };
allowxperm init dev_type:blk_file ioctl 0x0000125d;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir { open getattr read search ioctl lock };
allow init contextmount_type:{ file lnk_file sock_file fifo_file } { getattr open read ioctl lock map };

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:{ capability cap_userns } { chown fowner fsetid };

allow init {
  file_type
  -app_data_file
  -exec_type
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
  file_type
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
  file_type
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -runtime_event_log_tags_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink map };

allow init {
  file_type
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
  file_type
  -apex_mnt_dir
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file { getattr open read ioctl lock map };

allow init {
  file_type
  -system_file_type
  -vendor_file_type
  -exec_type
  -app_data_file
  -privapp_data_file
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;

allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file { open append write lock map };

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init debugfs_tracing_instances:file { open append write lock map };
allow init debugfs_wifi_tracing:file { open append write lock map };

# chown/chmod on pseudo files.
allow init {
  fs_type
  -contextmount_type
  -keychord_device
  -proc_type
  -sdcard_type
  -sysfs_type
  -rootfs
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

allow init {
  ashmem_device
  binder_device
  console_device
  devpts
  dm_device
  hwbinder_device
  hw_random_device
  input_device
  kmsg_device
  null_device
  owntty_device
  pmsg_device
  ptmx_device
  random_device
  tty_device
  zero_device
}:chr_file { read open };

# chown/chmod on devices.
allow init {
  dev_type
  -keychord_device
  -port_device
}:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } } relabelfrom };
allow init unlabeled:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } } relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:{ capability2 cap2_userns } syslog;

# init access to /proc.

#line 306
allow init proc_net_type:dir { open getattr read search ioctl lock };
#line 306
allow init proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 306

allow init proc_filesystems:file { getattr open read ioctl lock map };

#line 314


allow init {
  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
  proc_cmdline
  proc_diskstats
  proc_kmsg # Open /proc/kmsg for logd service.
  proc_meminfo
  proc_stat # Read /proc/stat for bootchart.
  proc_uptime
  proc_version
}:file { getattr open read ioctl lock map };

allow init {
  proc_abi
  proc_dirty
  proc_hostname
  proc_hung_task
  proc_extra_free_kbytes
  proc_net_type
  proc_max_map_count
  proc_min_free_order_shift
  proc_overcommit_memory
  proc_panic
  proc_page_cluster
  proc_perf
  proc_sched
  proc_sysrq
}:file { open append write lock map };

allow init {
  proc_security
}:file { { getattr open read ioctl lock map } { open append write lock map } };

# init chmod/chown access to /proc files.
allow init {
  proc_cmdline
  proc_kmsg
  proc_net
  proc_qtaguid_stat
  proc_slabinfo
  proc_sysrq
  proc_qtaguid_ctrl
  proc_vmallocinfo
}:file setattr;

# init access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_leds
  sysfs_power
  sysfs_fs_f2fs
  sysfs_dm
}:file { open append write lock map };

allow init {
  sysfs_dt_firmware_android
  sysfs_fs_ext4_features
}:file { getattr open read ioctl lock map };

allow init {
  sysfs_zram
}:file { { getattr open read ioctl lock map } { open append write lock map } };

# allow init to create loop devices with /dev/loop-control
allow init loop_control_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow init loop_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allowxperm init loop_device:blk_file ioctl {
  0x00004c00
  0x00004c01
  0x00004c82
  0x00004c09
  0x00004c08
};

# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file { open append write lock map };

# init chmod/chown access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_devices_system_cpu
  sysfs_ipv4
  sysfs_leds
  sysfs_lowmemorykiller
  sysfs_power
  sysfs_vibrator
  sysfs_wake_lock
  sysfs_zram
}:file setattr;

# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file { { getattr open read ioctl lock map } { open append write lock map } };

allow init self:{ capability cap_userns } net_admin;

# Reboot.
allow init self:{ capability cap_userns } sys_boot;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
allow init self:{ capability cap_userns } kill;
allow init domain:process { getpgid sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:{ capability cap_userns } { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.

#line 442
allow init domain:dir { open getattr read search ioctl lock };
#line 442
allow init domain:{ file lnk_file } { getattr open read ioctl lock map };
#line 442


# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file { getattr open read ioctl lock map };

# sepolicy access
allow init sepolicy_file:file { getattr open read ioctl lock map };

# Perform SELinux access checks on setting properties.

#line 457

#line 457
allow init selinuxfs:dir { open getattr read search ioctl lock };
#line 457
allow init selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 457

#line 457
allow init selinuxfs:file { open append write lock map };
#line 457
allow init kernel:security compute_av;
#line 457
allow init self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 457


# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Create /data/property and files within it.
allow init property_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init property_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Set any property.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_relay };
allow init self:{ capability cap_userns } audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl 0x00008914;
allow init self:{ capability cap_userns } net_raw;

# Set scheduling info for psi monitor thread.
allow init kernel:process { getsched setsched };

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file { getattr open read ioctl lock map };

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO:  Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# keychord retrieval from /dev/input/ devices
allow init input_device:dir { open getattr read search ioctl lock };
allow init input_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow init dm_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file { getattr open read ioctl lock map };
allow init kernel:system syslog_read;

# linux keyring configuration
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };

# Set encryption policy on dirs in /data
allowxperm init data_file_type:dir ioctl {
  0x400c6615
  0x800c6613
};

# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };

# Raw writes to misc block device
allow init misc_block_device:blk_file { open append write lock map };


#line 537
allow init system_file:dir { open getattr read search ioctl lock };
#line 537
allow init system_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 537


#line 538
allow init vendor_file_type:dir { open getattr read search ioctl lock };
#line 538
allow init vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 538


allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file { getattr open read ioctl lock map };

# For init to be able to run shell scripts from vendor
allow init vendor_shell_exec:file execute;

# Metadata setup
allow init vold_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow init vold_metadata_file:file getattr;

# Allow init to use binder

#line 551
# Call the servicemanager and transfer references to it.
#line 551
allow init servicemanager:binder { call transfer };
#line 551
# servicemanager performs getpidcon on clients.
#line 551
allow servicemanager init:dir search;
#line 551
allow servicemanager init:file { read open };
#line 551
allow servicemanager init:process getattr;
#line 551
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 551
# all domains in domain.te.
#line 551
;
allow init apex_service:service_manager find;
# Allow servicemanager to pass it
allow servicemanager init:binder transfer;
# Allow calls from init to apexd
allow init apexd:binder call;

# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { { { getattr open read ioctl lock map } { open append write lock map } } setattr };

# init is using bootstrap bionic
allow init system_bootstrap_lib_file:dir { open getattr read search ioctl lock };
allow init system_bootstrap_lib_file:file { execute read open getattr map };

###
### neverallow rules
###

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init { app_data_file privapp_data_file }:lnk_file read;

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

# init can only find the APEX service
neverallow init { service_manager_type -apex_service }:service_manager { find };
# init can never add binder services
neverallow init service_manager_type:service_manager { add };
# init can never list binder services
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };

# Init should not access sysfs node that are not explicitly labeled.
neverallow init sysfs:file { open read write };

# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/inputflinger.te"
# inputflinger
type inputflinger, domain;
type inputflinger_exec, system_file_type, exec_type, file_type;


#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow inputflinger servicemanager:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager inputflinger:dir search;
#line 5
allow servicemanager inputflinger:file { read open };
#line 5
allow servicemanager inputflinger:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5


#line 6
typeattribute inputflinger binderservicedomain;
#line 6



#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow inputflinger system_server:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow system_server inputflinger:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow inputflinger system_server:fd use;
#line 8



#line 10
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 10
# deprecated.
#line 10
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 10
allow inputflinger sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 10
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 10
allow inputflinger self:{ capability2 cap2_userns } block_suspend;
#line 10
# system_suspend permissions
#line 10

#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow inputflinger system_suspend_server:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow system_suspend_server inputflinger:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow inputflinger system_suspend_server:fd use;
#line 10

#line 10
allow inputflinger system_suspend_hwservice:hwservice_manager find;
#line 10
# halclientdomain permissions
#line 10

#line 10
# Call the hwservicemanager and transfer references to it.
#line 10
allow inputflinger hwservicemanager:binder { call transfer };
#line 10
# Allow hwservicemanager to send out callbacks
#line 10
allow hwservicemanager inputflinger:binder { call transfer };
#line 10
# hwservicemanager performs getpidcon on clients.
#line 10
allow hwservicemanager inputflinger:dir search;
#line 10
allow hwservicemanager inputflinger:file { read open map };
#line 10
allow hwservicemanager inputflinger:process getattr;
#line 10
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10

#line 10

#line 10
allow inputflinger hwservicemanager_prop:file { getattr open read map };
#line 10

#line 10
allow inputflinger hidl_manager_hwservice:hwservice_manager find;
#line 10


allow inputflinger input_device:dir { open getattr read search ioctl lock };
allow inputflinger input_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };


#line 15
allow inputflinger cgroup:dir { open getattr read search ioctl lock };
#line 15
allow inputflinger cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 15

#line 1 "system/sepolicy/prebuilts/api/29.0/public/install_recovery.te"
# service flash_recovery in init.rc
type install_recovery, domain;
type install_recovery_exec, system_file_type, exec_type, file_type;

allow install_recovery self:{ capability cap_userns } { dac_override dac_read_search };

# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh
allow install_recovery shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Execute /system/bin/applypatch
allow install_recovery system_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };


allow install_recovery toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Update the recovery block device based off a diff of the boot block device
allow install_recovery block_device:dir search;
allow install_recovery boot_block_device:blk_file { getattr open read ioctl lock map };
allow install_recovery recovery_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# Create and delete /cache/saved.file
allow install_recovery cache_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow install_recovery cache_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Write to /proc/sys/vm/drop_caches
allow install_recovery proc_drop_caches:file { open append write lock map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/installd.te"
# installer daemon
type installd, domain;
type installd_exec, system_file_type, exec_type, file_type;
typeattribute installd mlstrustedsubject;
allow installd self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };

# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link };

# Allow movement of APK files between volumes
allow installd apk_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } } relabelfrom };
allow installd apk_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } } relabelfrom link };
allow installd apk_data_file:lnk_file { create { getattr open read ioctl lock map } unlink };

# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
# TODO(b/120629632): this path is deprecated, remove when possible.
allowxperm installd apk_data_file:file ioctl {
  0x6685 0x6686
};

allow installd asec_apk_file:file { getattr open read ioctl lock map };
allow installd apk_tmp_file:file { { getattr open read ioctl lock map } unlink };
allow installd apk_tmp_file:dir { relabelfrom { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } } };
allow installd oemfs:dir { open getattr read search ioctl lock };
allow installd oemfs:file { getattr open read ioctl lock map };
allow installd cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.

#line 31

#line 31
allow installd selinuxfs:dir { open getattr read search ioctl lock };
#line 31
allow installd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 31

#line 31
allow installd selinuxfs:file { open append write lock map };
#line 31
allow installd kernel:security check_context;
#line 31



#line 33
allow installd rootfs:dir { open getattr read search ioctl lock };
#line 33
allow installd rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 33

# Scan through APKs in /system/app and /system/priv-app

#line 35
allow installd system_file:dir { open getattr read search ioctl lock };
#line 35
allow installd system_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 35

# Scan through APKs in /vendor/app

#line 37
allow installd vendor_app_file:dir { open getattr read search ioctl lock };
#line 37
allow installd vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 37

# Scan through JARs in /vendor/framework

#line 39
allow installd vendor_framework_file:dir { open getattr read search ioctl lock };
#line 39
allow installd vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 39

# Scan through Runtime Resource Overlay APKs in /vendor/overlay

#line 41
allow installd vendor_overlay_file:dir { open getattr read search ioctl lock };
#line 41
allow installd vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 41

# Get file context
allow installd file_contexts_file:file { getattr open read ioctl lock map };
# Get seapp_context
allow installd seapp_contexts_file:file { getattr open read ioctl lock map };

# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;

# Create /data/user and /data/user/0 if necessary.
# Also required to initially create /data/data subdirectories
# and lib symlinks before the setfilecon call.  May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
# Also, allow read for lnk_file so that we can process /data/user/0 links when
# optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };

# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow installd media_rw_data_file:file { getattr unlink };
# restorecon new /data/media directory.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;

# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd tmpfs:dir { open getattr read search ioctl lock };
allow installd storage_file:dir search;
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
allow installd sdcard_type:file { getattr unlink };

# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow installd misc_user_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow installd keychain_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow installd keychain_data_file:file {{ getattr open read ioctl lock map } unlink};

# Create /data/.layout_version.* file
allow installd install_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow installd dalvikcache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow installd dalvikcache_data_file:lnk_file getattr;

# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow installd resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } rmdir };
allow installd unlabeled:{ file lnk_file sock_file fifo_file } { getattr relabelfrom rename unlink setattr };
# Read pkg.apk file for input during dexopt.
allow installd unlabeled:file { getattr open read ioctl lock map };

# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:{ file lnk_file sock_file fifo_file } { getattr relabelfrom unlink };

# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
# Types extracted from seapp_contexts type= fields.
allow installd {
    system_app_data_file
    bluetooth_data_file
    nfc_data_file
    radio_data_file
    shell_data_file
    app_data_file
    privapp_data_file
}:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } } relabelfrom relabelto };

allow installd {
    system_app_data_file
    bluetooth_data_file
    nfc_data_file
    radio_data_file
    shell_data_file
    app_data_file
    privapp_data_file
}:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } } relabelfrom relabelto };

# Similar for the files under /data/misc/profiles/
allow installd user_profile_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow installd user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow installd user_profile_data_file:dir rmdir;
allow installd user_profile_data_file:file unlink;

# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };

# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# execute toybox for app relocation
allow installd toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Allow installd to publish a binder service and make binder calls.

#line 145
# Call the servicemanager and transfer references to it.
#line 145
allow installd servicemanager:binder { call transfer };
#line 145
# servicemanager performs getpidcon on clients.
#line 145
allow servicemanager installd:dir search;
#line 145
allow servicemanager installd:file { read open };
#line 145
allow servicemanager installd:process getattr;
#line 145
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 145
# all domains in domain.te.
#line 145


#line 146
  allow installd installd_service:service_manager { add find };
#line 146
  neverallow { domain -installd } installd_service:service_manager add;
#line 146

allow installd dumpstate:fifo_file  { getattr write };

# Allow installd to call into the system server so it can check permissions.

#line 150
# Call the server domain and optionally transfer references to it.
#line 150
allow installd system_server:binder { call transfer };
#line 150
# Allow the serverdomain to transfer references to the client on the reply.
#line 150
allow system_server installd:binder transfer;
#line 150
# Receive and use open files from the server.
#line 150
allow installd system_server:fd use;
#line 150

allow installd permission_service:service_manager find;

# Allow installd to read and write quotas
allow installd block_device:dir { search };
allow installd labeledfs:filesystem { quotaget quotamod };

# Allow installd to delete from /data/preloads when trimming data caches
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
allow installd preloads_data_file:file { { getattr open read ioctl lock map } unlink };
allow installd preloads_data_file:dir { { open getattr read search ioctl lock } write remove_name rmdir };
allow installd preloads_media_file:file { { getattr open read ioctl lock map } unlink };
allow installd preloads_media_file:dir { { open getattr read search ioctl lock } write remove_name rmdir };

###
### Neverallow rules
###

# only system_server, installd and dumpstate may interact with installd over binder
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
neverallow { domain -system_server -dumpstate } installd:binder call;
neverallow installd {
    domain
    -ashmemd
    -system_server
    -servicemanager

}:binder call;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/iorapd.te"
# volume manager
type iorapd, domain;
type iorapd_exec, exec_type, file_type, system_file_type;
type iorapd_tmpfs, file_type;


#line 6
allow iorapd rootfs:dir { open getattr read search ioctl lock };
#line 6
allow iorapd rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 6


# Allow read/write /proc/sys/vm/drop/caches
allow iorapd proc_drop_caches:file { { getattr open read ioctl lock map } { open append write lock map } };

# Give iorapd a place where only iorapd can store files; everyone else is off limits
allow iorapd iorapd_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow iorapd iorapd_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Allow iorapd to publish a binder service and make binder calls.

#line 16
# Call the servicemanager and transfer references to it.
#line 16
allow iorapd servicemanager:binder { call transfer };
#line 16
# servicemanager performs getpidcon on clients.
#line 16
allow servicemanager iorapd:dir search;
#line 16
allow servicemanager iorapd:file { read open };
#line 16
allow servicemanager iorapd:process getattr;
#line 16
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 16
# all domains in domain.te.
#line 16


#line 17
  allow iorapd iorapd_service:service_manager { add find };
#line 17
  neverallow { domain -iorapd } iorapd_service:service_manager add;
#line 17


# Allow iorapd to call into the system server so it can check permissions.

#line 20
# Call the server domain and optionally transfer references to it.
#line 20
allow iorapd system_server:binder { call transfer };
#line 20
# Allow the serverdomain to transfer references to the client on the reply.
#line 20
allow system_server iorapd:binder transfer;
#line 20
# Receive and use open files from the server.
#line 20
allow iorapd system_server:fd use;
#line 20

allow iorapd permission_service:service_manager find;
# IUserManager
allow iorapd user_service:service_manager find;
# IPackageManagerNative
allow iorapd package_native_service:service_manager find;

# talk to batteryservice

#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow iorapd healthd:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow healthd iorapd:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow iorapd healthd:fd use;
#line 28


# TODO: does each of the service_manager allow finds above need the binder_call?

# iorapd temporarily changes its priority when running benchmarks
allow iorapd self:{ capability cap_userns } sys_nice;

# Allow to access Perfetto traced's privileged consumer socket to start/stop
# tracing sessions and read trace data.

#line 37
allow iorapd traced_consumer_socket:sock_file write;
#line 37
allow iorapd traced:unix_stream_socket connectto;
#line 37


###
### neverallow rules
###

neverallow {
    domain
    -iorapd
} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };

neverallow {
    domain
    -init
    -iorapd
} iorapd_data_file:dir *;

neverallow {
    domain
    -kernel
    -iorapd
} iorapd_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };

neverallow {
    domain
    -init
    -kernel
    -vendor_init
    -iorapd
} { iorapd_data_file }:{ file lnk_file sock_file fifo_file } *;

# Only system_server can interact with iorapd over binder
neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
neverallow iorapd {
  domain
  -healthd
  -servicemanager
  -system_server

}:binder call;

neverallow { domain -init } iorapd:process { transition dyntransition };
neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/isolated_app.te"
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###

type isolated_app, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/kernel.te"
# Life begins with the kernel.
type kernel, domain, mlstrustedsubject;

allow kernel self:{ capability cap_userns } sys_nice;

# Root fs.

#line 7
allow kernel rootfs:dir { open getattr read search ioctl lock };
#line 7
allow kernel rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 7

allow kernel proc_cmdline:file { getattr open read ioctl lock map };

# Get SELinux enforcing status.
allow kernel selinuxfs:dir { open getattr read search ioctl lock };
allow kernel selinuxfs:file { getattr open read ioctl lock map };

# Get file contexts during first stage
allow kernel file_contexts_file:file { getattr open read ioctl lock map };

# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
allow kernel init:process share;

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# Mount usbfs.
allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:{ capability cap_userns } sys_resource;

# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:{ capability cap_userns } sys_boot;
allow kernel proc_sysrq:file { open append write lock map };

# Allow writing to /dev/kmsg which was created prior to loading policy.
allow kernel tmpfs:chr_file write;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;

# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel sdcard_type:file { read write };

# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;

# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
allow kernel vold:fd use;
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;

# Allow reading loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
#line 73


# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow kernel media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow kernel media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };

# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;

# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
# before the domain is switched to the target domain. So, we need to allow the kernel
# domain (the source domain) to execute the dynamic linker (system_file type).
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
# kernel older than 4.8.
allow kernel system_file:file execute;
# The label for the dynamic linker is rootfs in the recovery partition. This is because
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
# done at build-time. All files are by default labeled as rootfs upon booting.
#line 104


# required by VTS lidbm unit test
allow kernel appdomain_tmpfs:file read;

###
### neverallow rules
###

# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
neverallow * kernel:process { transition dyntransition };

# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper.  In this case, define a domain
#   for the program and domain_auto_trans() to it.
# - You are running an exploit which switched to the init task credentials
#   and is then trying to exec a shell or other program.  You lose!
neverallow kernel *:file { entrypoint execute_no_trans };

# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:{ capability cap_userns } { dac_override dac_read_search };

# Nobody should be ptracing kernel threads
neverallow * kernel:process ptrace;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/keystore.te"
type keystore, domain;
type keystore_exec, system_file_type, exec_type, file_type;

# keystore daemon
typeattribute keystore mlstrustedsubject;

#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow keystore servicemanager:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager keystore:dir search;
#line 6
allow servicemanager keystore:file { read open };
#line 6
allow servicemanager keystore:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6


#line 7
typeattribute keystore binderservicedomain;
#line 7


#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow keystore system_server:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow system_server keystore:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow keystore system_server:fd use;
#line 8


allow keystore keystore_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow keystore keystore_exec:file { getattr };


#line 14
  allow keystore keystore_service:service_manager { add find };
#line 14
  neverallow { domain -keystore } keystore_service:service_manager add;
#line 14

allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;

# Check SELinux permissions.

#line 19

#line 19
allow keystore selinuxfs:dir { open getattr read search ioctl lock };
#line 19
allow keystore selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 19

#line 19
allow keystore selinuxfs:file { open append write lock map };
#line 19
allow keystore kernel:security compute_av;
#line 19
allow keystore self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 19



#line 21
allow keystore cgroup:dir { open getattr read search ioctl lock };
#line 21
allow keystore cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 21


###
### Neverallow rules
###
### Protect ourself from others
###

neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };

neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:{ file lnk_file sock_file fifo_file } *;

neverallow * keystore:process ptrace;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/llkd.te"
# llkd Live LocK Daemon
type llkd, domain, mlstrustedsubject;
type llkd_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/lmkd.te"
# lmkd low memory killer daemon
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, system_file_type, exec_type, file_type;

allow lmkd self:{ capability cap_userns } { dac_override dac_read_search sys_resource kill };

# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
# b/16236289
allow lmkd self:{ capability cap_userns } ipc_lock;

## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?

#line 15
allow lmkd appdomain:dir { open getattr read search ioctl lock };
#line 15
allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock map };
#line 15

allow lmkd appdomain:file write;

#line 17
allow lmkd system_server:dir { open getattr read search ioctl lock };
#line 17
allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock map };
#line 17

allow lmkd system_server:file write;

## Writes to /sys/module/lowmemorykiller/parameters/minfree

#line 21
allow lmkd sysfs_lowmemorykiller:dir { open getattr read search ioctl lock };
#line 21
allow lmkd sysfs_lowmemorykiller:{ file lnk_file } { getattr open read ioctl lock map };
#line 21

allow lmkd sysfs_lowmemorykiller:file { open append write lock map };

# setsched and send kill signals
allow lmkd appdomain:process { setsched sigkill };
allow lmkd kernel:process { setsched };

# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };

# Allow to read memcg stats
allow lmkd cgroup:file { getattr open read ioctl lock map };

# Set self to SCHED_FIFO
allow lmkd self:{ capability cap_userns } sys_nice;

allow lmkd proc_zoneinfo:file { getattr open read ioctl lock map };

# Set sys.lmk.* properties.

#line 40

#line 40
allow lmkd property_socket:sock_file write;
#line 40
allow lmkd init:unix_stream_socket connectto;
#line 40

#line 40
allow lmkd system_lmk_prop:property_service set;
#line 40

#line 40
allow lmkd system_lmk_prop:file { getattr open read map };
#line 40

#line 40


# live lock watchdog process allowed to look through /proc/
allow lmkd domain:dir { search open read };
allow lmkd domain:file { open read };

# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
allow lmkd proc_sysrq:file { { getattr open read ioctl lock map } { open append write lock map } };

# Read /proc/meminfo
allow lmkd proc_meminfo:file { getattr open read ioctl lock map };

# Read /proc/pressure/cpu and /proc/pressure/io
allow lmkd proc_pressure_cpu:file { getattr open read ioctl lock map };
allow lmkd proc_pressure_io:file { getattr open read ioctl lock map };

# Read/Write /proc/pressure/memory
allow lmkd proc_pressure_mem:file { { getattr open read ioctl lock map } { open append write lock map } };

# Allow lmkd to write to statsd.

#line 61
allow lmkd statsdw_socket:sock_file write;
#line 61
allow lmkd statsd:unix_dgram_socket sendto;
#line 61


### neverallow rules

# never honor LD_PRELOAD
neverallow * lmkd:process noatsecure;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/logd.te"
# android user-space log manager
type logd, domain, mlstrustedsubject;
type logd_exec, system_file_type, exec_type, file_type;

# Read access to pseudo filesystems.

#line 6
allow logd cgroup:dir { open getattr read search ioctl lock };
#line 6
allow logd cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 6


#line 7
allow logd proc_kmsg:dir { open getattr read search ioctl lock };
#line 7
allow logd proc_kmsg:{ file lnk_file } { getattr open read ioctl lock map };
#line 7


#line 8
allow logd proc_meminfo:dir { open getattr read search ioctl lock };
#line 8
allow logd proc_meminfo:{ file lnk_file } { getattr open read ioctl lock map };
#line 8


allow logd self:{ capability cap_userns } { setuid setgid setpcap sys_nice audit_control };
allow logd self:{ capability2 cap2_userns } syslog;
allow logd self:netlink_audit_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file { getattr { open append write lock map } };
allow logd system_data_file:{ file lnk_file } { getattr open read ioctl lock map };
allow logd packages_list_file:file { getattr open read ioctl lock map };
allow logd pstorefs:dir search;
allow logd pstorefs:file { getattr open read ioctl lock map };
#line 23

allow logd runtime_event_log_tags_file:file { { getattr open read ioctl lock map } { open append write lock map } };

# Access device logging gating property

#line 27
allow logd device_logging_prop:file { getattr open read map };
#line 27



#line 29
allow logd domain:dir { open getattr read search ioctl lock };
#line 29
allow logd domain:{ file lnk_file } { getattr open read ioctl lock map };
#line 29


allow logd kernel:system syslog_mod;


#line 33
# Group AID_LOG checked by filesystem & logd
#line 33
# to permit control commands
#line 33

#line 33
allow logd logd_socket:sock_file write;
#line 33
allow logd logd:unix_stream_socket connectto;
#line 33

#line 33


#line 34
allow logd runtime_event_log_tags_file:file { getattr open read ioctl lock map };
#line 34


allow runtime_event_log_tags_file tmpfs:filesystem associate;
# Typically harmlessly blindly trying to access via liblog
# event tag mapping while in the untrusted_app domain.
# Access for that domain is controlled and gated via the
# event log tag service (albeit at a performance penalty,
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { map open read };

###
### Neverallow rules
###
### logd should NEVER do any of this

# Block device access.
neverallow logd dev_type:blk_file { read write };

# ptrace any other app
neverallow logd domain:process ptrace;

# ... and nobody may ptrace me (except on userdebug or eng builds)
neverallow { domain  } logd:process ptrace;

# Write to /system.
neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;

# protect the event-log-tags file
neverallow {
  domain
  -init
  -logd
} runtime_event_log_tags_file:file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/logpersist.te"
# android debug logging, logpersist domains
type logpersist, domain;

###
### Neverallow rules
###
### logpersist should NEVER do any of this

# Block device access.
neverallow logpersist dev_type:blk_file { read write };

# ptrace any other app
neverallow logpersist domain:process ptrace;

# Write to files in /data/data or system files on /data except misc_logd_file
neverallow logpersist { privapp_data_file app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Only init should be allowed to enter the logpersist domain via exec()
# Following is a list of debug domains we know that transition to logpersist
# neverallow_with_undefined_domains {
#   domain
#   -init       # goldfish, logcatd, raft
#   -mmi        # bat, mtp8996, msmcobalt
#   -system_app # Smith.apk
# } logpersist:process transition;
neverallow * logpersist:process dyntransition;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/mdnsd.te"
# mdns daemon
type mdnsd, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/mediadrmserver.te"
# mediadrmserver - mediadrm daemon
type mediadrmserver, domain;
type mediadrmserver_exec, system_file_type, exec_type, file_type;

typeattribute mediadrmserver mlstrustedsubject;


#line 7
typeattribute mediadrmserver netdomain;
#line 7


#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow mediadrmserver servicemanager:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager mediadrmserver:dir search;
#line 8
allow servicemanager mediadrmserver:file { read open };
#line 8
allow servicemanager mediadrmserver:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8


#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow mediadrmserver binderservicedomain:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow binderservicedomain mediadrmserver:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow mediadrmserver binderservicedomain:fd use;
#line 9


#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow mediadrmserver appdomain:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow appdomain mediadrmserver:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow mediadrmserver appdomain:fd use;
#line 10


#line 11
typeattribute mediadrmserver binderservicedomain;
#line 11


#line 12
typeattribute mediadrmserver halclientdomain;
#line 12
typeattribute mediadrmserver hal_drm_client;
#line 12

#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12

#line 12



#line 14
  allow mediadrmserver mediadrmserver_service:service_manager { add find };
#line 14
  neverallow { domain -mediadrmserver } mediadrmserver_service:service_manager add;
#line 14

allow mediadrmserver mediaserver_service:service_manager find;
allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
allow mediadrmserver system_file:dir { open getattr read search ioctl lock };

# TODO(b/80317992): remove

#line 22
# Call the server domain and optionally transfer references to it.
#line 22
allow mediadrmserver hal_omx_server:binder { call transfer };
#line 22
# Allow the serverdomain to transfer references to the client on the reply.
#line 22
allow hal_omx_server mediadrmserver:binder transfer;
#line 22
# Receive and use open files from the server.
#line 22
allow mediadrmserver hal_omx_server:fd use;
#line 22


###
### neverallow rules
###

# mediadrmserver should never execute any executable without a
# domain transition
neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 33
{
#line 33
# qualcomm rmnet ioctls
#line 33
0x00006900 0x00006902
#line 33
# socket ioctls
#line 33
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 33
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 33
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 33
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 33
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 33
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 33
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 33
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 33
0x00008991 0x00008992 0x00008993 0x00008994
#line 33
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 33
# device and protocol specific ioctls
#line 33
0x000089f0-0x000089ff
#line 33
0x000089e0-0x000089ef
#line 33
# Wireless extension ioctls
#line 33
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 33
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 33
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 33
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 33
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 33
0x00008b34 0x00008b35 0x00008b36
#line 33
# Dev private ioctl i.e. hardware specific ioctls
#line 33
0x00008be0-0x00008bff
#line 33
};
#line 1 "system/sepolicy/prebuilts/api/29.0/public/mediaextractor.te"
# mediaextractor - multimedia daemon
type mediaextractor, domain;
type mediaextractor_exec, system_file_type, exec_type, file_type;
type mediaextractor_tmpfs, file_type;

typeattribute mediaextractor mlstrustedsubject;


#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow mediaextractor servicemanager:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager mediaextractor:dir search;
#line 8
allow servicemanager mediaextractor:file { read open };
#line 8
allow servicemanager mediaextractor:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8


#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow mediaextractor binderservicedomain:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow binderservicedomain mediaextractor:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow mediaextractor binderservicedomain:fd use;
#line 9


#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow mediaextractor appdomain:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow appdomain mediaextractor:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow mediaextractor appdomain:fd use;
#line 10


#line 11
typeattribute mediaextractor binderservicedomain;
#line 11



#line 13
  allow mediaextractor mediaextractor_service:service_manager { add find };
#line 13
  neverallow { domain -mediaextractor } mediaextractor_service:service_manager add;
#line 13

allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor hidl_token_hwservice:hwservice_manager find;

allow mediaextractor system_server:fd use;


#line 19
typeattribute mediaextractor halclientdomain;
#line 19
typeattribute mediaextractor hal_cas_client;
#line 19

#line 19
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 19
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 19
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 19

#line 19


#line 20
typeattribute mediaextractor halclientdomain;
#line 20
typeattribute mediaextractor hal_allocator_client;
#line 20

#line 20
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 20
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 20
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 20

#line 20



#line 22
allow mediaextractor cgroup:dir { open getattr read search ioctl lock };
#line 22
allow mediaextractor cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 22

allow mediaextractor proc_meminfo:file { getattr open read ioctl lock map };


#line 25

#line 25
allow mediaextractor anr_data_file:file append;
#line 25
allow mediaextractor dumpstate:fd use;
#line 25
allow mediaextractor incidentd:fd use;
#line 25
# TODO: Figure out why write is needed.
#line 25
allow mediaextractor dumpstate:fifo_file { append write };
#line 25
allow mediaextractor incidentd:fifo_file { append write };
#line 25
allow mediaextractor system_server:fifo_file { append write };
#line 25
allow mediaextractor tombstoned:unix_stream_socket connectto;
#line 25
allow mediaextractor tombstoned:fd use;
#line 25
allow mediaextractor tombstoned_crash_socket:sock_file write;
#line 25
allow mediaextractor tombstone_data_file:file append;
#line 25


# allow mediaextractor read permissions for file sources
allow mediaextractor sdcard_type:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };

# Read resources from open apk files passed over Binder
allow mediaextractor apk_data_file:file { read getattr };
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };

# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };


#line 40
allow mediaextractor device_config_media_native_prop:file { getattr open read map };
#line 40


###
### neverallow rules
###

# mediaextractor should never execute any executable without a
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;

# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
# descriptor opened outside the process.
neverallow mediaextractor {
  data_file_type
  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
   # for loading media extractor plugins

}:file open;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/mediametrics.te"
# mediametrics - daemon for collecting media.metrics data
type mediametrics, domain;
type mediametrics_exec, system_file_type, exec_type, file_type;



#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow mediametrics servicemanager:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager mediametrics:dir search;
#line 6
allow servicemanager mediametrics:file { read open };
#line 6
allow servicemanager mediametrics:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6


#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow mediametrics binderservicedomain:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow binderservicedomain mediametrics:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow mediametrics binderservicedomain:fd use;
#line 7


#line 8
typeattribute mediametrics binderservicedomain;
#line 8



#line 10
  allow mediametrics mediametrics_service:service_manager { add find };
#line 10
  neverallow { domain -mediametrics } mediametrics_service:service_manager add;
#line 10


allow mediametrics system_server:fd use;


#line 14
allow mediametrics cgroup:dir { open getattr read search ioctl lock };
#line 14
allow mediametrics cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 14

allow mediametrics proc_meminfo:file { getattr open read ioctl lock map };

# allows interactions with dumpsys to GMScore
allow mediametrics { app_data_file privapp_data_file }:file write;

# allow access to package manager for uid->apk mapping
allow mediametrics package_native_service:service_manager find;

# Allow metrics service to send information to statsd socket.

#line 24
allow mediametrics statsdw_socket:sock_file write;
#line 24
allow mediametrics statsd:unix_dgram_socket sendto;
#line 24


###
### neverallow rules
###

# mediametrics should never execute any executable without a
# domain transition
neverallow mediametrics { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/mediaprovider.te"
###
### A domain for android.process.media, which contains both
### MediaProvider and DownloadProvider and associated services.
###

type mediaprovider, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/mediaserver.te"
# mediaserver - multimedia daemon
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;

typeattribute mediaserver mlstrustedsubject;


#line 8
typeattribute mediaserver netdomain;
#line 8



#line 10
allow mediaserver sdcard_type:dir { open getattr read search ioctl lock };
#line 10
allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 10


#line 11
allow mediaserver cgroup:dir { open getattr read search ioctl lock };
#line 11
allow mediaserver cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 11


# stat /proc/self
allow mediaserver proc:lnk_file getattr;

# open /vendor/lib/mediadrm
allow mediaserver system_file:dir { open getattr read search ioctl lock };

#line 22



#line 24
# Call the servicemanager and transfer references to it.
#line 24
allow mediaserver servicemanager:binder { call transfer };
#line 24
# servicemanager performs getpidcon on clients.
#line 24
allow servicemanager mediaserver:dir search;
#line 24
allow servicemanager mediaserver:file { read open };
#line 24
allow servicemanager mediaserver:process getattr;
#line 24
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 24
# all domains in domain.te.
#line 24


#line 25
# Call the server domain and optionally transfer references to it.
#line 25
allow mediaserver binderservicedomain:binder { call transfer };
#line 25
# Allow the serverdomain to transfer references to the client on the reply.
#line 25
allow binderservicedomain mediaserver:binder transfer;
#line 25
# Receive and use open files from the server.
#line 25
allow mediaserver binderservicedomain:fd use;
#line 25


#line 26
# Call the server domain and optionally transfer references to it.
#line 26
allow mediaserver appdomain:binder { call transfer };
#line 26
# Allow the serverdomain to transfer references to the client on the reply.
#line 26
allow appdomain mediaserver:binder transfer;
#line 26
# Receive and use open files from the server.
#line 26
allow mediaserver appdomain:fd use;
#line 26


#line 27
typeattribute mediaserver binderservicedomain;
#line 27


allow mediaserver media_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow mediaserver media_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow mediaserver video_device:dir { open getattr read search ioctl lock };
allow mediaserver video_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };


#line 37

#line 37
allow mediaserver property_socket:sock_file write;
#line 37
allow mediaserver init:unix_stream_socket connectto;
#line 37

#line 37
allow mediaserver audio_prop:property_service set;
#line 37

#line 37
allow mediaserver audio_prop:file { getattr open read map };
#line 37

#line 37


# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
allow mediaserver ringtone_file:file { read getattr };

# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };

# Use pipes passed over Binder from app domains.
allow mediaserver appdomain:fifo_file { getattr read write };

allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file { getattr open read ioctl lock map };


#line 55
allow mediaserver media_rw_data_file:dir { open getattr read search ioctl lock };
#line 55
allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 55


# Grant access to read files on appfuse.
allow mediaserver app_fuse_file:file { read getattr };

# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.

#line 62
allow mediaserver drmserver_socket:sock_file write;
#line 62
allow mediaserver drmserver:unix_stream_socket connectto;
#line 62


# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.

#line 66
allow mediaserver bluetooth_socket:sock_file write;
#line 66
allow mediaserver bluetooth:unix_stream_socket connectto;
#line 66



#line 68
  allow mediaserver mediaserver_service:service_manager { add find };
#line 68
  neverallow { domain -mediaserver } mediaserver_service:service_manager add;
#line 68

allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver audio_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediacodec_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;

# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;

# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;

# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file { getattr open read ioctl lock map };

# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };


#line 99
  allow drmserver mediaserver:dir search;
#line 99
  allow drmserver mediaserver:file { read open };
#line 99
  allow drmserver mediaserver:process getattr;
#line 99

allow mediaserver drmserver:drmservice {
    consumeRights
    setPlaybackStatus
    openDecryptSession
    closeDecryptSession
    initializeDecryptUnit
    decrypt
    finalizeDecryptUnit
    pread
};

# only allow unprivileged socket ioctl commands
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
  ioctl {
#line 113
{
#line 113
# Socket ioctls for gathering information about the interface
#line 113
0x00008906 0x00008907
#line 113
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 113
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 113
# Wireless extension ioctls. Primarily get functions.
#line 113
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 113
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 113
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 113
} {
#line 113
  0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005413 0x00005414 0x0000540e
#line 113
  0x00005403 0x0000540b 0x00005410 0x0000540f
#line 113
} };

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow mediaserver media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow mediaserver media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Access to media in /data/preloads
allow mediaserver preloads_media_file:file { getattr read ioctl };

allow mediaserver ion_device:chr_file { getattr open read ioctl lock map };
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;

allow mediaserver system_server:fd use;

# b/120491318 allow mediaserver to access void:fd
allow mediaserver vold:fd use;


#line 134
typeattribute mediaserver halclientdomain;
#line 134
typeattribute mediaserver hal_allocator_client;
#line 134

#line 134
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 134
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 134
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 134

#line 134


###
### neverallow rules
###

# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 145
{
#line 145
# qualcomm rmnet ioctls
#line 145
0x00006900 0x00006902
#line 145
# socket ioctls
#line 145
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 145
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 145
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 145
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 145
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 145
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 145
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 145
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 145
0x00008991 0x00008992 0x00008993 0x00008994
#line 145
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 145
# device and protocol specific ioctls
#line 145
0x000089f0-0x000089ff
#line 145
0x000089e0-0x000089ef
#line 145
# Wireless extension ioctls
#line 145
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 145
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 145
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 145
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 145
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 145
0x00008b34 0x00008b35 0x00008b36
#line 145
# Dev private ioctl i.e. hardware specific ioctls
#line 145
0x00008be0-0x00008bff
#line 145
};
#line 1 "system/sepolicy/prebuilts/api/29.0/public/mediaswcodec.te"
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;


#line 4
typeattribute mediaswcodec halserverdomain;
#line 4
typeattribute mediaswcodec hal_codec2_server;
#line 4
typeattribute mediaswcodec hal_codec2;
#line 4


# mediaswcodec may use an input surface from a different Codec2 service or an
# OMX service

#line 8
typeattribute mediaswcodec halclientdomain;
#line 8
typeattribute mediaswcodec hal_codec2_client;
#line 8

#line 8
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 8
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 8
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 8

#line 8


#line 9
typeattribute mediaswcodec halclientdomain;
#line 9
typeattribute mediaswcodec hal_omx_client;
#line 9

#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9

#line 9



#line 11
typeattribute mediaswcodec halclientdomain;
#line 11
typeattribute mediaswcodec hal_allocator_client;
#line 11

#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11

#line 11


#line 12
typeattribute mediaswcodec halclientdomain;
#line 12
typeattribute mediaswcodec hal_graphics_allocator_client;
#line 12

#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12

#line 12



#line 14
allow mediaswcodec device_config_media_native_prop:file { getattr open read map };
#line 14



#line 16

#line 16
allow mediaswcodec anr_data_file:file append;
#line 16
allow mediaswcodec dumpstate:fd use;
#line 16
allow mediaswcodec incidentd:fd use;
#line 16
# TODO: Figure out why write is needed.
#line 16
allow mediaswcodec dumpstate:fifo_file { append write };
#line 16
allow mediaswcodec incidentd:fifo_file { append write };
#line 16
allow mediaswcodec system_server:fifo_file { append write };
#line 16
allow mediaswcodec tombstoned:unix_stream_socket connectto;
#line 16
allow mediaswcodec tombstoned:fd use;
#line 16
allow mediaswcodec tombstoned_crash_socket:sock_file write;
#line 16
allow mediaswcodec tombstone_data_file:file append;
#line 16


# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;

# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/modprobe.te"
type modprobe, domain;

allow modprobe proc_modules:file { getattr open read ioctl lock map };
allow modprobe self:{ capability cap_userns } sys_module;
allow modprobe kernel:key search;
#line 9

#line 1 "system/sepolicy/prebuilts/api/29.0/public/mtp.te"
# vpn tunneling protocol manager
type mtp, domain;
type mtp_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute mtp netdomain;
#line 5


# pptp policy
allow mtp self:{ socket pppox_socket } { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow mtp self:{ capability cap_userns } net_raw;
allow mtp ppp:process signal;
allow mtp vpn_data_file:dir search;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/net.te"
## Network types
type node, node_type;
type netif, netif_type;
type port, port_type;

###
### Domain with network access
###

# Use network sockets.
allow netdomain self:tcp_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
allow netdomain self:{ icmp_socket udp_socket rawip_socket } { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };

# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };

# Talks to netd via dnsproxyd socket.

#line 24
allow netdomain dnsproxyd_socket:sock_file write;
#line 24
allow netdomain netd:unix_stream_socket connectto;
#line 24


# Talks to netd via fwmarkd socket.

#line 27
allow netdomain fwmarkd_socket:sock_file write;
#line 27
allow netdomain netd:unix_stream_socket connectto;
#line 27


# Connect to mdnsd via mdnsd socket.

#line 30
allow netdomain mdnsd_socket:sock_file write;
#line 30
allow netdomain mdnsd:unix_stream_socket connectto;
#line 30

#line 1 "system/sepolicy/prebuilts/api/29.0/public/netd.te"
# network manager
type netd, domain, mlstrustedsubject;
type netd_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute netd netdomain;
#line 5

# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl
#line 7
{
#line 7
# qualcomm rmnet ioctls
#line 7
0x00006900 0x00006902
#line 7
# socket ioctls
#line 7
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 7
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 7
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 7
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 7
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 7
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 7
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 7
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 7
0x00008991 0x00008992 0x00008993 0x00008994
#line 7
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 7
# device and protocol specific ioctls
#line 7
0x000089f0-0x000089ff
#line 7
0x000089e0-0x000089ef
#line 7
# Wireless extension ioctls
#line 7
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 7
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 7
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 7
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 7
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 7
0x00008b34 0x00008b35 0x00008b36
#line 7
# Dev private ioctl i.e. hardware specific ioctls
#line 7
0x00008be0-0x00008bff
#line 7
};


#line 9
allow netd cgroup:dir { open getattr read search ioctl lock };
#line 9
allow netd cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 9


allow netd system_server:fd use;

allow netd self:{ capability cap_userns } { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set.  We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:{ capability cap_userns } fsetid;

# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allowxperm netd tun_device:chr_file ioctl { 0x800454d2 0x400454ca };
allow netd self:tun_socket create;

allow netd self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_netfilter_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow netd system_file:file { getattr execute execute_no_trans map };

allow netd devpts:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Acquire advisory lock on /system/etc/xtables.lock
allow netd system_file:file lock;

# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
# after migration complete
allow netd proc_qtaguid_ctrl:file { { getattr open read ioctl lock map } { open append write lock map } };
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file { getattr open read ioctl lock map };


#line 49
allow netd proc_net_type:dir { open getattr read search ioctl lock };
#line 49
allow netd proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 49

# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file { { getattr open read ioctl lock map } { open append write lock map } };

# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir { open getattr read search ioctl lock };

#line 55
allow netd sysfs_net:dir { open getattr read search ioctl lock };
#line 55
allow netd sysfs_net:{ file lnk_file } { getattr open read ioctl lock map };
#line 55


# Allows setting interface MTU
allow netd sysfs_net:file { open append write lock map };

# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;


#line 63
allow netd cgroup_bpf:dir { open getattr read search ioctl lock };
#line 63
allow netd cgroup_bpf:{ file lnk_file } { getattr open read ioctl lock map };
#line 63


allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write setattr };

# TODO: netd previously thought it needed these permissions to do WiFi related
#       work.  However, after all the WiFi stuff is gone, we still need them.
#       Why?
allow netd self:{ capability cap_userns } { dac_override dac_read_search chown };

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow netd net_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow netd self:{ capability cap_userns } fowner;

# Needed to lock the iptables lock.
allow netd system_file:file lock;

# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process signal;

# Allow netd to start clatd in its own domain
allow netd clatd:process signal;


#line 87

#line 87
allow netd property_socket:sock_file write;
#line 87
allow netd init:unix_stream_socket connectto;
#line 87

#line 87
allow netd ctl_mdnsd_prop:property_service set;
#line 87

#line 87
allow netd ctl_mdnsd_prop:file { getattr open read map };
#line 87

#line 87


#line 88

#line 88
allow netd property_socket:sock_file write;
#line 88
allow netd init:unix_stream_socket connectto;
#line 88

#line 88
allow netd netd_stable_secret_prop:property_service set;
#line 88

#line 88
allow netd netd_stable_secret_prop:file { getattr open read map };
#line 88

#line 88


# Allow netd to publish a binder service and make binder calls.

#line 91
# Call the servicemanager and transfer references to it.
#line 91
allow netd servicemanager:binder { call transfer };
#line 91
# servicemanager performs getpidcon on clients.
#line 91
allow servicemanager netd:dir search;
#line 91
allow servicemanager netd:file { read open };
#line 91
allow servicemanager netd:process getattr;
#line 91
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 91
# all domains in domain.te.
#line 91


#line 92
  allow netd netd_service:service_manager { add find };
#line 92
  neverallow { domain -netd } netd_service:service_manager add;
#line 92


#line 93
  allow netd dnsresolver_service:service_manager { add find };
#line 93
  neverallow { domain -netd } dnsresolver_service:service_manager add;
#line 93

allow netd dumpstate:fifo_file  { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{
  icmp_socket
  tcp_socket
  udp_socket
  rawip_socket
  tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write nlmsg_read };

# Allow netd to register as hal server.

#line 117
  allow netd system_net_netd_hwservice:hwservice_manager { add find };
#line 117
  allow netd hidl_base_hwservice:hwservice_manager add;
#line 117
  neverallow { domain -netd } system_net_netd_hwservice:hwservice_manager add;
#line 117


#line 118
# Call the hwservicemanager and transfer references to it.
#line 118
allow netd hwservicemanager:binder { call transfer };
#line 118
# Allow hwservicemanager to send out callbacks
#line 118
allow hwservicemanager netd:binder { call transfer };
#line 118
# hwservicemanager performs getpidcon on clients.
#line 118
allow hwservicemanager netd:dir search;
#line 118
allow hwservicemanager netd:file { read open map };
#line 118
allow hwservicemanager netd:process getattr;
#line 118
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 118
# all domains in domain.te.
#line 118


#line 119
allow netd hwservicemanager_prop:file { getattr open read map };
#line 119


#line 120
allow netd device_config_netd_native_prop:file { getattr open read map };
#line 120


###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other app
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file privapp_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# only system_server, dumpstate and network stack app may find netd service
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} netd_service:service_manager find;

# only system_server, dumpstate and network stack app may find dnsresolver service
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} dnsresolver_service:service_manager find;

# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack  }:binder call;

# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file { getattr open read ioctl lock map };

# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;

# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
dontaudit netd proc_net:dir write;

neverallow netd sysfs_net:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
dontaudit netd sysfs_net:dir write;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/netutils_wrapper.te"
type netutils_wrapper, domain;
type netutils_wrapper_exec, system_file_type, exec_type, file_type;

neverallow domain netutils_wrapper_exec:file execute_no_trans;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/network_stack.te"
# Network stack service app
type network_stack, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/nfc.te"
# nfc subsystem
type nfc, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/perfetto.te"
type perfetto, domain, coredomain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/performanced.te"
# performanced
type performanced, domain, mlstrustedsubject;
type performanced_exec, system_file_type, exec_type, file_type;

# Needed to check for app permissions.

#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow performanced servicemanager:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager performanced:dir search;
#line 6
allow servicemanager performanced:file { read open };
#line 6
allow servicemanager performanced:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6


#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow performanced system_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_server performanced:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow performanced system_server:fd use;
#line 7

allow performanced permission_service:service_manager find;


#line 10
# Mark the server domain as a PDX server.
#line 10
typeattribute performanced pdx_performance_client_server_type;
#line 10
# Allow the init process to create the initial endpoint socket.
#line 10
allow init pdx_performance_client_endpoint_socket_type:unix_stream_socket { create bind };
#line 10
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 10
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 10
# than we need (e.g. we don"t need "bind" or "connect").
#line 10
allow performanced pdx_performance_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 10
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 10
allow performanced self:process setsockcreate;
#line 10
# Allow the server domain to create a client channel socket.
#line 10
allow performanced pdx_performance_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 10
# Prevent other processes from claiming to be a server for the same service.
#line 10
neverallow {domain -performanced} pdx_performance_client_endpoint_socket_type:unix_stream_socket { listen accept };
#line 10


# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
allow performanced self:{ capability cap_userns } { setuid setgid sys_nice };

# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads.  It scans every task in the
# root cpu set, but only affects the kernel threads.

#line 18
allow performanced { appdomain bufferhubd kernel surfaceflinger }:dir { open getattr read search ioctl lock };
#line 18
allow performanced { appdomain bufferhubd kernel surfaceflinger }:{ file lnk_file } { getattr open read ioctl lock map };
#line 18

dontaudit performanced domain:dir read;
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;

# These /proc accesses only show up in permissive mode but they
# generate a lot of noise in the log.
#line 27


# Access /dev/cpuset/cpuset.cpus

#line 30
allow performanced cgroup:dir { open getattr read search ioctl lock };
#line 30
allow performanced cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 30

#line 1 "system/sepolicy/prebuilts/api/29.0/public/perfprofd.te"
# perfprofd - perf profile collection daemon
type perfprofd, domain;
type perfprofd_exec, system_file_type, exec_type, file_type;

#line 121

#line 1 "system/sepolicy/prebuilts/api/29.0/public/platform_app.te"
###
### Apps signed with the platform key.
###

type platform_app, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/postinstall.te"
# Domain where the postinstall program runs during the update.
# Extend the permissions in this domain to allow this program to access other
# files needed by the specific device on your device's sepolicy directory.
type postinstall, domain;

# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file { { getattr open read ioctl lock map } { open append write lock map } };

# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow postinstall postinstall_file:lnk_file { getattr open read ioctl lock map };
allow postinstall postinstall_file:dir { open getattr read search ioctl lock };

# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow postinstall system_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow postinstall toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Allow postinstall to execute shell in recovery.
#line 25


#
# For OTA dexopt.
#

# Allow postinstall scripts to talk to the system server.

#line 32
# Call the servicemanager and transfer references to it.
#line 32
allow postinstall servicemanager:binder { call transfer };
#line 32
# servicemanager performs getpidcon on clients.
#line 32
allow servicemanager postinstall:dir search;
#line 32
allow servicemanager postinstall:file { read open };
#line 32
allow servicemanager postinstall:process getattr;
#line 32
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32


#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow postinstall system_server:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow system_server postinstall:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow postinstall system_server:fd use;
#line 33


# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;

# Allow postinstall scripts to trigger f2fs garbage collection
allow postinstall sysfs_fs_f2fs:file { { getattr open read ioctl lock map } { open append write lock map } };
allow postinstall sysfs_fs_f2fs:dir { open getattr read search ioctl lock };

# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/ppp.te"
# Point to Point Protocol daemon
type ppp, domain;
type ppp_device, dev_type;
type ppp_exec, system_file_type, exec_type, file_type;


#line 6
typeattribute ppp netdomain;
#line 6



#line 8
allow ppp proc_net_type:dir { open getattr read search ioctl lock };
#line 8
allow ppp proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 8


allow ppp mtp:{ socket pppox_socket } { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };

# ioctls needed for VPN.
allowxperm ppp self:udp_socket ioctl
#line 13
{
#line 13
# qualcomm rmnet ioctls
#line 13
0x00006900 0x00006902
#line 13
# socket ioctls
#line 13
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 13
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 13
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 13
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 13
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 13
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 13
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 13
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 13
0x00008991 0x00008992 0x00008993 0x00008994
#line 13
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 13
# device and protocol specific ioctls
#line 13
0x000089f0-0x000089ff
#line 13
0x000089e0-0x000089ef
#line 13
# Wireless extension ioctls
#line 13
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 13
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 13
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 13
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 13
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 13
0x00008b34 0x00008b35 0x00008b36
#line 13
# Dev private ioctl i.e. hardware specific ioctls
#line 13
0x00008be0-0x00008bff
#line 13
};
allowxperm ppp mtp:{ socket pppox_socket } ioctl {
#line 14
0x7436 0x7437 0x7438 0x7439
#line 14
0x743a 0x743b 0x743c 0x743d
#line 14
0x743e 0x743f 0x7440 0x7441
#line 14
0x7446 0x7447 0x744b 0x744c
#line 14
0x744d 0x744e 0x744f
#line 14
0x7450 0x7451 0x7452 0x7453
#line 14
0x7454 0x7455 0x7456 0x7457
#line 14
0x7458 0x7459 0x745a 0x7480
#line 14
0x7481 0x7482 0x7483 0x7484
#line 14
0x7485 0x7486 0x7487 0x7488
#line 14
};

allow ppp mtp:unix_dgram_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };
allow ppp ppp_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow ppp self:{ capability cap_userns } net_admin;
allow ppp system_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

allow ppp vpn_data_file:dir { open search write add_name remove_name lock };
allow ppp vpn_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow ppp mtp:fd use;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/priv_app.te"
###
### A domain for further sandboxing privileged apps.
###

type priv_app, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/profman.te"
# profman
type profman, domain;
type profman_exec, system_file_type, exec_type, file_type;

allow profman user_profile_data_file:file { getattr read write lock map };

# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read map };
allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };

allow profman oemfs:file { read map };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read map };
allow profman profman_dump_data_file:file { write map };

allow profman installd:fd use;

# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };

###
### neverallow rules
###

neverallow profman { privapp_data_file app_data_file }:{ file lnk_file sock_file fifo_file } open;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/property.te"
type apexd_prop, property_type;
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
type boottime_public_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_audio_hal_prop, property_type;
type bluetooth_prop, property_type;
type bpf_progs_loaded_prop, property_type;
type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
type cpu_variant_prop, property_type;
type ctl_adbd_prop, property_type;
type ctl_bootanim_prop, property_type;
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
type ctl_gsid_prop, property_type;
type ctl_interface_restart_prop, property_type;
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
type ctl_mdnsd_prop, property_type;
type ctl_restart_prop, property_type;
type ctl_rildaemon_prop, property_type;
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;
type dalvik_prop, property_type, core_property_type;
type debuggerd_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
type default_prop, property_type, core_property_type;
type device_config_activity_manager_native_boot_prop, property_type;
type device_config_boot_count_prop, property_type;
type device_config_reset_performed_prop, property_type;
type device_config_input_native_boot_prop, property_type;
type device_config_netd_native_prop, property_type;
type device_config_runtime_native_boot_prop, property_type;
type device_config_runtime_native_prop, property_type;
type device_config_media_native_prop, property_type;
type device_logging_prop, property_type;
type dhcp_prop, property_type, core_property_type;
type dumpstate_options_prop, property_type;
type dumpstate_prop, property_type, core_property_type;
type dynamic_system_prop, property_type;
type exported_secure_prop, property_type;
type sota_prop, property_type;
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type firstboot_prop, property_type;
type gsid_prop, property_type;
type heapprofd_enabled_prop, property_type;
type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
type last_boot_reason_prop, property_type;
type system_lmk_prop, property_type;
type llkd_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
type log_prop, property_type, log_property_type;
type log_tag_prop, property_type, log_property_type;
type lowpan_prop, property_type;
type lpdumpd_prop, property_type;
type mmc_prop, property_type;
type net_dns_prop, property_type;
type net_radio_prop, property_type, core_property_type;
type netd_stable_secret_prop, property_type;
type nfc_prop, property_type, core_property_type;
type nnapi_ext_deny_product_prop, property_type;
type overlay_prop, property_type;
type pan_result_prop, property_type, core_property_type;
type persist_debug_prop, property_type, core_property_type;
type persistent_properties_ready_prop, property_type;
type pm_prop, property_type;
type powerctl_prop, property_type, core_property_type;
type radio_prop, property_type, core_property_type;
type restorecon_prop, property_type, core_property_type;
type safemode_prop, property_type;
type serialno_prop, property_type;
type shell_prop, property_type, core_property_type;
type system_boot_reason_prop, property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
type system_trace_prop, property_type;
type test_boot_reason_prop, property_type;
type test_harness_prop, property_type;
type theme_prop, property_type;
type time_prop, property_type;
type traced_enabled_prop, property_type;
type traced_lazy_prop, property_type;
type use_memfd_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
type vendor_security_patch_level_prop, property_type;

# Properties for whitelisting
type exported_audio_prop, property_type;
type exported_bluetooth_prop, property_type;
type exported_config_prop, property_type;
type exported_dalvik_prop, property_type;
type exported_default_prop, property_type;
type exported_dumpstate_prop, property_type;
type exported_ffs_prop, property_type;
type exported_fingerprint_prop, property_type;
type exported_overlay_prop, property_type;
type exported_pm_prop, property_type;
type exported_radio_prop, property_type;
type exported_system_prop, property_type;
type exported_system_radio_prop, property_type;
type exported_vold_prop, property_type;
type exported_wifi_prop, property_type;
type exported2_config_prop, property_type;
type exported2_default_prop, property_type;
type exported2_radio_prop, property_type;
type exported2_system_prop, property_type;
type exported2_vold_prop, property_type;
type exported3_default_prop, property_type;
type exported3_radio_prop, property_type;
type exported3_system_prop, property_type;
type vendor_default_prop, property_type;

allow property_type tmpfs:filesystem associate;

###
### Neverallow rules
###

# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# core_property_type should not be used for new properties or
# device specific properties. Properties with this attribute
# are readable to everyone, which is overly broad and should
# be avoided.
# New properties should have appropriate read / write access
# control rules written.

neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -default_prop
  -dhcp_prop
  -dumpstate_prop
  -ffs_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -system_radio_prop
  -vold_prop
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
neverallow {
  domain
  -init
  -vendor_init
} ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
# in the audit log
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;


#line 191
# Prevent properties from being set
#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -appdomain
#line 191
    -vendor_init
#line 191
  } {
#line 191
    core_property_type
#line 191
    extended_core_property_type
#line 191
    exported_config_prop
#line 191
    exported_dalvik_prop
#line 191
    exported_default_prop
#line 191
    exported_dumpstate_prop
#line 191
    exported_ffs_prop
#line 191
    exported_fingerprint_prop
#line 191
    exported_system_prop
#line 191
    exported_system_radio_prop
#line 191
    exported_vold_prop
#line 191
    exported2_config_prop
#line 191
    exported2_default_prop
#line 191
    exported2_system_prop
#line 191
    exported2_vold_prop
#line 191
    exported3_default_prop
#line 191
    exported3_system_prop
#line 191
    -nfc_prop
#line 191
    -powerctl_prop
#line 191
    -radio_prop
#line 191
  }:property_service set;
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -appdomain
#line 191
    -hal_nfc_server
#line 191
  } {
#line 191
    nfc_prop
#line 191
  }:property_service set;
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -appdomain
#line 191
    -hal_telephony_server
#line 191
    -vendor_init
#line 191
  } {
#line 191
    exported_radio_prop
#line 191
    exported3_radio_prop
#line 191
  }:property_service set;
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -appdomain
#line 191
    -hal_telephony_server
#line 191
  } {
#line 191
    exported2_radio_prop
#line 191
    radio_prop
#line 191
  }:property_service set;
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -bluetooth
#line 191
    -hal_bluetooth_server
#line 191
  } {
#line 191
    bluetooth_prop
#line 191
  }:property_service set;
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -bluetooth
#line 191
    -hal_bluetooth_server
#line 191
    -vendor_init
#line 191
  } {
#line 191
    exported_bluetooth_prop
#line 191
  }:property_service set;
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -hal_wifi_server
#line 191
    -wificond
#line 191
  } {
#line 191
    wifi_prop
#line 191
  }:property_service set;
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -hal_wifi_server
#line 191
    -wificond
#line 191
    -vendor_init
#line 191
  } {
#line 191
    exported_wifi_prop
#line 191
  }:property_service set;
#line 191

#line 191
# Prevent properties from being read
#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -appdomain
#line 191
    -vendor_init
#line 191
  } {
#line 191
    core_property_type
#line 191
    extended_core_property_type
#line 191
    exported_dalvik_prop
#line 191
    exported_ffs_prop
#line 191
    exported_system_radio_prop
#line 191
    exported2_config_prop
#line 191
    exported2_system_prop
#line 191
    exported2_vold_prop
#line 191
    exported3_default_prop
#line 191
    exported3_system_prop
#line 191
    -debug_prop
#line 191
    -logd_prop
#line 191
    -nfc_prop
#line 191
    -powerctl_prop
#line 191
    -radio_prop
#line 191
  }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -appdomain
#line 191
    -hal_nfc_server
#line 191
  } {
#line 191
    nfc_prop
#line 191
  }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -appdomain
#line 191
    -hal_telephony_server
#line 191
  } {
#line 191
    radio_prop
#line 191
  }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -bluetooth
#line 191
    -hal_bluetooth_server
#line 191
  } {
#line 191
    bluetooth_prop
#line 191
  }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
#line 191

#line 191
  neverallow {
#line 191
    domain
#line 191
    -coredomain
#line 191
    -hal_wifi_server
#line 191
    -wificond
#line 191
  } {
#line 191
    wifi_prop
#line 191
  }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock };
#line 348



#line 350
  # Neverallow coredomain to set vendor properties
#line 350
  neverallow {
#line 350
    coredomain
#line 350
    -init
#line 350
    -system_writes_vendor_properties_violators
#line 350
  } {
#line 350
    property_type
#line 350
    -apexd_prop
#line 350
    -audio_prop
#line 350
    -bluetooth_a2dp_offload_prop
#line 350
    -bluetooth_audio_hal_prop
#line 350
    -bluetooth_prop
#line 350
    -bootloader_boot_reason_prop
#line 350
    -boottime_prop
#line 350
    -boottime_public_prop
#line 350
    -bpf_progs_loaded_prop
#line 350
    -config_prop
#line 350
    -cppreopt_prop
#line 350
    -ctl_adbd_prop
#line 350
    -ctl_bootanim_prop
#line 350
    -ctl_bugreport_prop
#line 350
    -ctl_console_prop
#line 350
    -ctl_default_prop
#line 350
    -ctl_dumpstate_prop
#line 350
    -ctl_fuse_prop
#line 350
    -ctl_gsid_prop
#line 350
    -ctl_interface_restart_prop
#line 350
    -ctl_interface_start_prop
#line 350
    -ctl_interface_stop_prop
#line 350
    -ctl_mdnsd_prop
#line 350
    -ctl_restart_prop
#line 350
    -ctl_rildaemon_prop
#line 350
    -ctl_sigstop_prop
#line 350
    -ctl_start_prop
#line 350
    -ctl_stop_prop
#line 350
    -dalvik_prop
#line 350
    -debug_prop
#line 350
    -debuggerd_prop
#line 350
    -default_prop
#line 350
    -device_logging_prop
#line 350
    -dhcp_prop
#line 350
    -dumpstate_options_prop
#line 350
    -dumpstate_prop
#line 350
    -exported2_config_prop
#line 350
    -exported2_default_prop
#line 350
    -exported2_radio_prop
#line 350
    -exported2_system_prop
#line 350
    -exported2_vold_prop
#line 350
    -exported3_default_prop
#line 350
    -exported3_radio_prop
#line 350
    -exported3_system_prop
#line 350
    -exported_bluetooth_prop
#line 350
    -exported_config_prop
#line 350
    -exported_dalvik_prop
#line 350
    -exported_default_prop
#line 350
    -exported_dumpstate_prop
#line 350
    -exported_ffs_prop
#line 350
    -exported_fingerprint_prop
#line 350
    -exported_overlay_prop
#line 350
    -exported_pm_prop
#line 350
    -exported_radio_prop
#line 350
    -exported_secure_prop
#line 350
    -exported_system_prop
#line 350
    -exported_system_radio_prop
#line 350
    -exported_vold_prop
#line 350
    -exported_wifi_prop
#line 350
    -extended_core_property_type
#line 350
    -sota_prop
#line 350
    -ffs_prop
#line 350
    -fingerprint_prop
#line 350
    -firstboot_prop
#line 350
    -device_config_activity_manager_native_boot_prop
#line 350
    -device_config_reset_performed_prop
#line 350
    -device_config_boot_count_prop
#line 350
    -device_config_input_native_boot_prop
#line 350
    -device_config_netd_native_prop
#line 350
    -device_config_runtime_native_boot_prop
#line 350
    -device_config_runtime_native_prop
#line 350
    -device_config_media_native_prop
#line 350
    -dynamic_system_prop
#line 350
    -gsid_prop
#line 350
    -heapprofd_enabled_prop
#line 350
    -heapprofd_prop
#line 350
    -hwservicemanager_prop
#line 350
    -last_boot_reason_prop
#line 350
    -system_lmk_prop
#line 350
    -log_prop
#line 350
    -log_tag_prop
#line 350
    -logd_prop
#line 350
    -logpersistd_logging_prop
#line 350
    -lowpan_prop
#line 350
    -lpdumpd_prop
#line 350
    -mmc_prop
#line 350
    -net_dns_prop
#line 350
    -net_radio_prop
#line 350
    -netd_stable_secret_prop
#line 350
    -nfc_prop
#line 350
    -overlay_prop
#line 350
    -pan_result_prop
#line 350
    -persist_debug_prop
#line 350
    -persistent_properties_ready_prop
#line 350
    -pm_prop
#line 350
    -powerctl_prop
#line 350
    -radio_prop
#line 350
    -restorecon_prop
#line 350
    -safemode_prop
#line 350
    -serialno_prop
#line 350
    -shell_prop
#line 350
    -system_boot_reason_prop
#line 350
    -system_prop
#line 350
    -system_radio_prop
#line 350
    -system_trace_prop
#line 350
    -test_boot_reason_prop
#line 350
    -test_harness_prop
#line 350
    -theme_prop
#line 350
    -time_prop
#line 350
    -traced_enabled_prop
#line 350
    -traced_lazy_prop
#line 350
    -vendor_default_prop
#line 350
    -vendor_security_patch_level_prop
#line 350
    -vold_prop
#line 350
    -wifi_log_prop
#line 350
    -wifi_prop
#line 350
  }:property_service set;
#line 475

#line 1 "system/sepolicy/prebuilts/api/29.0/public/racoon.te"
# IKE key management daemon
type racoon, domain;
type racoon_exec, system_file_type, exec_type, file_type;

typeattribute racoon mlstrustedsubject;


#line 7
typeattribute racoon netdomain;
#line 7

allowxperm racoon self:udp_socket ioctl { 0x00008914 0x00008916 0x0000891c };


#line 10
# Call the servicemanager and transfer references to it.
#line 10
allow racoon servicemanager:binder { call transfer };
#line 10
# servicemanager performs getpidcon on clients.
#line 10
allow servicemanager racoon:dir search;
#line 10
allow servicemanager racoon:file { read open };
#line 10
allow servicemanager racoon:process getattr;
#line 10
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10


allow racoon tun_device:chr_file { getattr open read ioctl lock map };
allowxperm racoon tun_device:chr_file ioctl 0x400454ca;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;

allow racoon self:key_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow racoon self:tun_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow racoon self:{ capability cap_userns } { net_admin net_bind_service net_raw };

# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

allow racoon vpn_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow racoon vpn_data_file:dir { open search write add_name remove_name lock };


#line 27
  allow keystore racoon:dir search;
#line 27
  allow keystore racoon:file { read open };
#line 27
  allow keystore racoon:process getattr;
#line 27
  allow racoon keystore_service:service_manager find;
#line 27

#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow racoon keystore:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow keystore racoon:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow racoon keystore:fd use;
#line 27

#line 27

#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow keystore racoon:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow racoon keystore:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow keystore racoon:fd use;
#line 27

#line 27


# Racoon (VPN) has a restricted set of permissions from the default.
allow racoon keystore:keystore_key {
	get
	sign
	verify
};
#line 1 "system/sepolicy/prebuilts/api/29.0/public/radio.te"
# phone subsystem
type radio, domain, mlstrustedsubject;


#line 4
typeattribute radio netdomain;
#line 4


#line 5
typeattribute radio bluetoothdomain;
#line 5


#line 6
typeattribute radio binderservicedomain;
#line 6


# Talks to hal_telephony_server via the rild socket only for devices without full treble


# Data file accesses.
allow radio radio_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };


allow radio net_data_file:dir search;
allow radio net_data_file:file { getattr open read ioctl lock map };

# Property service

#line 20

#line 20
allow radio property_socket:sock_file write;
#line 20
allow radio init:unix_stream_socket connectto;
#line 20

#line 20
allow radio radio_prop:property_service set;
#line 20

#line 20
allow radio radio_prop:file { getattr open read map };
#line 20

#line 20


#line 21

#line 21
allow radio property_socket:sock_file write;
#line 21
allow radio init:unix_stream_socket connectto;
#line 21

#line 21
allow radio exported_radio_prop:property_service set;
#line 21

#line 21
allow radio exported_radio_prop:file { getattr open read map };
#line 21

#line 21


#line 22

#line 22
allow radio property_socket:sock_file write;
#line 22
allow radio init:unix_stream_socket connectto;
#line 22

#line 22
allow radio exported2_radio_prop:property_service set;
#line 22

#line 22
allow radio exported2_radio_prop:file { getattr open read map };
#line 22

#line 22


#line 23

#line 23
allow radio property_socket:sock_file write;
#line 23
allow radio init:unix_stream_socket connectto;
#line 23

#line 23
allow radio exported3_radio_prop:property_service set;
#line 23

#line 23
allow radio exported3_radio_prop:file { getattr open read map };
#line 23

#line 23


#line 24

#line 24
allow radio property_socket:sock_file write;
#line 24
allow radio init:unix_stream_socket connectto;
#line 24

#line 24
allow radio net_radio_prop:property_service set;
#line 24

#line 24
allow radio net_radio_prop:file { getattr open read map };
#line 24

#line 24


# ctl interface

#line 27

#line 27
allow radio property_socket:sock_file write;
#line 27
allow radio init:unix_stream_socket connectto;
#line 27

#line 27
allow radio ctl_rildaemon_prop:property_service set;
#line 27

#line 27
allow radio ctl_rildaemon_prop:file { getattr open read map };
#line 27

#line 27



#line 29
  allow radio radio_service:service_manager { add find };
#line 29
  neverallow { domain -radio } radio_service:service_manager add;
#line 29

allow radio audioserver_service:service_manager find;
allow radio cameraserver_service:service_manager find;
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio nfc_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;

# Perform HwBinder IPC.

#line 40
# Call the hwservicemanager and transfer references to it.
#line 40
allow radio hwservicemanager:binder { call transfer };
#line 40
# Allow hwservicemanager to send out callbacks
#line 40
allow hwservicemanager radio:binder { call transfer };
#line 40
# hwservicemanager performs getpidcon on clients.
#line 40
allow hwservicemanager radio:dir search;
#line 40
allow hwservicemanager radio:file { read open map };
#line 40
allow hwservicemanager radio:process getattr;
#line 40
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 40
# all domains in domain.te.
#line 40


#line 41
typeattribute radio halclientdomain;
#line 41
typeattribute radio hal_telephony_client;
#line 41

#line 41
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 41
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 41
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 41

#line 41


# Used by TelephonyManager
allow radio proc_cmdline:file { getattr open read ioctl lock map };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/recovery.te"
# recovery console (used in recovery init.rc for /sbin/recovery)

# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain;

# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
#line 141


###
### neverallow rules
###

# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
neverallow recovery {
   data_file_type
   -cache_file
   -cache_recovery_file

}:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow recovery {
   data_file_type
   -cache_file
   -cache_recovery_file

}:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/recovery_persist.te"
# android recovery persistent log manager
type recovery_persist, domain;
type recovery_persist_exec, system_file_type, exec_type, file_type;

allow recovery_persist pstorefs:dir search;
allow recovery_persist pstorefs:file { getattr open read ioctl lock map };

allow recovery_persist recovery_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow recovery_persist recovery_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };

allow recovery_persist cache_file:dir search;
allow recovery_persist cache_file:lnk_file read;
allow recovery_persist cache_recovery_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow recovery_persist cache_recovery_file:file { { getattr open read ioctl lock map } unlink };

###
### Neverallow rules
###
### recovery_persist should NEVER do any of this

# Block device access.
neverallow recovery_persist dev_type:blk_file { read write };

# ptrace any other app
neverallow recovery_persist domain:process ptrace;

# Write to /system.
neverallow recovery_persist system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data
neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/recovery_refresh.te"
# android recovery refresh log manager
type recovery_refresh, domain;
type recovery_refresh_exec, system_file_type, exec_type, file_type;

allow recovery_refresh pstorefs:dir search;
allow recovery_refresh pstorefs:file { getattr open read ioctl lock map };
# NB: domain inherits write_logd which hands us write to pmsg_device

###
### Neverallow rules
###
### recovery_refresh should NEVER do any of this

# Block device access.
neverallow recovery_refresh dev_type:blk_file { read write };

# ptrace any other app
neverallow recovery_refresh domain:process ptrace;

# Write to /system.
neverallow recovery_refresh system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/rs.te"
type rs, domain, coredomain;
type rs_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/rss_hwm_reset.te"
# rss_hwm_reset resets RSS high-water mark counters for all procesess.
type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/runas.te"
type runas, domain, mlstrustedsubject;
type runas_exec, system_file_type, exec_type, file_type;

allow runas adbd:fd use;
allow runas adbd:process sigchld;
allow runas adbd:unix_stream_socket { read write };
allow runas shell:fd use;
allow runas shell:fifo_file { read write };
allow runas shell:unix_stream_socket { read write };
allow runas devpts:chr_file { read write ioctl };
allow runas shell_data_file:file { read write };

# run-as reads package information.
allow runas system_data_file:file { getattr open read ioctl lock map };
allow runas system_data_file:lnk_file getattr;
allow runas packages_list_file:file { getattr open read ioctl lock map };

# The app's data dir may be accessed through a symlink.
allow runas system_data_file:lnk_file read;

# run-as checks and changes to the app data dir.
dontaudit runas self:{ capability cap_userns } { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };

# run-as switches to the app UID/GID.
allow runas self:{ capability cap_userns } { setuid setgid };

# run-as switches to the app security context.

#line 29

#line 29
allow runas selinuxfs:dir { open getattr read search ioctl lock };
#line 29
allow runas selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 29

#line 29
allow runas selinuxfs:file { open append write lock map };
#line 29
allow runas kernel:security check_context;
#line 29
 # validate context
allow runas self:process setcurrent;
allow runas { appdomain -system_app }:process dyntransition; # setcon

# runas/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
allow runas seapp_contexts_file:file { getattr open read ioctl lock map };

###
### neverallow rules
###

# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
neverallow runas self:{ capability cap_userns } ~{ setuid setgid };
neverallow runas self:{ capability2 cap2_userns } *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/runas_app.te"
type runas_app, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/scheduler_service_server.te"

#line 1
  allow scheduler_service_server fwk_scheduler_hwservice:hwservice_manager { add find };
#line 1
  allow scheduler_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
  neverallow { domain -scheduler_service_server } fwk_scheduler_hwservice:hwservice_manager add;
#line 1

#line 1 "system/sepolicy/prebuilts/api/29.0/public/sdcardd.te"
type sdcardd, domain;
type sdcardd_exec, system_file_type, exec_type, file_type;

allow sdcardd cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
allow sdcardd tmpfs:dir { open getattr read search ioctl lock };
allow sdcardd mnt_media_rw_file:dir { open getattr read search ioctl lock };
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
allow sdcardd self:{ capability cap_userns } { setuid setgid dac_override dac_read_search sys_admin sys_resource };

allow sdcardd sdcard_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow sdcardd sdcard_type:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

allow sdcardd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow sdcardd media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Read /data/system/packages.list.
allow sdcardd system_data_file:file { getattr open read ioctl lock map };
allow sdcardd packages_list_file:file { getattr open read ioctl lock map };

# Read /data/.layout_version
allow sdcardd install_data_file:file { getattr open read ioctl lock map };

# Allow stdin/out back to vold
allow sdcardd vold:fd use;
allow sdcardd vold:fifo_file { read write getattr };

# Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search;

# access /proc/filesystems
allow sdcardd proc_filesystems:file { getattr open read ioctl lock map };

###
### neverallow rules
###

# The sdcard daemon should no longer be started from init
neverallow init sdcardd_exec:file execute;
neverallow init sdcardd:process { transition dyntransition };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/secure_element.te"
# secure_element subsystem
type secure_element, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/sensor_service_server.te"

#line 1
  allow sensor_service_server fwk_sensor_hwservice:hwservice_manager { add find };
#line 1
  allow sensor_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
  neverallow { domain -sensor_service_server } fwk_sensor_hwservice:hwservice_manager add;
#line 1

#line 1 "system/sepolicy/prebuilts/api/29.0/public/service.te"
type apex_service,              service_manager_type;
type audioserver_service,       service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service,         service_manager_type;
type cameraserver_service,      service_manager_type;
type default_android_service,   service_manager_type;
type dnsresolver_service,       service_manager_type;
type drmserver_service,         service_manager_type;
type dumpstate_service,         service_manager_type;
type fingerprintd_service,      service_manager_type;
type hal_fingerprint_service,   service_manager_type;
type gatekeeper_service,        app_api_service, service_manager_type;
type gpu_service,               app_api_service, service_manager_type;
type idmap_service,             service_manager_type;
type iorapd_service,            service_manager_type;
type incident_service,          service_manager_type;
type installd_service,          service_manager_type;
type keystore_service,          service_manager_type;
type lpdump_service,            service_manager_type;
type mediaserver_service,       service_manager_type;
type mediametrics_service,      service_manager_type;
type mediaextractor_service,    service_manager_type;
type mediacodec_service,        service_manager_type;
type mediadrmserver_service,    service_manager_type;
type netd_service,              service_manager_type;
type nfc_service,               service_manager_type;
type perfprofd_service,         service_manager_type;
type radio_service,             service_manager_type;
type secure_element_service,    service_manager_type;
type storaged_service,          service_manager_type;
type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service,        service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service,     service_manager_type;
type virtual_touchpad_service,  service_manager_type;
type vold_service,              service_manager_type;
type vr_hwc_service,            service_manager_type;
type vrflinger_vsync_service,   service_manager_type;

# system_server_services broken down
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
type binder_calls_stats_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service,  system_server_service, service_manager_type;
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type network_watchlist_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
type network_stack_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
type rollback_service, app_api_service, system_server_service, service_manager_type;
type runtime_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type;
type slice_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
type wpantund_service, system_api_service, service_manager_type;

###
### Neverallow rules
###

# servicemanager handles registering or looking up named services.
# It does not make sense to register or lookup something which is not a service.
# Trigger a compile error if this occurs.
neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/servicemanager.te"
# servicemanager - the Binder context manager
type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, system_file_type, exec_type, file_type;

# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains.  It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager {
  domain
  -init
  -vendor_init
  -hwservicemanager
  -vndservicemanager
}:binder transfer;

allow servicemanager service_contexts_file:file { getattr open read ioctl lock map };
# nonplat_service_contexts only accessible on non full-treble devices


# Check SELinux permissions.

#line 25

#line 25
allow servicemanager selinuxfs:dir { open getattr read search ioctl lock };
#line 25
allow servicemanager selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 25

#line 25
allow servicemanager selinuxfs:file { open append write lock map };
#line 25
allow servicemanager kernel:security compute_av;
#line 25
allow servicemanager self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 25

#line 1 "system/sepolicy/prebuilts/api/29.0/public/sgdisk.te"
# sgdisk called from vold
type sgdisk, domain;
type sgdisk_exec, system_file_type, exec_type, file_type;

# Allowed to read/write low-level partition tables
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
# HDIO_GETGEO needed to get the number of disk heads
# on vold_device. How quaint.
allowxperm sgdisk vold_device:blk_file ioctl { 0x00000301 };
# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
# is granted to all block device users in domain.te, so
# no need to mention it here. sgdisk should not be
# using the BLKGETSIZE ioctl as it is useless for devices over
# 2T in size, but we allow it for now and hope that sgdisk
# will fix their bug.
allowxperm sgdisk vold_device:blk_file ioctl { 0x00001260 };
# Force a re-read of the partition table.
allowxperm sgdisk vold_device:blk_file ioctl { 0x0000125f };

# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };

# Allow stdin/out back to vold
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };

# Used to probe kernel to reload partition tables
allow sgdisk self:{ capability cap_userns } sys_admin;

# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;
neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/shared_relro.te"
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;

# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow shared_relro shared_relro_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Needs to contact the "webviewupdate" and "activity" services
allow shared_relro activity_service:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;
allow shared_relro package_service:service_manager find;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/shell.te"
# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, system_file_type, exec_type, file_type;

# Create and use network sockets.

#line 6
typeattribute shell netdomain;
#line 6


# logcat

#line 9
allow shell logcat_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
#line 9

#line 9
allow shell logdr_socket:sock_file write;
#line 9
allow shell logd:unix_stream_socket connectto;
#line 9

#line 9


#line 10
# Group AID_LOG checked by filesystem & logd
#line 10
# to permit control commands
#line 10

#line 10
allow shell logd_socket:sock_file write;
#line 10
allow shell logd:unix_stream_socket connectto;
#line 10

#line 10

# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file { getattr open read ioctl lock map };

# Root fs.
allow shell rootfs:dir { open getattr read search ioctl lock };

# read files in /data/anr
allow shell anr_data_file:dir { open getattr read search ioctl lock };
allow shell anr_data_file:file { getattr open read ioctl lock map };

# Access /data/local/tmp.
allow shell shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow shell shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow shell shell_data_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow shell shell_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Read and delete from /data/local/traces.
allow shell trace_data_file:file { { getattr open read ioctl lock map } unlink };
allow shell trace_data_file:dir { { open getattr read search ioctl lock } remove_name write };

# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { write remove_name { open getattr read search ioctl lock } };
allow shell profman_dump_data_file:file { unlink { getattr open read ioctl lock map } };

# Read/execute files in /data/nativetest
#line 40


# adb bugreport

#line 43
allow shell dumpstate_socket:sock_file write;
#line 43
allow shell dumpstate:unix_stream_socket connectto;
#line 43


allow shell devpts:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow shell tty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow shell console_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

allow shell input_device:dir { open getattr read search ioctl lock };
allow shell input_device:chr_file { getattr open read ioctl lock map };


#line 52
allow shell system_file:dir { open getattr read search ioctl lock };
#line 52
allow shell system_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 52

allow shell system_file:file { getattr execute execute_no_trans map };
allow shell toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow shell tzdatacheck_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow shell shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow shell zygote_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };


#line 59
allow shell apk_data_file:dir { open getattr read search ioctl lock };
#line 59
allow shell apk_data_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 59


# Set properties.

#line 62

#line 62
allow shell property_socket:sock_file write;
#line 62
allow shell init:unix_stream_socket connectto;
#line 62

#line 62
allow shell shell_prop:property_service set;
#line 62

#line 62
allow shell shell_prop:file { getattr open read map };
#line 62

#line 62


#line 63

#line 63
allow shell property_socket:sock_file write;
#line 63
allow shell init:unix_stream_socket connectto;
#line 63

#line 63
allow shell ctl_bugreport_prop:property_service set;
#line 63

#line 63
allow shell ctl_bugreport_prop:file { getattr open read map };
#line 63

#line 63


#line 64

#line 64
allow shell property_socket:sock_file write;
#line 64
allow shell init:unix_stream_socket connectto;
#line 64

#line 64
allow shell ctl_dumpstate_prop:property_service set;
#line 64

#line 64
allow shell ctl_dumpstate_prop:file { getattr open read map };
#line 64

#line 64


#line 65

#line 65
allow shell property_socket:sock_file write;
#line 65
allow shell init:unix_stream_socket connectto;
#line 65

#line 65
allow shell dumpstate_prop:property_service set;
#line 65

#line 65
allow shell dumpstate_prop:file { getattr open read map };
#line 65

#line 65


#line 66

#line 66
allow shell property_socket:sock_file write;
#line 66
allow shell init:unix_stream_socket connectto;
#line 66

#line 66
allow shell exported_dumpstate_prop:property_service set;
#line 66

#line 66
allow shell exported_dumpstate_prop:file { getattr open read map };
#line 66

#line 66


#line 67

#line 67
allow shell property_socket:sock_file write;
#line 67
allow shell init:unix_stream_socket connectto;
#line 67

#line 67
allow shell debug_prop:property_service set;
#line 67

#line 67
allow shell debug_prop:file { getattr open read map };
#line 67

#line 67


#line 68

#line 68
allow shell property_socket:sock_file write;
#line 68
allow shell init:unix_stream_socket connectto;
#line 68

#line 68
allow shell powerctl_prop:property_service set;
#line 68

#line 68
allow shell powerctl_prop:file { getattr open read map };
#line 68

#line 68


#line 69

#line 69
allow shell property_socket:sock_file write;
#line 69
allow shell init:unix_stream_socket connectto;
#line 69

#line 69
allow shell log_tag_prop:property_service set;
#line 69

#line 69
allow shell log_tag_prop:file { getattr open read map };
#line 69

#line 69


#line 70

#line 70
allow shell property_socket:sock_file write;
#line 70
allow shell init:unix_stream_socket connectto;
#line 70

#line 70
allow shell wifi_log_prop:property_service set;
#line 70

#line 70
allow shell wifi_log_prop:file { getattr open read map };
#line 70

#line 70

# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).

#line 73

#line 73
allow shell property_socket:sock_file write;
#line 73
allow shell init:unix_stream_socket connectto;
#line 73

#line 73
allow shell traced_enabled_prop:property_service set;
#line 73

#line 73
allow shell traced_enabled_prop:file { getattr open read map };
#line 73

#line 73

# adjust is_loggable properties

# logpersist script

# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.

#line 80

#line 80
allow shell property_socket:sock_file write;
#line 80
allow shell init:unix_stream_socket connectto;
#line 80

#line 80
allow shell heapprofd_enabled_prop:property_service set;
#line 80

#line 80
allow shell heapprofd_enabled_prop:file { getattr open read map };
#line 80

#line 80

# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.

#line 82

#line 82
allow shell property_socket:sock_file write;
#line 82
allow shell init:unix_stream_socket connectto;
#line 82

#line 82
allow shell ctl_gsid_prop:property_service set;
#line 82

#line 82
allow shell ctl_gsid_prop:file { getattr open read map };
#line 82

#line 82

# Allow shell to enable Dynamic System Update

#line 84

#line 84
allow shell property_socket:sock_file write;
#line 84
allow shell init:unix_stream_socket connectto;
#line 84

#line 84
allow shell dynamic_system_prop:property_service set;
#line 84

#line 84
allow shell dynamic_system_prop:file { getattr open read map };
#line 84

#line 84


#line 91


# Read device's serial number from system properties

#line 94
allow shell serialno_prop:file { getattr open read map };
#line 94


# Allow shell to read the vendor security patch level for CTS

#line 97
allow shell vendor_security_patch_level_prop:file { getattr open read map };
#line 97


# Read state of logging-related properties

#line 100
allow shell device_logging_prop:file { getattr open read map };
#line 100


# Read state of boot reason properties

#line 103
allow shell bootloader_boot_reason_prop:file { getattr open read map };
#line 103


#line 104
allow shell last_boot_reason_prop:file { getattr open read map };
#line 104


#line 105
allow shell system_boot_reason_prop:file { getattr open read map };
#line 105


# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
allow shell {
  service_manager_type
  -apex_service
  -dnsresolver_service
  -gatekeeper_service
  -incident_service
  -installd_service
  -iorapd_service
  -netd_service
  -system_suspend_control_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
}:service_manager find;
allow shell dumpstate:binder call;

# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal

#line 130
# Call the hwservicemanager and transfer references to it.
#line 130
allow shell hwservicemanager:binder { call transfer };
#line 130
# Allow hwservicemanager to send out callbacks
#line 130
allow hwservicemanager shell:binder { call transfer };
#line 130
# hwservicemanager performs getpidcon on clients.
#line 130
allow hwservicemanager shell:dir search;
#line 130
allow hwservicemanager shell:file { read open map };
#line 130
allow hwservicemanager shell:process getattr;
#line 130
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 130
# all domains in domain.te.
#line 130

allow shell hwservicemanager:hwservice_manager list;

# allow shell to look through /proc/ for lsmod, ps, top, netstat.

#line 134
allow shell proc_net_type:dir { open getattr read search ioctl lock };
#line 134
allow shell proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 134


allow shell {
  proc_asound
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_zoneinfo
}:file { getattr open read ioctl lock map };

# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir { open getattr read search ioctl lock };


#line 155
allow shell cgroup:dir { open getattr read search ioctl lock };
#line 155
allow shell cgroup:{ file lnk_file } { getattr open read ioctl lock map };
#line 155

allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir { open getattr read search ioctl lock };
allow shell selinuxfs:file { getattr open read ioctl lock map };

# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow shell bootchart_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Make sure strace works for the non-privileged shell user
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs:dir { open getattr read search ioctl lock };
allow shell sysfs_batteryinfo:dir { open getattr read search ioctl lock };
allow shell sysfs_batteryinfo:file { getattr open read ioctl lock map };

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir { open getattr read search ioctl lock };
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insucre blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file { getattr open read ioctl lock map };
allow shell property_contexts_file:file { getattr open read ioctl lock map };
allow shell seapp_contexts_file:file { getattr open read ioctl lock map };
allow shell service_contexts_file:file { getattr open read ioctl lock map };
allow shell sepolicy_file:file { getattr open read ioctl lock map };

# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
#line 220


###
### Neverallow rules
###

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 235
{
#line 235
# qualcomm rmnet ioctls
#line 235
0x00006900 0x00006902
#line 235
# socket ioctls
#line 235
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 235
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 235
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 235
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 235
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 235
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 235
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 235
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 235
0x00008991 0x00008992 0x00008993 0x00008994
#line 235
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 235
# device and protocol specific ioctls
#line 235
0x000089f0-0x000089ff
#line 235
0x000089e0-0x000089ef
#line 235
# Wireless extension ioctls
#line 235
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 235
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 235
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 235
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 235
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 235
0x00008b34 0x00008b35 0x00008b36
#line 235
# Dev private ioctl i.e. hardware specific ioctls
#line 235
0x00008be0-0x00008bff
#line 235
};

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
  fuse_device
  hw_random_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;

# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/simpleperf_app_runner.te"
type simpleperf_app_runner, domain, mlstrustedsubject;
type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;

# run simpleperf_app_runner in adb shell.
allow simpleperf_app_runner adbd:fd use;
allow simpleperf_app_runner shell:fd use;
allow simpleperf_app_runner devpts:chr_file { read write ioctl };

# simpleperf_app_runner reads package information.
allow simpleperf_app_runner system_data_file:file { getattr open read ioctl lock map };
allow simpleperf_app_runner system_data_file:lnk_file getattr;
allow simpleperf_app_runner packages_list_file:file { getattr open read ioctl lock map };

# The app's data dir may be accessed through a symlink.
allow simpleperf_app_runner system_data_file:lnk_file read;

# simpleperf_app_runner switches to the app UID/GID.
allow simpleperf_app_runner self:{ capability cap_userns } { setuid setgid };

# simpleperf_app_runner switches to the app security context.

#line 21

#line 21
allow simpleperf_app_runner selinuxfs:dir { open getattr read search ioctl lock };
#line 21
allow simpleperf_app_runner selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 21

#line 21
allow simpleperf_app_runner selinuxfs:file { open append write lock map };
#line 21
allow simpleperf_app_runner kernel:security check_context;
#line 21
 # validate context
allow simpleperf_app_runner self:process setcurrent;
allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon

# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
allow simpleperf_app_runner seapp_contexts_file:file { getattr open read ioctl lock map };

# simpleperf_app_runner passes pipe fds.
allow simpleperf_app_runner shell:fifo_file read;

# simpleperf_app_runner checks shell data paths.
# simpleperf_app_runner passes shell data fds.
allow simpleperf_app_runner shell_data_file:dir { getattr search };
allow simpleperf_app_runner shell_data_file:file { getattr write };

###
### neverallow rules
###

# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
neverallow simpleperf_app_runner self:{ capability cap_userns } ~{ setuid setgid };
neverallow simpleperf_app_runner self:{ capability2 cap2_userns } *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/slideshow.te"
# slideshow seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type slideshow, domain;

allow slideshow kmsg_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

#line 6
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 6
# deprecated.
#line 6
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 6
allow slideshow sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 6
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 6
allow slideshow self:{ capability2 cap2_userns } block_suspend;
#line 6
# system_suspend permissions
#line 6

#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow slideshow system_suspend_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow system_suspend_server slideshow:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow slideshow system_suspend_server:fd use;
#line 6

#line 6
allow slideshow system_suspend_hwservice:hwservice_manager find;
#line 6
# halclientdomain permissions
#line 6

#line 6
# Call the hwservicemanager and transfer references to it.
#line 6
allow slideshow hwservicemanager:binder { call transfer };
#line 6
# Allow hwservicemanager to send out callbacks
#line 6
allow hwservicemanager slideshow:binder { call transfer };
#line 6
# hwservicemanager performs getpidcon on clients.
#line 6
allow hwservicemanager slideshow:dir search;
#line 6
allow hwservicemanager slideshow:file { read open map };
#line 6
allow hwservicemanager slideshow:process getattr;
#line 6
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6

#line 6

#line 6
allow slideshow hwservicemanager_prop:file { getattr open read map };
#line 6

#line 6
allow slideshow hidl_manager_hwservice:hwservice_manager find;
#line 6

allow slideshow device:dir { open getattr read search ioctl lock };
allow slideshow self:{ capability cap_userns } sys_tty_config;
allow slideshow graphics_device:dir { open getattr read search ioctl lock };
allow slideshow graphics_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow slideshow input_device:dir { open getattr read search ioctl lock };
allow slideshow input_device:chr_file { getattr open read ioctl lock map };
allow slideshow tty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

#line 1 "system/sepolicy/prebuilts/api/29.0/public/stats_service_server.te"

#line 1
  allow stats_service_server fwk_stats_hwservice:hwservice_manager { add find };
#line 1
  allow stats_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
  neverallow { domain -stats_service_server } fwk_stats_hwservice:hwservice_manager add;
#line 1

#line 1 "system/sepolicy/prebuilts/api/29.0/public/statsd.te"
type statsd, domain, mlstrustedsubject;

type statsd_exec, system_file_type, exec_type, file_type;

#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow statsd servicemanager:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager statsd:dir search;
#line 4
allow servicemanager statsd:file { read open };
#line 4
allow servicemanager statsd:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4


# Allow statsd to scan through /proc/pid for all processes.

#line 7
allow statsd domain:dir { open getattr read search ioctl lock };
#line 7
allow statsd domain:{ file lnk_file } { getattr open read ioctl lock map };
#line 7


# Allow executing files on system, such as running a shell or running:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

#line 20


# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
allow statsd stats_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow statsd stats_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Allow statsd to make binder calls to any binder service.

#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow statsd appdomain:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow appdomain statsd:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow statsd appdomain:fd use;
#line 27


#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow statsd healthd:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow healthd statsd:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow statsd healthd:fd use;
#line 28


#line 29
# Call the server domain and optionally transfer references to it.
#line 29
allow statsd incidentd:binder { call transfer };
#line 29
# Allow the serverdomain to transfer references to the client on the reply.
#line 29
allow incidentd statsd:binder transfer;
#line 29
# Receive and use open files from the server.
#line 29
allow statsd incidentd:fd use;
#line 29

#line 32


#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow statsd system_server:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow system_server statsd:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow statsd system_server:fd use;
#line 33


# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;

#line 37
# Call the server domain and optionally transfer references to it.
#line 37
allow statsd gpuservice:binder { call transfer };
#line 37
# Allow the serverdomain to transfer references to the client on the reply.
#line 37
allow gpuservice statsd:binder transfer;
#line 37
# Receive and use open files from the server.
#line 37
allow statsd gpuservice:fd use;
#line 37


# Allow logd access.

#line 40
allow statsd logcat_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
#line 40

#line 40
allow statsd logdr_socket:sock_file write;
#line 40
allow statsd logd:unix_stream_socket connectto;
#line 40

#line 40


#line 41
# Group AID_LOG checked by filesystem & logd
#line 41
# to permit control commands
#line 41

#line 41
allow statsd logd_socket:sock_file write;
#line 41
allow statsd logd:unix_stream_socket connectto;
#line 41

#line 41


# Grant statsd with permissions to register the services.
allow statsd {
  app_api_service
  incident_service

#line 50
  system_api_service
}:service_manager find;

# Grant statsd to access health hal to access battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;

# Allow statsd to send dump info to dumpstate
allow statsd dumpstate:fd use;
allow statsd dumpstate:fifo_file { getattr write };

# Allow access to with hardware layer and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };

#line 62
typeattribute statsd halclientdomain;
#line 62
typeattribute statsd hal_health_client;
#line 62

#line 62
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 62
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 62
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 62

#line 62


#line 63
typeattribute statsd halclientdomain;
#line 63
typeattribute statsd hal_power_client;
#line 63

#line 63
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 63
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 63
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 63

#line 63


#line 64
typeattribute statsd halclientdomain;
#line 64
typeattribute statsd hal_power_stats_client;
#line 64

#line 64
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 64
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 64
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 64

#line 64


#line 65
typeattribute statsd halclientdomain;
#line 65
typeattribute statsd hal_thermal_client;
#line 65

#line 65
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 65
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 65
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 65

#line 65


# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };


#line 72
allow statsd statsdw_socket:sock_file write;
#line 72
allow statsd statsd:unix_dgram_socket sendto;
#line 72


###
### neverallow rules
###

# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;

# Limited access to the directory itself.
neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/su.te"
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;

# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;

#line 104

#line 1 "system/sepolicy/prebuilts/api/29.0/public/surfaceflinger.te"
# surfaceflinger - display compositor service
type surfaceflinger, domain;
type surfaceflinger_tmpfs, file_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/system_app.te"
###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings.  These are not as privileged as the system
### server.
###

type system_app, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/system_server.te"
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain;
type system_server_tmpfs, file_type, mlstrustedobject;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/system_suspend_server.te"
# Required to export a HIDL interface.

#line 2
# Call the hwservicemanager and transfer references to it.
#line 2
allow system_suspend_server hwservicemanager:binder { call transfer };
#line 2
# Allow hwservicemanager to send out callbacks
#line 2
allow hwservicemanager system_suspend_server:binder { call transfer };
#line 2
# hwservicemanager performs getpidcon on clients.
#line 2
allow hwservicemanager system_suspend_server:dir search;
#line 2
allow hwservicemanager system_suspend_server:file { read open map };
#line 2
allow hwservicemanager system_suspend_server:process getattr;
#line 2
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 2
# all domains in domain.te.
#line 2


#line 3
allow system_suspend_server hwservicemanager_prop:file { getattr open read map };
#line 3


# To serve ISystemSuspend.hal.

#line 6
  allow system_suspend_server system_suspend_hwservice:hwservice_manager { add find };
#line 6
  allow system_suspend_server hidl_base_hwservice:hwservice_manager add;
#line 6
  neverallow { domain -system_suspend_server } system_suspend_hwservice:hwservice_manager add;
#line 6

#line 1 "system/sepolicy/prebuilts/api/29.0/public/tee.te"
##
# trusted execution environment (tee) daemon
#
type tee, domain;

# Device(s) for communicating with the TEE
type tee_device, dev_type;

allow tee fingerprint_vendor_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow tee fingerprint_vendor_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

#line 1 "system/sepolicy/prebuilts/api/29.0/public/tombstoned.te"
# debugger interface
type tombstoned, domain, mlstrustedsubject;
type tombstoned_exec, system_file_type, exec_type, file_type;

# Write to arbitrary pipes given to us.
allow tombstoned domain:fd use;
allow tombstoned domain:fifo_file write;

allow tombstoned domain:dir { open getattr read search ioctl lock };
allow tombstoned domain:file { getattr open read ioctl lock map };
allow tombstoned tombstone_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow tombstoned tombstone_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } } link };

# Changes for the new stack dumping mechanism. Each trace goes into a
# separate file, and these files are managed by tombstoned.
allow tombstoned anr_data_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow tombstoned anr_data_file:file { append create getattr open link unlink };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/toolbox.te"
# Any toolbox command run by init.
# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, system_file_type, exec_type, file_type;

# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow toolbox tmpfs:chr_file { read write ioctl };

# Inherit and use pty created by android_fork_execvp_ext().
allow toolbox devpts:chr_file { read write getattr ioctl };

# mkswap-specific.
# Read/write block devices used for swap partitions.
# Assign swap_block_device type any such partition in your
# device/<vendor>/<product>/sepolicy/file_contexts file.
allow toolbox block_device:dir search;
allow toolbox swap_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# Only allow entry from init via the toolbox binary.
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/traced.te"
type traced, domain, coredomain, mlstrustedsubject;

#line 1 "system/sepolicy/prebuilts/api/29.0/public/traced_probes.te"
type traced_probes, domain, coredomain, mlstrustedsubject;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/traceur_app.te"
type traceur_app, domain;

allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;

# Allow Traceur to enable traced if necessary.

#line 7

#line 7
allow traceur_app property_socket:sock_file write;
#line 7
allow traceur_app init:unix_stream_socket connectto;
#line 7

#line 7
allow traceur_app traced_enabled_prop:property_service set;
#line 7

#line 7
allow traceur_app traced_enabled_prop:file { getattr open read map };
#line 7

#line 7



#line 9

#line 9
allow traceur_app property_socket:sock_file write;
#line 9
allow traceur_app init:unix_stream_socket connectto;
#line 9

#line 9
allow traceur_app debug_prop:property_service set;
#line 9

#line 9
allow traceur_app debug_prop:file { getattr open read map };
#line 9

#line 9


allow traceur_app {
  service_manager_type
  -apex_service
  -dnsresolver_service
  -gatekeeper_service
  -incident_service
  -installd_service
  -iorapd_service
  -lpdump_service
  -netd_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
}:service_manager find;

# Allow traceur_app to use atrace HAL

#line 27
typeattribute traceur_app halclientdomain;
#line 27
typeattribute traceur_app hal_atrace_client;
#line 27

#line 27
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 27
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 27
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 27

#line 27


dontaudit traceur_app service_manager_type:service_manager find;
dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
dontaudit traceur_app domain:binder call;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/tzdatacheck.te"
# The tzdatacheck command run by init.
type tzdatacheck, domain;
type tzdatacheck_exec, system_file_type, exec_type, file_type;

allow tzdatacheck zoneinfo_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow tzdatacheck zoneinfo_data_file:file unlink;

# Below are strong assertion that only init, system_server and tzdatacheck
# can modify the /data time zone rules directories. This is to make it very
# clear that only these domains should modify the actual time zone rules data.
# The tzdatacheck binary itself may be executed by shell for tests but it must
# not be able to modify the real rules.
# If other users / binaries could modify time zone rules on device this might
# have negative implications for users (who may get incorrect local times)
# or break assumptions made / invalidate data held by the components actually
# responsible for updating time zone rules.
neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/ueventd.te"
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;

# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

allow ueventd self:{ capability cap_userns } { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
allow ueventd device:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };


#line 12
allow ueventd rootfs:dir { open getattr read search ioctl lock };
#line 12
allow ueventd rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 12


# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file { open append write lock map };

#line 16
allow ueventd sysfs_type:dir { open getattr read search ioctl lock };
#line 16
allow ueventd sysfs_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 16

allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
allow ueventd tmpfs:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow ueventd dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow ueventd efs_file:dir search;
allow ueventd efs_file:file { getattr open read ioctl lock map };

# Get SELinux enforcing status.

#line 29
allow ueventd selinuxfs:dir { open getattr read search ioctl lock };
#line 29
allow ueventd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 29


# Access for /vendor/ueventd.rc and /vendor/firmware

#line 32
allow ueventd { vendor_file_type -vendor_app_file -vendor_overlay_file }:dir { open getattr read search ioctl lock };
#line 32
allow ueventd { vendor_file_type -vendor_app_file -vendor_overlay_file }:{ file lnk_file } { getattr open read ioctl lock map };
#line 32


# Get file contexts for new device nodes
allow ueventd file_contexts_file:file { getattr open read ioctl lock map };

# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;

# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file { getattr open read ioctl lock map };

# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
#line 47


# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;

# ueventd loads modules in response to modalias events.
allow ueventd self:{ capability cap_userns } sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;

# ueventd is using bootstrap bionic
allow ueventd system_bootstrap_lib_file:dir { open getattr read search ioctl lock };
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };

#####
##### neverallow rules
#####

# ueventd must never set properties, otherwise deadlocks may occur.
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
# No writing to the property socket, connecting to init, or setting properties.
neverallow ueventd property_socket:sock_file write;
neverallow ueventd init:unix_stream_socket connectto;
neverallow ueventd property_type:property_service set;

# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };

# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/uncrypt.te"
# uncrypt
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, system_file_type, exec_type, file_type;

allow uncrypt self:{ capability cap_userns } { dac_override dac_read_search };

#line 10


# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow uncrypt cache_recovery_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Read OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir { open getattr read search ioctl lock };
allow uncrypt ota_package_file:file { getattr open read ioctl lock map };

# Write to /dev/socket/uncrypt

#line 23
allow uncrypt uncrypt_socket:sock_file write;
#line 23
allow uncrypt uncrypt:unix_stream_socket connectto;
#line 23


# Set a property to reboot the device.

#line 26

#line 26
allow uncrypt property_socket:sock_file write;
#line 26
allow uncrypt init:unix_stream_socket connectto;
#line 26

#line 26
allow uncrypt powerctl_prop:property_service set;
#line 26

#line 26
allow uncrypt powerctl_prop:file { getattr open read map };
#line 26

#line 26


# Raw writes to block device
allow uncrypt self:{ capability cap_userns } sys_rawio;
allow uncrypt misc_block_device:blk_file { open append write lock map };
allow uncrypt block_device:dir { open getattr read search ioctl lock };

# Access userdata block device.
allow uncrypt userdata_block_device:blk_file { open append write lock map };


#line 36
allow uncrypt rootfs:dir { open getattr read search ioctl lock };
#line 36
allow uncrypt rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 36


# uncrypt reads /proc/cmdline
allow uncrypt proc_cmdline:file { getattr open read ioctl lock map };

# Read files in /sys

#line 42
allow uncrypt sysfs_dt_firmware_android:dir { open getattr read search ioctl lock };
#line 42
allow uncrypt sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map };
#line 42

#line 1 "system/sepolicy/prebuilts/api/29.0/public/untrusted_app.te"
###
### Untrusted apps.
###
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory).  The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml.  In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.  To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###

type untrusted_app, domain;
type untrusted_app_27, domain;
type untrusted_app_25, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/update_engine.te"
# Domain for update_engine daemon.
type update_engine, domain, update_engine_common;
type update_engine_exec, system_file_type, exec_type, file_type;


#line 5
typeattribute update_engine netdomain;
#line 5
;

# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:{ capability cap_userns } { fowner sys_admin };
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
dontaudit update_engine self:{ capability cap_userns } fsetid;

allow update_engine kmsg_device:chr_file { getattr { open append write lock map } };
allow update_engine update_engine_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

#line 18
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 18
# deprecated.
#line 18
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 18
allow update_engine sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 18
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 18
allow update_engine self:{ capability2 cap2_userns } block_suspend;
#line 18
# system_suspend permissions
#line 18

#line 18
# Call the server domain and optionally transfer references to it.
#line 18
allow update_engine system_suspend_server:binder { call transfer };
#line 18
# Allow the serverdomain to transfer references to the client on the reply.
#line 18
allow system_suspend_server update_engine:binder transfer;
#line 18
# Receive and use open files from the server.
#line 18
allow update_engine system_suspend_server:fd use;
#line 18

#line 18
allow update_engine system_suspend_hwservice:hwservice_manager find;
#line 18
# halclientdomain permissions
#line 18

#line 18
# Call the hwservicemanager and transfer references to it.
#line 18
allow update_engine hwservicemanager:binder { call transfer };
#line 18
# Allow hwservicemanager to send out callbacks
#line 18
allow hwservicemanager update_engine:binder { call transfer };
#line 18
# hwservicemanager performs getpidcon on clients.
#line 18
allow hwservicemanager update_engine:dir search;
#line 18
allow hwservicemanager update_engine:file { read open map };
#line 18
allow hwservicemanager update_engine:process getattr;
#line 18
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18

#line 18

#line 18
allow update_engine hwservicemanager_prop:file { getattr open read map };
#line 18

#line 18
allow update_engine hidl_manager_hwservice:hwservice_manager find;
#line 18
;

# Ignore these denials.
dontaudit update_engine kernel:process setsched;
dontaudit update_engine self:{ capability cap_userns } sys_rawio;

# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow update_engine update_engine_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Allow using persistent storage in /data/misc/update_engine_log.
allow update_engine update_engine_log_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow update_engine update_engine_log_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;

# Register the service to perform Binder IPC.

#line 36
# Call the servicemanager and transfer references to it.
#line 36
allow update_engine servicemanager:binder { call transfer };
#line 36
# servicemanager performs getpidcon on clients.
#line 36
allow servicemanager update_engine:dir search;
#line 36
allow servicemanager update_engine:file { read open };
#line 36
allow servicemanager update_engine:process getattr;
#line 36
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 36
# all domains in domain.te.
#line 36


#line 37
  allow update_engine update_engine_service:service_manager { add find };
#line 37
  neverallow { domain -update_engine } update_engine_service:service_manager add;
#line 37


# Allow update_engine to call the callback function provided by priv_app.

#line 40
# Call the server domain and optionally transfer references to it.
#line 40
allow update_engine priv_app:binder { call transfer };
#line 40
# Allow the serverdomain to transfer references to the client on the reply.
#line 40
allow priv_app update_engine:binder transfer;
#line 40
# Receive and use open files from the server.
#line 40
allow update_engine priv_app:fd use;
#line 40


# Allow update_engine to call the callback function provided by system_server.

#line 43
# Call the server domain and optionally transfer references to it.
#line 43
allow update_engine system_server:binder { call transfer };
#line 43
# Allow the serverdomain to transfer references to the client on the reply.
#line 43
allow system_server update_engine:binder transfer;
#line 43
# Receive and use open files from the server.
#line 43
allow update_engine system_server:fd use;
#line 43


# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file { getattr open read ioctl lock map };
allow update_engine ota_package_file:dir { open getattr read search ioctl lock };

# Use Boot Control HAL

#line 50
typeattribute update_engine halclientdomain;
#line 50
typeattribute update_engine hal_bootctl_client;
#line 50

#line 50
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 50
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 50
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 50

#line 50


# access /proc/misc
allow update_engine proc_misc:file { getattr open read ioctl lock map };

# read directories on /system and /vendor
allow update_engine system_file:dir { open getattr read search ioctl lock };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/update_engine_common.te"
# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.

# Allow update_engine to reach block devices in /dev/block.
allow update_engine_common block_device:dir search;

# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allow update_engine_common system_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# Where ioctls are granted via standard allow rules to block devices,
# automatically allow common ioctls that are generally needed by
# update_engine.
allowxperm update_engine_common dev_type:blk_file ioctl {
  0x00001277
  0x0000127c
  0x0000125e
  0x0000125d
  0x0000127d
  0x0000127f
};

# Allow to set recovery options in the BCB. Used to trigger factory reset when
# the update to an older version (channel change) or incompatible version
# requires it.
allow update_engine_common misc_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# read fstab
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file { getattr open read ioctl lock map };

# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine_common labeledfs:filesystem relabelfrom;

# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow update_engine_common postinstall_file:lnk_file { getattr open read ioctl lock map };
allow update_engine_common postinstall_file:dir { open getattr read search ioctl lock };

# install update.zip from cache

#line 44
allow update_engine_common cache_file:dir { open getattr read search ioctl lock };
#line 44
allow update_engine_common cache_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 44


# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.
allow update_engine_common shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };

# access /proc/cmdline
allow update_engine_common proc_cmdline:file { getattr open read ioctl lock map };

# Read files in /sys/firmware/devicetree/base/firmware/android/

#line 57
allow update_engine_common sysfs_dt_firmware_android:dir { open getattr read search ioctl lock };
#line 57
allow update_engine_common sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map };
#line 57


# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# ioctl on super device to get block device alignment and alignment offset
allowxperm update_engine_common super_block_device_type:blk_file ioctl { 0x00001278 0x0000127a };

# get physical block device to map logical partitions on device mapper
allow update_engine_common block_device:dir { open getattr read search ioctl lock };

# Allow update_engine_common to write to statsd socket.

#line 75
allow update_engine_common statsdw_socket:sock_file write;
#line 75
allow update_engine_common statsd:unix_dgram_socket sendto;
#line 75

#line 1 "system/sepolicy/prebuilts/api/29.0/public/update_verifier.te"
# update_verifier
type update_verifier, domain;
type update_verifier_exec, system_file_type, exec_type, file_type;

# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;

# Read care map in /data/ota_package/.
allow update_verifier ota_package_file:dir { open getattr read search ioctl lock };
allow update_verifier ota_package_file:file { getattr open read ioctl lock map };

# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
allow update_verifier sysfs:dir { open getattr read search ioctl lock };

# Read /sys/block/dm-X/dm/name (which is a symlink to
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
# dm-X and system/vendor partitions.
allow update_verifier sysfs_dm:dir { open getattr read search ioctl lock };
allow update_verifier sysfs_dm:file { getattr open read ioctl lock map };

# Read all blocks in DM wrapped system partition.
allow update_verifier dm_device:blk_file { getattr open read ioctl lock map };

# Write to kernel message.
allow update_verifier kmsg_device:chr_file { getattr { open append write lock map } };

# Allow update_verifier to reboot the device.

#line 28

#line 28
allow update_verifier property_socket:sock_file write;
#line 28
allow update_verifier init:unix_stream_socket connectto;
#line 28

#line 28
allow update_verifier powerctl_prop:property_service set;
#line 28

#line 28
allow update_verifier powerctl_prop:file { getattr open read map };
#line 28

#line 28


# Use Boot Control HAL

#line 31
typeattribute update_verifier halclientdomain;
#line 31
typeattribute update_verifier hal_bootctl_client;
#line 31

#line 31
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 31
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 31
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 31

#line 31


# Access Checkpoint commands over binder
allow update_verifier vold_service:service_manager find;

#line 35
# Call the server domain and optionally transfer references to it.
#line 35
allow update_verifier servicemanager:binder { call transfer };
#line 35
# Allow the serverdomain to transfer references to the client on the reply.
#line 35
allow servicemanager update_verifier:binder transfer;
#line 35
# Receive and use open files from the server.
#line 35
allow update_verifier servicemanager:fd use;
#line 35


#line 36
# Call the server domain and optionally transfer references to it.
#line 36
allow update_verifier vold:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow vold update_verifier:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow update_verifier vold:fd use;
#line 36

#line 1 "system/sepolicy/prebuilts/api/29.0/public/usbd.te"
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;

# Start/stop adbd via ctl.start adbd

#line 5

#line 5
allow usbd property_socket:sock_file write;
#line 5
allow usbd init:unix_stream_socket connectto;
#line 5

#line 5
allow usbd ctl_adbd_prop:property_service set;
#line 5

#line 5
allow usbd ctl_adbd_prop:file { getattr open read map };
#line 5

#line 5

#line 1 "system/sepolicy/prebuilts/api/29.0/public/vdc.te"
# vdc spawned from init for the following services:
#  defaultcrypto
#  encrypt
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.

type vdc, domain;
type vdc_exec, system_file_type, exec_type, file_type;

# vdc can be invoked with logwrapper, so let it write to pty
allow vdc devpts:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# vdc writes directly to kmsg during the boot process
allow vdc kmsg_device:chr_file { getattr { open append write lock map } };

# vdc talks to vold over Binder

#line 18
# Call the servicemanager and transfer references to it.
#line 18
allow vdc servicemanager:binder { call transfer };
#line 18
# servicemanager performs getpidcon on clients.
#line 18
allow servicemanager vdc:dir search;
#line 18
allow servicemanager vdc:file { read open };
#line 18
allow servicemanager vdc:process getattr;
#line 18
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18


#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow vdc vold:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow vold vdc:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow vdc vold:fd use;
#line 19

allow vdc vold_service:service_manager find;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vendor_init.te"
# vendor_init is its own domain.
type vendor_init, domain, mlstrustedsubject;

# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };

# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open getattr write };

# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;

# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vendor_init cgroup:file { open append write lock map };

# /config
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vendor_init configfs:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Create directories under /dev/cpuctl after chowning it to system.
allow vendor_init self:{ capability cap_userns } { dac_override dac_read_search };

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:{ capability cap_userns } { chown fowner fsetid };

# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
allow vendor_init unencrypted_data_file:dir search;
allow vendor_init unencrypted_data_file:file { getattr open read ioctl lock map };

# Set encryption policy on dirs in /data
allowxperm vendor_init data_file_type:dir ioctl {
  0x400c6615
  0x800c6613
};

allow vendor_init system_data_file:dir getattr;

allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -system_file_type
  -mnt_product_file
  -password_slot_metadata_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file
  -apex_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };

allow vendor_init unlabeled:{ dir { file lnk_file sock_file fifo_file } } { getattr relabelfrom };

allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -password_slot_metadata_file
  -runtime_event_log_tags_file
  -system_file_type
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file
  -apex_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink map };

allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -password_slot_metadata_file
  -system_file_type
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file
  -apex_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow vendor_init {
  file_type
  -apex_mnt_dir
  -core_data_file_type
  -exec_type
  -password_slot_metadata_file
  -system_file_type
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file
  -apex_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -mnt_product_file
  -password_slot_metadata_file
  -system_file_type
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file
  -apex_metadata_file
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;

allow vendor_init dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vendor_init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file { open append write lock map };

# chown/chmod on pseudo files.
allow vendor_init {
  fs_type
  -contextmount_type
  -keychord_device
  -sdcard_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
}:file { open read setattr map };

allow vendor_init {
  fs_type
  -contextmount_type
  -sdcard_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
}:dir  { open read setattr search };

# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
  dev_type
  -keychord_device
  -port_device
  -lowpan_device
  -hw_random_device
}:chr_file setattr;

allow vendor_init dev_type:blk_file getattr;

# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.

#line 157
allow vendor_init proc_net_type:dir { open getattr read search ioctl lock };
#line 157
allow vendor_init proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 157

allow vendor_init proc_net_type:file { open append write lock map };
allow vendor_init self:{ capability cap_userns } net_admin;

# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file { open append write lock map };

# Write to sysfs nodes.
allow vendor_init sysfs_type:dir { open getattr read search ioctl lock };
allow vendor_init sysfs_type:lnk_file read;
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file { { getattr open read ioctl lock map } { open append write lock map } };

# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };


#line 172
allow vendor_init vendor_file_type:dir { open getattr read search ioctl lock };
#line 172
allow vendor_init vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 172


# Vendor init can read properties
allow vendor_init serialno_prop:file { getattr open read map };

# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:{ capability cap_userns } sys_admin;

# Raw writes to misc block device
allow vendor_init misc_block_device:blk_file { open append write lock map };

# vendor_init is using bootstrap bionic
allow vendor_init system_bootstrap_lib_file:dir { open getattr read search ioctl lock };
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };

# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
#line 191


#line 215


# Get file context
allow vendor_init file_contexts_file:file { getattr open read ioctl lock map };


#line 220

#line 220
allow vendor_init property_socket:sock_file write;
#line 220
allow vendor_init init:unix_stream_socket connectto;
#line 220

#line 220
allow vendor_init bluetooth_a2dp_offload_prop:property_service set;
#line 220

#line 220
allow vendor_init bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 220

#line 220


#line 221

#line 221
allow vendor_init property_socket:sock_file write;
#line 221
allow vendor_init init:unix_stream_socket connectto;
#line 221

#line 221
allow vendor_init bluetooth_audio_hal_prop:property_service set;
#line 221

#line 221
allow vendor_init bluetooth_audio_hal_prop:file { getattr open read map };
#line 221

#line 221


#line 222

#line 222
allow vendor_init property_socket:sock_file write;
#line 222
allow vendor_init init:unix_stream_socket connectto;
#line 222

#line 222
allow vendor_init cpu_variant_prop:property_service set;
#line 222

#line 222
allow vendor_init cpu_variant_prop:file { getattr open read map };
#line 222

#line 222


#line 223

#line 223
allow vendor_init property_socket:sock_file write;
#line 223
allow vendor_init init:unix_stream_socket connectto;
#line 223

#line 223
allow vendor_init debug_prop:property_service set;
#line 223

#line 223
allow vendor_init debug_prop:file { getattr open read map };
#line 223

#line 223


#line 224

#line 224
allow vendor_init property_socket:sock_file write;
#line 224
allow vendor_init init:unix_stream_socket connectto;
#line 224

#line 224
allow vendor_init exported_audio_prop:property_service set;
#line 224

#line 224
allow vendor_init exported_audio_prop:file { getattr open read map };
#line 224

#line 224


#line 225

#line 225
allow vendor_init property_socket:sock_file write;
#line 225
allow vendor_init init:unix_stream_socket connectto;
#line 225

#line 225
allow vendor_init exported_bluetooth_prop:property_service set;
#line 225

#line 225
allow vendor_init exported_bluetooth_prop:file { getattr open read map };
#line 225

#line 225


#line 226

#line 226
allow vendor_init property_socket:sock_file write;
#line 226
allow vendor_init init:unix_stream_socket connectto;
#line 226

#line 226
allow vendor_init exported_config_prop:property_service set;
#line 226

#line 226
allow vendor_init exported_config_prop:file { getattr open read map };
#line 226

#line 226


#line 227

#line 227
allow vendor_init property_socket:sock_file write;
#line 227
allow vendor_init init:unix_stream_socket connectto;
#line 227

#line 227
allow vendor_init exported_dalvik_prop:property_service set;
#line 227

#line 227
allow vendor_init exported_dalvik_prop:file { getattr open read map };
#line 227

#line 227


#line 228

#line 228
allow vendor_init property_socket:sock_file write;
#line 228
allow vendor_init init:unix_stream_socket connectto;
#line 228

#line 228
allow vendor_init exported_default_prop:property_service set;
#line 228

#line 228
allow vendor_init exported_default_prop:file { getattr open read map };
#line 228

#line 228


#line 229

#line 229
allow vendor_init property_socket:sock_file write;
#line 229
allow vendor_init init:unix_stream_socket connectto;
#line 229

#line 229
allow vendor_init exported_ffs_prop:property_service set;
#line 229

#line 229
allow vendor_init exported_ffs_prop:file { getattr open read map };
#line 229

#line 229


#line 230

#line 230
allow vendor_init property_socket:sock_file write;
#line 230
allow vendor_init init:unix_stream_socket connectto;
#line 230

#line 230
allow vendor_init exported_overlay_prop:property_service set;
#line 230

#line 230
allow vendor_init exported_overlay_prop:file { getattr open read map };
#line 230

#line 230


#line 231

#line 231
allow vendor_init property_socket:sock_file write;
#line 231
allow vendor_init init:unix_stream_socket connectto;
#line 231

#line 231
allow vendor_init exported_pm_prop:property_service set;
#line 231

#line 231
allow vendor_init exported_pm_prop:file { getattr open read map };
#line 231

#line 231


#line 232

#line 232
allow vendor_init property_socket:sock_file write;
#line 232
allow vendor_init init:unix_stream_socket connectto;
#line 232

#line 232
allow vendor_init exported_radio_prop:property_service set;
#line 232

#line 232
allow vendor_init exported_radio_prop:file { getattr open read map };
#line 232

#line 232


#line 233

#line 233
allow vendor_init property_socket:sock_file write;
#line 233
allow vendor_init init:unix_stream_socket connectto;
#line 233

#line 233
allow vendor_init exported_system_radio_prop:property_service set;
#line 233

#line 233
allow vendor_init exported_system_radio_prop:file { getattr open read map };
#line 233

#line 233


#line 234

#line 234
allow vendor_init property_socket:sock_file write;
#line 234
allow vendor_init init:unix_stream_socket connectto;
#line 234

#line 234
allow vendor_init exported_wifi_prop:property_service set;
#line 234

#line 234
allow vendor_init exported_wifi_prop:file { getattr open read map };
#line 234

#line 234


#line 235

#line 235
allow vendor_init property_socket:sock_file write;
#line 235
allow vendor_init init:unix_stream_socket connectto;
#line 235

#line 235
allow vendor_init exported2_config_prop:property_service set;
#line 235

#line 235
allow vendor_init exported2_config_prop:file { getattr open read map };
#line 235

#line 235


#line 236

#line 236
allow vendor_init property_socket:sock_file write;
#line 236
allow vendor_init init:unix_stream_socket connectto;
#line 236

#line 236
allow vendor_init exported2_system_prop:property_service set;
#line 236

#line 236
allow vendor_init exported2_system_prop:file { getattr open read map };
#line 236

#line 236


#line 237

#line 237
allow vendor_init property_socket:sock_file write;
#line 237
allow vendor_init init:unix_stream_socket connectto;
#line 237

#line 237
allow vendor_init exported2_vold_prop:property_service set;
#line 237

#line 237
allow vendor_init exported2_vold_prop:file { getattr open read map };
#line 237

#line 237


#line 238

#line 238
allow vendor_init property_socket:sock_file write;
#line 238
allow vendor_init init:unix_stream_socket connectto;
#line 238

#line 238
allow vendor_init exported3_default_prop:property_service set;
#line 238

#line 238
allow vendor_init exported3_default_prop:file { getattr open read map };
#line 238

#line 238


#line 239

#line 239
allow vendor_init property_socket:sock_file write;
#line 239
allow vendor_init init:unix_stream_socket connectto;
#line 239

#line 239
allow vendor_init exported3_radio_prop:property_service set;
#line 239

#line 239
allow vendor_init exported3_radio_prop:file { getattr open read map };
#line 239

#line 239


#line 240

#line 240
allow vendor_init property_socket:sock_file write;
#line 240
allow vendor_init init:unix_stream_socket connectto;
#line 240

#line 240
allow vendor_init logd_prop:property_service set;
#line 240

#line 240
allow vendor_init logd_prop:file { getattr open read map };
#line 240

#line 240


#line 241

#line 241
allow vendor_init property_socket:sock_file write;
#line 241
allow vendor_init init:unix_stream_socket connectto;
#line 241

#line 241
allow vendor_init log_tag_prop:property_service set;
#line 241

#line 241
allow vendor_init log_tag_prop:file { getattr open read map };
#line 241

#line 241


#line 242

#line 242
allow vendor_init property_socket:sock_file write;
#line 242
allow vendor_init init:unix_stream_socket connectto;
#line 242

#line 242
allow vendor_init log_prop:property_service set;
#line 242

#line 242
allow vendor_init log_prop:file { getattr open read map };
#line 242

#line 242


#line 243

#line 243
allow vendor_init property_socket:sock_file write;
#line 243
allow vendor_init init:unix_stream_socket connectto;
#line 243

#line 243
allow vendor_init serialno_prop:property_service set;
#line 243

#line 243
allow vendor_init serialno_prop:file { getattr open read map };
#line 243

#line 243


#line 244

#line 244
allow vendor_init property_socket:sock_file write;
#line 244
allow vendor_init init:unix_stream_socket connectto;
#line 244

#line 244
allow vendor_init vendor_default_prop:property_service set;
#line 244

#line 244
allow vendor_init vendor_default_prop:file { getattr open read map };
#line 244

#line 244


#line 245

#line 245
allow vendor_init property_socket:sock_file write;
#line 245
allow vendor_init init:unix_stream_socket connectto;
#line 245

#line 245
allow vendor_init vendor_security_patch_level_prop:property_service set;
#line 245

#line 245
allow vendor_init vendor_security_patch_level_prop:file { getattr open read map };
#line 245

#line 245


#line 246

#line 246
allow vendor_init property_socket:sock_file write;
#line 246
allow vendor_init init:unix_stream_socket connectto;
#line 246

#line 246
allow vendor_init wifi_log_prop:property_service set;
#line 246

#line 246
allow vendor_init wifi_log_prop:file { getattr open read map };
#line 246

#line 246



#line 248
allow vendor_init exported2_radio_prop:file { getattr open read map };
#line 248


#line 249
allow vendor_init exported3_system_prop:file { getattr open read map };
#line 249


#line 250
allow vendor_init theme_prop:file { getattr open read map };
#line 250


###
### neverallow rules
###

# Vendor init shouldn't communicate with any vendor process, nor most system processes.

#line 257
  neverallow vendor_init { domain -init -logd -su -vendor_init }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 257
  neverallow vendor_init { domain -init -logd -su -vendor_init }:unix_stream_socket connectto;
#line 257
;

# The vendor_init domain is only entered via an exec based transition from the
# init domain, never via setcon().
neverallow domain vendor_init:process dyntransition;
neverallow { domain -init } vendor_init:process transition;
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
neverallow vendor_init shell_data_file:lnk_file read;
# Init should not be creating subdirectories in /data/local/tmp
neverallow vendor_init shell_data_file:dir { write add_name remove_name };

# init should never execute a program without changing to another domain.
neverallow vendor_init { file_type fs_type }:file execute_no_trans;

# Init never adds or uses services via service_manager.
neverallow vendor_init service_manager_type:service_manager { add find };
neverallow vendor_init servicemanager:service_manager list;

# vendor_init should never be ptraced
neverallow * vendor_init:process ptrace;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vendor_misc_writer.te"
# vendor_misc_writer
type vendor_misc_writer, domain;
type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;

# Raw writes to misc_block_device
allow vendor_misc_writer misc_block_device:blk_file { open append write lock map };
allow vendor_misc_writer block_device:dir { open getattr read search ioctl lock };

# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vendor_shell.te"
type vendor_shell, domain;
type vendor_shell_exec, exec_type, vendor_file_type, file_type;

allow vendor_shell vendor_shell_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };
allow vendor_shell vendor_toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Use fd from shell when vendor_shell is started from shell
allow vendor_shell shell:fd use;

# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
allow vendor_shell adbd:fd use;
allow vendor_shell adbd:process sigchld;
allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };

allow vendor_shell devpts:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow vendor_shell tty_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow vendor_shell console_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow vendor_shell input_device:dir { open getattr read search ioctl lock };
allow vendor_shell input_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vendor_toolbox.te"
# Toolbox installation for vendor binaries / scripts
# Non-vendor processes are not allowed to execute the binary
# and is always executed without transition.
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;

# Do not allow domains to transition to vendor toolbox
# or read, execute the vendor_toolbox file.

#line 8
    # Do not allow non-vendor domains to transition
#line 8
    # to vendor toolbox except for the allowlisted domains.
#line 8
    neverallow {
#line 8
        coredomain
#line 8
        -init
#line 8
        -modprobe
#line 8
    } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
#line 16

#line 1 "system/sepolicy/prebuilts/api/29.0/public/virtual_touchpad.te"
type virtual_touchpad, domain;
type virtual_touchpad_exec, system_file_type, exec_type, file_type;


#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow virtual_touchpad servicemanager:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager virtual_touchpad:dir search;
#line 4
allow servicemanager virtual_touchpad:file { read open };
#line 4
allow servicemanager virtual_touchpad:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4


#line 5
typeattribute virtual_touchpad binderservicedomain;
#line 5


#line 6
  allow virtual_touchpad virtual_touchpad_service:service_manager { add find };
#line 6
  neverallow { domain -virtual_touchpad } virtual_touchpad_service:service_manager add;
#line 6


# Needed to check app permissions.

#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow virtual_touchpad system_server:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow system_server virtual_touchpad:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow virtual_touchpad system_server:fd use;
#line 9


# Requires access to /dev/uinput to create and feed the virtual device.
allow virtual_touchpad uhid_device:chr_file { { open append write lock map } ioctl };

# Requires access to the permission service to validate that clients have the
# appropriate VR permissions.
allow virtual_touchpad permission_service:service_manager find;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vndservice.te"
type default_android_vndservice, vndservice_manager_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vndservicemanager.te"
# vndservicemanager - the Binder context manager for vendor processes
type vndservicemanager, domain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vold.te"
# volume manager
type vold, domain;
type vold_exec, exec_type, file_type, system_file_type;

# Read already opened /cache files.
allow vold cache_file:dir { open getattr read search ioctl lock };
allow vold cache_file:file { getattr read };
allow vold cache_file:lnk_file { getattr open read ioctl lock map };


#line 10
allow vold { sysfs_type -sysfs_batteryinfo }:dir { open getattr read search ioctl lock };
#line 10
allow vold { sysfs_type -sysfs_batteryinfo }:{ file lnk_file } { getattr open read ioctl lock map };
#line 10

# XXX Label sysfs files with a specific type?
allow vold {
  sysfs # writing to /sys/*/uevent during coldboot.
  sysfs_devices_block
  sysfs_dm
  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
  sysfs_usb
  sysfs_zram_uevent
  sysfs_fs_f2fs
}:file { open append write lock map };


#line 22
allow vold rootfs:dir { open getattr read search ioctl lock };
#line 22
allow vold rootfs:{ file lnk_file } { getattr open read ioctl lock map };
#line 22


#line 23
allow vold metadata_file:dir { open getattr read search ioctl lock };
#line 23
allow vold metadata_file:{ file lnk_file } { getattr open read ioctl lock map };
#line 23

allow vold {
  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
  proc_cmdline
  proc_drop_caches
  proc_filesystems
  proc_meminfo
  proc_mounts
}:file { getattr open read ioctl lock map };

#Get file contexts
allow vold file_contexts_file:file { getattr open read ioctl lock map };

# Allow us to jump into execution domains of above tools
allow vold self:process setexec;

# For formatting adoptable storage devices
allow vold e2fs_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Run fstrim on mounted partitions
# allowxperm still requires the ioctl permission for the individual type
allowxperm vold { fs_type file_type }:dir ioctl 0xc0185879;

# Get encryption policy for dirs in /data
allowxperm vold data_file_type:dir ioctl {
  0x400c6615
  0x800c6613
};

# Find the location on the raw block device where the
# crypto key is stored so it can be destroyed
allowxperm vold vold_data_file:file ioctl {
  0xc020660b
};

typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file { getattr execute execute_no_trans map };

allow vold block_device:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vold device:dir write;
allow vold devpts:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
allow vold sdcard_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } }; # TODO: deprecated in M
allow vold sdcard_type:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } }; # TODO: deprecated in M

# Manage locations where storage is mounted
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vold { mnt_media_rw_file storage_file sdcard_type }:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vold media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };

# Manage per-user primary symlinks
allow vold mnt_user_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } } mounton };
allow vold mnt_user_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow vold mnt_user_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } } mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };

allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vold tmpfs:dir mounton;
allow vold self:{ capability cap_userns } { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow vold loop_control_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow vold loop_device:blk_file { create setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allowxperm vold loop_device:blk_file ioctl {
  0x00004c01
  0x00004c82
  0x00004c05
  0x00004c00
  0x00004c04
};
allow vold vold_device:blk_file { create setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allowxperm vold vold_device:blk_file ioctl { 0x00001277 0x00001260 };
allow vold dm_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow vold dm_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allowxperm vold dm_device:blk_file ioctl 0x0000127d;
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir { open getattr read search ioctl lock };
allow vold domain:{ file lnk_file } { getattr open read ioctl lock map };
allow vold domain:process { signal sigkill };
allow vold self:{ capability cap_userns } { sys_ptrace kill };

allow vold kmsg_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };

# Run fsck in the fsck domain.
allow vold fsck_exec:file { { getattr open read ioctl lock map } execute };

# Log fsck results
allow vold fscklogs:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow vold fscklogs:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

#
# Rules to support encrypted fs support.
#

# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file { { getattr open read ioctl lock map } { open append write lock map } };

# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } mounton setattr rmdir };
allow vold system_data_file:lnk_file getattr;

# Vold create users in /data/vendor_{ce,de}/[0-9]+
allow vold vendor_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };

# for secdiscard
allow vold system_data_file:file read;

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service

#line 151

#line 151
allow vold property_socket:sock_file write;
#line 151
allow vold init:unix_stream_socket connectto;
#line 151

#line 151
allow vold vold_prop:property_service set;
#line 151

#line 151
allow vold vold_prop:file { getattr open read map };
#line 151

#line 151


#line 152

#line 152
allow vold property_socket:sock_file write;
#line 152
allow vold init:unix_stream_socket connectto;
#line 152

#line 152
allow vold exported_vold_prop:property_service set;
#line 152

#line 152
allow vold exported_vold_prop:file { getattr open read map };
#line 152

#line 152


#line 153

#line 153
allow vold property_socket:sock_file write;
#line 153
allow vold init:unix_stream_socket connectto;
#line 153

#line 153
allow vold exported2_vold_prop:property_service set;
#line 153

#line 153
allow vold exported2_vold_prop:file { getattr open read map };
#line 153

#line 153


#line 154

#line 154
allow vold property_socket:sock_file write;
#line 154
allow vold init:unix_stream_socket connectto;
#line 154

#line 154
allow vold powerctl_prop:property_service set;
#line 154

#line 154
allow vold powerctl_prop:file { getattr open read map };
#line 154

#line 154


#line 155

#line 155
allow vold property_socket:sock_file write;
#line 155
allow vold init:unix_stream_socket connectto;
#line 155

#line 155
allow vold ctl_fuse_prop:property_service set;
#line 155

#line 155
allow vold ctl_fuse_prop:file { getattr open read map };
#line 155

#line 155


#line 156

#line 156
allow vold property_socket:sock_file write;
#line 156
allow vold init:unix_stream_socket connectto;
#line 156

#line 156
allow vold restorecon_prop:property_service set;
#line 156

#line 156
allow vold restorecon_prop:file { getattr open read map };
#line 156

#line 156


# ASEC
allow vold asec_image_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow vold asec_image_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow vold asec_apk_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } } mounton relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { { getattr open read ioctl lock map } setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
# restorecon files in asec containers created on 4.2 or earlier.
allow vold unlabeled:dir { { open getattr read search ioctl lock } setattr relabelfrom };
allow vold unlabeled:file { { getattr open read ioctl lock map } setattr relabelfrom };

# Handle wake locks (used for device encryption)

#line 170
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 170
# deprecated.
#line 170
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 170
allow vold sysfs_wake_lock:file { { getattr open read ioctl lock map } { open append write lock map } };
#line 170
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 170
allow vold self:{ capability2 cap2_userns } block_suspend;
#line 170
# system_suspend permissions
#line 170

#line 170
# Call the server domain and optionally transfer references to it.
#line 170
allow vold system_suspend_server:binder { call transfer };
#line 170
# Allow the serverdomain to transfer references to the client on the reply.
#line 170
allow system_suspend_server vold:binder transfer;
#line 170
# Receive and use open files from the server.
#line 170
allow vold system_suspend_server:fd use;
#line 170

#line 170
allow vold system_suspend_hwservice:hwservice_manager find;
#line 170
# halclientdomain permissions
#line 170

#line 170
# Call the hwservicemanager and transfer references to it.
#line 170
allow vold hwservicemanager:binder { call transfer };
#line 170
# Allow hwservicemanager to send out callbacks
#line 170
allow hwservicemanager vold:binder { call transfer };
#line 170
# hwservicemanager performs getpidcon on clients.
#line 170
allow hwservicemanager vold:dir search;
#line 170
allow hwservicemanager vold:file { read open map };
#line 170
allow hwservicemanager vold:process getattr;
#line 170
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 170
# all domains in domain.te.
#line 170

#line 170

#line 170
allow vold hwservicemanager_prop:file { getattr open read map };
#line 170

#line 170
allow vold hidl_manager_hwservice:hwservice_manager find;
#line 170


# Allow vold to publish a binder service and make binder calls.

#line 173
# Call the servicemanager and transfer references to it.
#line 173
allow vold servicemanager:binder { call transfer };
#line 173
# servicemanager performs getpidcon on clients.
#line 173
allow servicemanager vold:dir search;
#line 173
allow servicemanager vold:file { read open };
#line 173
allow servicemanager vold:process getattr;
#line 173
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 173
# all domains in domain.te.
#line 173


#line 174
  allow vold vold_service:service_manager { add find };
#line 174
  neverallow { domain -vold } vold_service:service_manager add;
#line 174


# Allow vold to call into the system server so it can check permissions.

#line 177
# Call the server domain and optionally transfer references to it.
#line 177
allow vold system_server:binder { call transfer };
#line 177
# Allow the serverdomain to transfer references to the client on the reply.
#line 177
allow system_server vold:binder transfer;
#line 177
# Receive and use open files from the server.
#line 177
allow vold system_server:fd use;
#line 177

allow vold permission_service:service_manager find;

# talk to batteryservice

#line 181
# Call the server domain and optionally transfer references to it.
#line 181
allow vold healthd:binder { call transfer };
#line 181
# Allow the serverdomain to transfer references to the client on the reply.
#line 181
allow healthd vold:binder transfer;
#line 181
# Receive and use open files from the server.
#line 181
allow vold healthd:fd use;
#line 181


# talk to keymaster

#line 184
typeattribute vold halclientdomain;
#line 184
typeattribute vold hal_keymaster_client;
#line 184

#line 184
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 184
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 184
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 184

#line 184


# talk to health storage HAL

#line 187
typeattribute vold halclientdomain;
#line 187
typeattribute vold hal_health_storage_client;
#line 187

#line 187
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 187
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 187
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 187

#line 187


# talk to bootloader HAL

#line 190
typeattribute vold halclientdomain;
#line 190
typeattribute vold hal_bootctl_client;
#line 190

#line 190
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 190
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 190
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 190

#line 190


# Access userdata block device.
allow vold userdata_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };
allowxperm vold userdata_block_device:blk_file ioctl 0x0000127d;

# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file { { getattr open read ioctl lock map } { open append write lock map } };

# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };
allow vold unencrypted_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };

# Write to /proc/sys/vm/drop_caches
allow vold proc_drop_caches:file { open append write lock map };

# Give vold a place where only vold can store files; everyone else is off limits
allow vold vold_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vold vold_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# And a similar place in the metadata partition
allow vold vold_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };
allow vold vold_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map } { open append write lock map } } };

# linux keyring configuration
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };

# vold temporarily changes its priority when running benchmarks
allow vold self:{ capability cap_userns } sys_nice;

# vold needs to chroot into app namespaces to remount when runtime permissions change
allow vold self:{ capability cap_userns } sys_chroot;
allow vold storage_file:dir mounton;

# For AppFuse.
allow vold fuse_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
allow vold app_fuse_file:dir { { open getattr read search ioctl lock } { open search write add_name remove_name lock } };
allow vold app_fuse_file:file { read write open getattr append };

# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file { { getattr open read ioctl lock map } { getattr execute execute_no_trans map } };

# Prepare profile dir for users.
allow vold user_profile_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock } { open search write add_name remove_name lock } } };

# Raw writes to misc block device
allow vold misc_block_device:blk_file { open append write lock map };

# vold might need to search or mount /mnt/vendor/*
allow vold mnt_vendor_file:dir search;

dontaudit vold self:{ capability cap_userns } sys_resource;

# vold needs to know whether we're running a GSI.
allow vold gsi_metadata_file:dir { open getattr read search ioctl lock };
allow vold gsi_metadata_file:file { getattr open read ioctl lock map };

neverallow {
    domain
    -vold
    -vold_prepare_subdirs
} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };

neverallow {
    domain
    -init
    -vold
    -vold_prepare_subdirs
} vold_data_file:dir *;

neverallow {
    domain
    -init
    -vold
} vold_metadata_file:dir *;

neverallow {
    domain
    -kernel
    -vold
    -vold_prepare_subdirs
} vold_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };

neverallow {
    domain
    -init
    -vold
    -vold_prepare_subdirs
} vold_metadata_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };

neverallow {
    domain
    -init
    -kernel
    -vold
    -vold_prepare_subdirs
} { vold_data_file vold_metadata_file }:{ file lnk_file sock_file fifo_file } *;

neverallow { domain -vold -init } restorecon_prop:property_service set;

neverallow {
    domain
    -system_server
    -vdc
    -vold
    -update_verifier
    -apexd
} vold_service:service_manager find;

neverallow vold {
  domain
  -ashmemd
  -hal_health_storage_server
  -hal_keymaster_server
  -system_suspend_server
  -hal_bootctl_server
  -healthd
  -hwservicemanager
  -iorapd_service
  -servicemanager
  -system_server

}:binder call;

neverallow vold fsck_exec:file execute_no_trans;
neverallow { domain -init } vold:process { transition dyntransition };
neverallow vold *:process ptrace;
neverallow vold *:rawip_socket *;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vold_prepare_subdirs.te"
# SELinux directory creation and labelling for vold-managed directories

type vold_prepare_subdirs, domain;
type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;

typeattribute vold_prepare_subdirs coredomain;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/vr_hwc.te"
type vr_hwc, domain;
type vr_hwc_exec, system_file_type, exec_type, file_type;

# Get buffer metadata.

#line 5
typeattribute vr_hwc halclientdomain;
#line 5
typeattribute vr_hwc hal_graphics_allocator_client;
#line 5

#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5

#line 5



#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow vr_hwc servicemanager:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager vr_hwc:dir search;
#line 7
allow servicemanager vr_hwc:file { read open };
#line 7
allow servicemanager vr_hwc:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7


#line 8
typeattribute vr_hwc binderservicedomain;
#line 8



#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow vr_hwc surfaceflinger:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow surfaceflinger vr_hwc:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow vr_hwc surfaceflinger:fd use;
#line 10

# Needed to check for app permissions.

#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow vr_hwc system_server:binder { call transfer };
#line 12
# Allow the serverdomain to transfer references to the client on the reply.
#line 12
allow system_server vr_hwc:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow vr_hwc system_server:fd use;
#line 12



#line 14
  allow vr_hwc vr_hwc_service:service_manager { add find };
#line 14
  neverallow { domain -vr_hwc } vr_hwc_service:service_manager add;
#line 14


# Hosts the VR HWC implementation and provides a simple Binder interface for VR
# Window Manager to receive the layers/buffers.

#line 18
# Call the hwservicemanager and transfer references to it.
#line 18
allow vr_hwc hwservicemanager:binder { call transfer };
#line 18
# Allow hwservicemanager to send out callbacks
#line 18
allow hwservicemanager vr_hwc:binder { call transfer };
#line 18
# hwservicemanager performs getpidcon on clients.
#line 18
allow hwservicemanager vr_hwc:dir search;
#line 18
allow hwservicemanager vr_hwc:file { read open map };
#line 18
allow hwservicemanager vr_hwc:process getattr;
#line 18
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18


# Load vendor libraries.
allow vr_hwc system_file:dir { open getattr read search ioctl lock };

allow vr_hwc ion_device:chr_file { getattr open read ioctl lock map };

# Allow connection to VR DisplayClient to get the primary display metadata
# (ie: size).

#line 27

#line 27
# Allow client to open the service endpoint file.
#line 27
allow vr_hwc pdx_display_client_endpoint_dir_type:dir { open getattr read search ioctl lock };
#line 27
allow vr_hwc pdx_display_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 27
# Allow the client to connect to endpoint socket.
#line 27
allow vr_hwc pdx_display_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 27

#line 27

#line 27
# Allow the client to use the PDX channel socket.
#line 27
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 27
# than we need (e.g. we don"t need "bind" or "connect").
#line 27
allow vr_hwc pdx_display_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 27
# Client needs to use an channel event fd from the server.
#line 27
allow vr_hwc pdx_display_client_server_type:fd use;
#line 27
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 27
# This could be tightened on a per-server basis, but keeping track of service
#line 27
# clients is error prone.
#line 27
allow pdx_display_client_server_type vr_hwc:fd use;
#line 27

#line 27


# Requires access to the permission service to validate that clients have the
# appropriate VR permissions.
allow vr_hwc permission_service:service_manager find;

allow vr_hwc vrflinger_vsync_service:service_manager find;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/watchdogd.te"
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
type watchdogd_exec, system_file_type, exec_type, file_type;

allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow watchdogd kmsg_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
#line 1 "system/sepolicy/prebuilts/api/29.0/public/webview_zygote.te"
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.

type webview_zygote, domain;
type webview_zygote_exec, exec_type, file_type;
type webview_zygote_tmpfs, file_type;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/wificond.te"
# wificond
type wificond, domain;
type wificond_exec, system_file_type, exec_type, file_type;


#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow wificond servicemanager:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager wificond:dir search;
#line 5
allow servicemanager wificond:file { read open };
#line 5
allow servicemanager wificond:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5


#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow wificond system_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow system_server wificond:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow wificond system_server:fd use;
#line 6



#line 8
  allow wificond wificond_service:service_manager { add find };
#line 8
  neverallow { domain -wificond } wificond_service:service_manager add;
#line 8



#line 10

#line 10
allow wificond property_socket:sock_file write;
#line 10
allow wificond init:unix_stream_socket connectto;
#line 10

#line 10
allow wificond exported_wifi_prop:property_service set;
#line 10

#line 10
allow wificond exported_wifi_prop:file { getattr open read map };
#line 10

#line 10


#line 11

#line 11
allow wificond property_socket:sock_file write;
#line 11
allow wificond init:unix_stream_socket connectto;
#line 11

#line 11
allow wificond wifi_prop:property_service set;
#line 11

#line 11
allow wificond wifi_prop:file { getattr open read map };
#line 11

#line 11


#line 12

#line 12
allow wificond property_socket:sock_file write;
#line 12
allow wificond init:unix_stream_socket connectto;
#line 12

#line 12
allow wificond ctl_default_prop:property_service set;
#line 12

#line 12
allow wificond ctl_default_prop:file { getattr open read map };
#line 12

#line 12


# create sockets to set interfaces up and down
allow wificond self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# setting interface state up/down is a privileged ioctl
allowxperm wificond self:udp_socket ioctl { 0x00008914 0x00008924 };
allow wificond self:{ capability cap_userns } { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow wificond self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };


#line 24
allow wificond proc_net_type:dir { open getattr read search ioctl lock };
#line 24
allow wificond proc_net_type:{ file lnk_file } { getattr open read ioctl lock map };
#line 24


# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;

# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/wpantund.te"
type wpantund, domain;
type wpantund_exec, system_file_type, exec_type, file_type;


#line 4
typeattribute wpantund halclientdomain;
#line 4
typeattribute wpantund hal_lowpan_client;
#line 4

#line 4
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 4
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 4
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 4

#line 4


#line 5
typeattribute wpantund netdomain;
#line 5



#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow wpantund servicemanager:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager wpantund:dir search;
#line 7
allow servicemanager wpantund:file { read open };
#line 7
allow servicemanager wpantund:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7


#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow wpantund system_server:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow system_server wpantund:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow wpantund system_server:fd use;
#line 8


# wpantund needs to be able to check in with the lowpan_service
allow wpantund lowpan_service:service_manager find;

# Allow wpantund to call any callbacks that have been registered with it.
# Generally, only privileged apps are able to register callbacks with
# wpantund, so we are limiting the scope for callbacks to only privileged
# apps. We also add shell to allow the command-line utility `lowpanctl`
# to work properly from `adb shell`.
allow wpantund {priv_app shell}:binder call;

# create sockets to set interfaces up and down, add multicast groups, etc.
allow wpantund self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };

# setting interface state up/down and changing MTU are privileged ioctls
allowxperm wpantund self:udp_socket ioctl { 0x00008914 0x00008922 };

# Allow us to bring up a TUN network interface.
allow wpantund tun_device:chr_file { { getattr open read ioctl lock map } { open append write lock map } };
allow wpantund self:{ capability cap_userns } { net_admin net_raw };
allow wpantund self:tun_socket create;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/zygote.te"
# zygote
type zygote, domain;
type zygote_tmpfs, file_type;
type zygote_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/reqd_mask/reqd_mask.te"
type reqd_mask_type;
#line 1 "system/sepolicy/reqd_mask/roles_decl"
role r;
#line 1 "system/sepolicy/prebuilts/api/29.0/public/roles"
role r types domain;
#line 1 "system/sepolicy/reqd_mask/roles"
role r types reqd_mask_type;
#line 1 "system/sepolicy/reqd_mask/users"
user u roles { r } level s0 range s0 - s0:c0.c1023;
#line 1 "system/sepolicy/reqd_mask/initial_sid_contexts"
sid reqd_mask u:r:reqd_mask_type:s0