├── .gitignore
├── Android.bp
├── CleanSpec.mk
├── METADATA
├── MODULE_LICENSE_PUBLIC_DOMAIN
├── NOTICE
├── OWNERS
├── PREUPLOAD.cfg
├── README.apps.md
├── README.md
├── TEST_MAPPING
├── apex
├── Android.bp
├── apex.test-file_contexts
├── com.android.adbd-file_contexts
├── com.android.adservices-file_contexts
├── com.android.appsearch-file_contexts
├── com.android.art-file_contexts
├── com.android.art.debug-file_contexts
├── com.android.biometrics.virtual.face-file_contexts
├── com.android.biometrics.virtual.fingerprint-file_contexts
├── com.android.bluetooth-file_contexts
├── com.android.bootanimation-file_contexts
├── com.android.btservices-file_contexts
├── com.android.car.framework-file_contexts
├── com.android.cellbroadcast-file_contexts
├── com.android.compos-file_contexts
├── com.android.configinfrastructure-file_contexts
├── com.android.conscrypt-file_contexts
├── com.android.crashrecovery-file_contexts
├── com.android.devicelock-file_contexts
├── com.android.documentsuibundle-file_contexts
├── com.android.extservices-file_contexts
├── com.android.federatedcompute-file_contexts
├── com.android.geotz-file_contexts
├── com.android.gki-file_contexts
├── com.android.healthfitness-file_contexts
├── com.android.i18n-file_contexts
├── com.android.ipsec-file_contexts
├── com.android.media-file_contexts
├── com.android.media.swcodec-file_contexts
├── com.android.mediaprovider-file_contexts
├── com.android.neuralnetworks-file_contexts
├── com.android.nfcservices-file_contexts
├── com.android.ondevicepersonalization-file_contexts
├── com.android.os.statsd-file_contexts
├── com.android.permission-file_contexts
├── com.android.profiling-file_contexts
├── com.android.resolv-file_contexts
├── com.android.rkpd-file_contexts
├── com.android.runtime-file_contexts
├── com.android.scheduling-file_contexts
├── com.android.sdkext-file_contexts
├── com.android.telephonymodules-file_contexts
├── com.android.tethering-file_contexts
├── com.android.tzdata-file_contexts
├── com.android.uprobestats-file_contexts
├── com.android.uwb-file_contexts
├── com.android.virt-file_contexts
├── com.android.vndk-file_contexts
├── com.android.webview.bootstrap-file_contexts
└── com.android.wifi-file_contexts
├── build
├── Android.bp
├── build_sepolicy.py
├── file_utils.py
└── soong
│ ├── Android.bp
│ ├── bug_map.go
│ ├── build_files.go
│ ├── cil_compat_map.go
│ ├── compat_cil.go
│ ├── flags.go
│ ├── go.mod
│ ├── go.sum
│ ├── mac_permissions.go
│ ├── policy.go
│ ├── selinux.go
│ ├── selinux_contexts.go
│ ├── selinux_test.go
│ ├── sepolicy_freeze.go
│ ├── sepolicy_neverallow.go
│ ├── sepolicy_vers.go
│ ├── service_fuzzer_bindings.go
│ ├── validate_bindings.go
│ └── versioned_policy.go
├── compat
├── Android.bp
├── libgenfslabelsversion
│ ├── Android.bp
│ ├── include
│ │ └── genfslabelsversion.h
│ └── src
│ │ └── lib.rs
└── plat_sepolicy_genfs_202504.cil
├── contexts
├── Android.bp
└── plat_file_contexts_test
├── flagging
├── Android.bp
└── flagging_macros
├── mac_permissions
└── Android.bp
├── microdroid
├── Android.bp
├── TEST_MAPPING
├── reqd_mask
│ ├── access_vectors
│ ├── initial_sid_contexts
│ ├── initial_sids
│ ├── keys.conf
│ ├── mac_permissions.xml
│ ├── mls
│ ├── mls_decl
│ ├── mls_macros
│ ├── property_contexts
│ ├── reqd_mask.te
│ ├── roles
│ ├── roles_decl
│ ├── seapp_contexts
│ ├── security_classes
│ ├── service_contexts
│ └── users
├── system
│ ├── private
│ │ ├── access_vectors
│ │ ├── adbd.te
│ │ ├── apexd.te
│ │ ├── apkdmverity.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── authfs.te
│ │ ├── authfs_service.te
│ │ ├── bug_map
│ │ ├── compos.te
│ │ ├── compos_key_helper.te
│ │ ├── crash_dump.te
│ │ ├── derive_classpath.te
│ │ ├── dex2oat.te
│ │ ├── domain.te
│ │ ├── encryptedstore.te
│ │ ├── file.te
│ │ ├── file_contexts
│ │ ├── fs_use
│ │ ├── genfs_contexts
│ │ ├── init.te
│ │ ├── init_debug_policy.te
│ │ ├── initial_sid_contexts
│ │ ├── initial_sids
│ │ ├── kernel.te
│ │ ├── kexec.te
│ │ ├── keys.conf
│ │ ├── linkerconfig.te
│ │ ├── mac_permissions.xml
│ │ ├── microdroid_app.te
│ │ ├── microdroid_manager.te
│ │ ├── microdroid_payload.te
│ │ ├── mls
│ │ ├── mls_decl
│ │ ├── mls_macros
│ │ ├── net.te
│ │ ├── odrefresh.te
│ │ ├── perfetto.te
│ │ ├── policy_capabilities
│ │ ├── port_contexts
│ │ ├── prng_seeder.te
│ │ ├── property.te
│ │ ├── property_contexts
│ │ ├── roles_decl
│ │ ├── seapp_contexts
│ │ ├── security_classes
│ │ ├── shell.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_probes.te
│ │ ├── ueventd.te
│ │ ├── users
│ │ ├── vendor_init.te
│ │ └── zipfuse.te
│ └── public
│ │ ├── adbd.te
│ │ ├── apexd.te
│ │ ├── attributes
│ │ ├── crash_dump.te
│ │ ├── device.te
│ │ ├── file.te
│ │ ├── global_macros
│ │ ├── init.te
│ │ ├── ioctl_defines
│ │ ├── ioctl_macros
│ │ ├── kernel.te
│ │ ├── neverallow_macros
│ │ ├── property.te
│ │ ├── roles
│ │ ├── shell.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── te_macros
│ │ ├── toolbox.te
│ │ ├── type.te
│ │ ├── ueventd.te
│ │ └── vendor_init.te
└── vendor
│ └── file_contexts
├── prebuilts
└── api
│ ├── 202404
│ ├── 202404_general_sepolicy.conf
│ ├── 202404_mapping.cil
│ ├── 202404_plat_sepolicy.cil
│ ├── Android.bp
│ ├── private
│ │ ├── access_vectors
│ │ ├── aconfigd.te
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apex_test_prepostinstall.te
│ │ ├── apexd.te
│ │ ├── apexd_derive_classpath.te
│ │ ├── app.te
│ │ ├── app_neverallows.te
│ │ ├── app_zygote.te
│ │ ├── art_boot.te
│ │ ├── artd.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── auditctl.te
│ │ ├── automotive_display_service.te
│ │ ├── binderservicedomain.te
│ │ ├── blank_screen.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bluetoothdomain.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── boringssl_self_test.te
│ │ ├── bpfdomain.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── bug_map
│ │ ├── cameraserver.te
│ │ ├── canhalconfigurator.te
│ │ ├── charger.te
│ │ ├── charger_type.te
│ │ ├── clatd.te
│ │ ├── compat
│ │ │ ├── 29.0
│ │ │ │ ├── 29.0.cil
│ │ │ │ ├── 29.0.compat.cil
│ │ │ │ └── 29.0.ignore.cil
│ │ │ ├── 30.0
│ │ │ │ ├── 30.0.cil
│ │ │ │ ├── 30.0.compat.cil
│ │ │ │ └── 30.0.ignore.cil
│ │ │ ├── 31.0
│ │ │ │ ├── 31.0.cil
│ │ │ │ ├── 31.0.compat.cil
│ │ │ │ └── 31.0.ignore.cil
│ │ │ ├── 32.0
│ │ │ │ ├── 32.0.cil
│ │ │ │ ├── 32.0.compat.cil
│ │ │ │ └── 32.0.ignore.cil
│ │ │ ├── 33.0
│ │ │ │ ├── 33.0.cil
│ │ │ │ ├── 33.0.compat.cil
│ │ │ │ └── 33.0.ignore.cil
│ │ │ └── 34.0
│ │ │ │ ├── 34.0.cil
│ │ │ │ ├── 34.0.compat.cil
│ │ │ │ └── 34.0.ignore.cil
│ │ ├── compos_fd_server.te
│ │ ├── compos_verify.te
│ │ ├── composd.te
│ │ ├── coredomain.te
│ │ ├── cppreopts.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── crosvm.te
│ │ ├── derive_classpath.te
│ │ ├── derive_sdk.te
│ │ ├── device_as_webcam.te
│ │ ├── dex2oat.te
│ │ ├── dexopt_chroot_setup.te
│ │ ├── dexoptanalyzer.te
│ │ ├── dhcp.te
│ │ ├── dmesgd.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── ephemeral_app.te
│ │ ├── evsmanagerd.te
│ │ ├── extra_free_kbytes.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── file_contexts
│ │ ├── file_contexts_asan
│ │ ├── file_contexts_overlayfs
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fs_use
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fsverity_init.te
│ │ ├── fuseblkd.te
│ │ ├── fuseblkd_untrusted.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── genfs_contexts
│ │ ├── gki_apex_prepostinstall.te
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── gsid.te
│ │ ├── hal_allocator_default.te
│ │ ├── hal_lazy_test.te
│ │ ├── halclientdomain.te
│ │ ├── halserverdomain.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hidl_lazy_test_server.te
│ │ ├── hwservice.te
│ │ ├── hwservice_contexts
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── initial_sid_contexts
│ │ ├── initial_sids
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── isolated_app.te
│ │ ├── isolated_app_all.te
│ │ ├── isolated_compute_app.te
│ │ ├── iw.te
│ │ ├── kernel.te
│ │ ├── keys.conf
│ │ ├── keystore.te
│ │ ├── keystore2_key_contexts
│ │ ├── keystore_keys.te
│ │ ├── linkerconfig.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── lpdumpd.te
│ │ ├── mac_permissions.xml
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaprovider_app.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── mediatuner.te
│ │ ├── migrate_legacy_obb_data.te
│ │ ├── misctrl.te
│ │ ├── mls
│ │ ├── mls_decl
│ │ ├── mls_macros
│ │ ├── mlstrustedsubject.te
│ │ ├── mm_events.te
│ │ ├── modprobe.te
│ │ ├── mtectrl.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── nfc.te
│ │ ├── odrefresh.te
│ │ ├── odsign.te
│ │ ├── ot_daemon.te
│ │ ├── otapreopt_chroot.te
│ │ ├── otapreopt_slot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── permissioncontroller_app.te
│ │ ├── platform_app.te
│ │ ├── policy_capabilities
│ │ ├── port_contexts
│ │ ├── postinstall.te
│ │ ├── postinstall_dexopt.te
│ │ ├── preloads_copy.te
│ │ ├── preopt2cachename.te
│ │ ├── priv_app.te
│ │ ├── prng_seeder.te
│ │ ├── profcollectd.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── property_contexts
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── remount.te
│ │ ├── rkpd.te
│ │ ├── rkpd_app.te
│ │ ├── roles_decl
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── sdcardd.te
│ │ ├── sdk_sandbox_34.te
│ │ ├── sdk_sandbox_all.te
│ │ ├── sdk_sandbox_audit.te
│ │ ├── sdk_sandbox_current.te
│ │ ├── sdk_sandbox_next.te
│ │ ├── seapp_contexts
│ │ ├── secure_element.te
│ │ ├── security_classes
│ │ ├── service.te
│ │ ├── service_contexts
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── simpleperf_boot.te
│ │ ├── slideshow.te
│ │ ├── snapshotctl.te
│ │ ├── snapuserd.te
│ │ ├── stats.te
│ │ ├── statsd.te
│ │ ├── storaged.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_server_startup.te
│ │ ├── system_suspend.te
│ │ ├── technical_debt.cil
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── untrusted_app_25.te
│ │ ├── untrusted_app_27.te
│ │ ├── untrusted_app_29.te
│ │ ├── untrusted_app_30.te
│ │ ├── untrusted_app_32.te
│ │ ├── untrusted_app_all.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── uprobestats.te
│ │ ├── usbd.te
│ │ ├── users
│ │ ├── vdc.te
│ │ ├── vehicle_binding_util.te
│ │ ├── vendor_init.te
│ │ ├── vfio_handler.te
│ │ ├── viewcompiler.te
│ │ ├── virtual_camera.te
│ │ ├── virtual_touchpad.te
│ │ ├── virtualizationmanager.te
│ │ ├── virtualizationservice.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vzwomatrigger_app.te
│ │ ├── wait_for_keymaster.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ └── zygote.te
│ └── public
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_zygote.te
│ │ ├── artd.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── camera_service_server.te
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── charger_type.te
│ │ ├── charger_vendor.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── device.te
│ │ ├── dhcp.te
│ │ ├── display_service_server.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── e2fs.te
│ │ ├── ephemeral_app.te
│ │ ├── evsmanagerd.te
│ │ ├── extra_free_kbytes.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── gatekeeperd.te
│ │ ├── global_macros
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── hal_allocator.te
│ │ ├── hal_atrace.te
│ │ ├── hal_audio.te
│ │ ├── hal_audiocontrol.te
│ │ ├── hal_authgraph.te
│ │ ├── hal_authsecret.te
│ │ ├── hal_bluetooth.te
│ │ ├── hal_bootctl.te
│ │ ├── hal_broadcastradio.te
│ │ ├── hal_camera.te
│ │ ├── hal_can.te
│ │ ├── hal_cas.te
│ │ ├── hal_codec2.te
│ │ ├── hal_configstore.te
│ │ ├── hal_confirmationui.te
│ │ ├── hal_contexthub.te
│ │ ├── hal_drm.te
│ │ ├── hal_dumpstate.te
│ │ ├── hal_evs.te
│ │ ├── hal_face.te
│ │ ├── hal_fastboot.te
│ │ ├── hal_fingerprint.te
│ │ ├── hal_gatekeeper.te
│ │ ├── hal_gnss.te
│ │ ├── hal_graphics_allocator.te
│ │ ├── hal_graphics_composer.te
│ │ ├── hal_health.te
│ │ ├── hal_health_storage.te
│ │ ├── hal_identity.te
│ │ ├── hal_input_classifier.te
│ │ ├── hal_input_processor.te
│ │ ├── hal_ir.te
│ │ ├── hal_ivn.te
│ │ ├── hal_keymaster.te
│ │ ├── hal_keymint.te
│ │ ├── hal_light.te
│ │ ├── hal_lowpan.te
│ │ ├── hal_macsec.te
│ │ ├── hal_memtrack.te
│ │ ├── hal_neuralnetworks.te
│ │ ├── hal_neverallows.te
│ │ ├── hal_nfc.te
│ │ ├── hal_nlinterceptor.te
│ │ ├── hal_oemlock.te
│ │ ├── hal_omx.te
│ │ ├── hal_power.te
│ │ ├── hal_power_stats.te
│ │ ├── hal_rebootescrow.te
│ │ ├── hal_remoteaccess.te
│ │ ├── hal_remotelyprovisionedcomponent_avf.te
│ │ ├── hal_secretkeeper.te
│ │ ├── hal_secure_element.te
│ │ ├── hal_sensors.te
│ │ ├── hal_telephony.te
│ │ ├── hal_tetheroffload.te
│ │ ├── hal_thermal.te
│ │ ├── hal_threadnetwork.te
│ │ ├── hal_tv_cec.te
│ │ ├── hal_tv_hdmi_cec.te
│ │ ├── hal_tv_hdmi_connection.te
│ │ ├── hal_tv_hdmi_earc.te
│ │ ├── hal_tv_input.te
│ │ ├── hal_tv_tuner.te
│ │ ├── hal_usb.te
│ │ ├── hal_usb_gadget.te
│ │ ├── hal_uwb.te
│ │ ├── hal_vehicle.te
│ │ ├── hal_vibrator.te
│ │ ├── hal_vr.te
│ │ ├── hal_weaver.te
│ │ ├── hal_wifi.te
│ │ ├── hal_wifi_hostapd.te
│ │ ├── hal_wifi_supplicant.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hwservice.te
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── ioctl_defines
│ │ ├── ioctl_macros
│ │ ├── isolated_app.te
│ │ ├── isolated_compute_app.te
│ │ ├── kernel.te
│ │ ├── keystore.te
│ │ ├── keystore_keys.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── neverallow_macros
│ │ ├── nfc.te
│ │ ├── otapreopt_chroot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── platform_app.te
│ │ ├── postinstall.te
│ │ ├── ppp.te
│ │ ├── priv_app.te
│ │ ├── prng_seeder.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── remote_provisioning_service_server.te
│ │ ├── rkpd_app.te
│ │ ├── roles
│ │ ├── rootdisk_sysdev.te
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── scheduler_service_server.te
│ │ ├── sdcardd.te
│ │ ├── secure_element.te
│ │ ├── sensor_service_server.te
│ │ ├── service.te
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── stats_service_server.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_suspend_internal_server.te
│ │ ├── system_suspend_server.te
│ │ ├── te_macros
│ │ ├── tee.te
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── userdata_sysdev.te
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── vendor_misc_writer.te
│ │ ├── vendor_modprobe.te
│ │ ├── vendor_shell.te
│ │ ├── vendor_toolbox.te
│ │ ├── virtual_touchpad.te
│ │ ├── vndservice.te
│ │ ├── vndservicemanager.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ └── zygote.te
│ ├── 29.0
│ ├── Android.bp
│ ├── private
│ │ ├── access_vectors
│ │ ├── adbd.te
│ │ ├── apex_test_prepostinstall.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_neverallows.te
│ │ ├── app_zygote.te
│ │ ├── art_apex_boot_integrity.te
│ │ ├── art_apex_postinstall.te
│ │ ├── art_apex_preinstall.te
│ │ ├── asan_extract.te
│ │ ├── ashmemd.te
│ │ ├── atrace.te
│ │ ├── audioserver.te
│ │ ├── auditctl.te
│ │ ├── binder_in_vendor_violators.te
│ │ ├── binderservicedomain.te
│ │ ├── blank_screen.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bluetoothdomain.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── bug_map
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── clatd.te
│ │ ├── coredomain.te
│ │ ├── cppreopts.te
│ │ ├── crash_dump.te
│ │ ├── dex2oat.te
│ │ ├── dexoptanalyzer.te
│ │ ├── dhcp.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── file_contexts
│ │ ├── file_contexts_asan
│ │ ├── file_contexts_overlayfs
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fs_use
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fsverity_init.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── genfs_contexts
│ │ ├── gpuservice.te
│ │ ├── gsid.te
│ │ ├── hal_allocator_default.te
│ │ ├── halclientdomain.te
│ │ ├── halserverdomain.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hwservice_contexts
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── initial_sid_contexts
│ │ ├── initial_sids
│ │ ├── inputflinger.te
│ │ ├── install_recovery.te
│ │ ├── installd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── iw.te
│ │ ├── kernel.te
│ │ ├── keys.conf
│ │ ├── keystore.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── lpdumpd.te
│ │ ├── mac_permissions.xml
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── migrate_legacy_obb_data.te
│ │ ├── mls
│ │ ├── mls_decl
│ │ ├── mls_macros
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── nfc.te
│ │ ├── notify_traceur.te
│ │ ├── otapreopt_chroot.te
│ │ ├── otapreopt_slot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── perfprofd.te
│ │ ├── platform_app.te
│ │ ├── policy_capabilities
│ │ ├── port_contexts
│ │ ├── postinstall.te
│ │ ├── postinstall_dexopt.te
│ │ ├── ppp.te
│ │ ├── preloads_copy.te
│ │ ├── preopt2cachename.te
│ │ ├── priv_app.te
│ │ ├── profman.te
│ │ ├── property_contexts
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── roles_decl
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── sdcardd.te
│ │ ├── seapp_contexts
│ │ ├── secure_element.te
│ │ ├── security_classes
│ │ ├── service.te
│ │ ├── service_contexts
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── stats.te
│ │ ├── statsd.te
│ │ ├── storaged.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_server_startup.te
│ │ ├── system_suspend.te
│ │ ├── technical_debt.cil
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── untrusted_app_25.te
│ │ ├── untrusted_app_27.te
│ │ ├── untrusted_app_all.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── users
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── viewcompiler.te
│ │ ├── virtual_touchpad.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── wait_for_keymaster.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ └── public
│ │ ├── adbd.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_zygote.te
│ │ ├── asan_extract.te
│ │ ├── ashmemd.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── bufferhubd.te
│ │ ├── camera_service_server.te
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── clatd.te
│ │ ├── crash_dump.te
│ │ ├── device.te
│ │ ├── dhcp.te
│ │ ├── display_service_server.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── e2fs.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── global_macros
│ │ ├── gpuservice.te
│ │ ├── hal_allocator.te
│ │ ├── hal_atrace.te
│ │ ├── hal_audio.te
│ │ ├── hal_audiocontrol.te
│ │ ├── hal_authsecret.te
│ │ ├── hal_bluetooth.te
│ │ ├── hal_bootctl.te
│ │ ├── hal_broadcastradio.te
│ │ ├── hal_camera.te
│ │ ├── hal_cas.te
│ │ ├── hal_codec2.te
│ │ ├── hal_configstore.te
│ │ ├── hal_confirmationui.te
│ │ ├── hal_contexthub.te
│ │ ├── hal_drm.te
│ │ ├── hal_dumpstate.te
│ │ ├── hal_evs.te
│ │ ├── hal_face.te
│ │ ├── hal_fingerprint.te
│ │ ├── hal_gatekeeper.te
│ │ ├── hal_gnss.te
│ │ ├── hal_graphics_allocator.te
│ │ ├── hal_graphics_composer.te
│ │ ├── hal_health.te
│ │ ├── hal_health_storage.te
│ │ ├── hal_input_classifier.te
│ │ ├── hal_ir.te
│ │ ├── hal_keymaster.te
│ │ ├── hal_light.te
│ │ ├── hal_lowpan.te
│ │ ├── hal_memtrack.te
│ │ ├── hal_neuralnetworks.te
│ │ ├── hal_neverallows.te
│ │ ├── hal_nfc.te
│ │ ├── hal_oemlock.te
│ │ ├── hal_omx.te
│ │ ├── hal_power.te
│ │ ├── hal_power_stats.te
│ │ ├── hal_secure_element.te
│ │ ├── hal_sensors.te
│ │ ├── hal_telephony.te
│ │ ├── hal_tetheroffload.te
│ │ ├── hal_thermal.te
│ │ ├── hal_tv_cec.te
│ │ ├── hal_tv_input.te
│ │ ├── hal_usb.te
│ │ ├── hal_usb_gadget.te
│ │ ├── hal_vehicle.te
│ │ ├── hal_vibrator.te
│ │ ├── hal_vr.te
│ │ ├── hal_weaver.te
│ │ ├── hal_wifi.te
│ │ ├── hal_wifi_hostapd.te
│ │ ├── hal_wifi_offload.te
│ │ ├── hal_wifi_supplicant.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hwservice.te
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── inputflinger.te
│ │ ├── install_recovery.te
│ │ ├── installd.te
│ │ ├── ioctl_defines
│ │ ├── ioctl_macros
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── kernel.te
│ │ ├── keystore.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── neverallow_macros
│ │ ├── nfc.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── perfprofd.te
│ │ ├── platform_app.te
│ │ ├── postinstall.te
│ │ ├── ppp.te
│ │ ├── priv_app.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── property_contexts
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── roles
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── scheduler_service_server.te
│ │ ├── sdcardd.te
│ │ ├── secure_element.te
│ │ ├── sensor_service_server.te
│ │ ├── service.te
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── stats_service_server.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_suspend_server.te
│ │ ├── te_macros
│ │ ├── tee.te
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── vendor_misc_writer.te
│ │ ├── vendor_shell.te
│ │ ├── vendor_toolbox.te
│ │ ├── virtual_touchpad.te
│ │ ├── vndservice.te
│ │ ├── vndservicemanager.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ ├── 30.0
│ ├── Android.bp
│ ├── private
│ │ ├── access_vectors
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apex_test_prepostinstall.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_neverallows.te
│ │ ├── app_zygote.te
│ │ ├── art_apex_boot_integrity.te
│ │ ├── art_apex_postinstall.te
│ │ ├── art_apex_preinstall.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── auditctl.te
│ │ ├── automotive_display_service.te
│ │ ├── binder_in_vendor_violators.te
│ │ ├── binderservicedomain.te
│ │ ├── blank_screen.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bluetoothdomain.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── boringssl_self_test.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── bug_map
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── clatd.te
│ │ ├── compat
│ │ │ └── 29.0
│ │ │ │ ├── 29.0.cil
│ │ │ │ ├── 29.0.compat.cil
│ │ │ │ └── 29.0.ignore.cil
│ │ ├── coredomain.te
│ │ ├── cppreopts.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── derive_sdk.te
│ │ ├── dex2oat.te
│ │ ├── dexoptanalyzer.te
│ │ ├── dhcp.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── file_contexts
│ │ ├── file_contexts_asan
│ │ ├── file_contexts_overlayfs
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fs_use
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fsverity_init.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── genfs_contexts
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── gsid.te
│ │ ├── hal_allocator_default.te
│ │ ├── hal_lazy_test.te
│ │ ├── halclientdomain.te
│ │ ├── halserverdomain.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hidl_lazy_test_server.te
│ │ ├── hwservice.te
│ │ ├── hwservice_contexts
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── initial_sid_contexts
│ │ ├── initial_sids
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefecherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── iw.te
│ │ ├── kernel.te
│ │ ├── keys.conf
│ │ ├── keystore.te
│ │ ├── linkerconfig.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── lpdumpd.te
│ │ ├── mac_permissions.xml
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaprovider_app.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── migrate_legacy_obb_data.te
│ │ ├── mls
│ │ ├── mls_decl
│ │ ├── mls_macros
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── nfc.te
│ │ ├── notify_traceur.te
│ │ ├── otapreopt_chroot.te
│ │ ├── otapreopt_slot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── permissioncontroller_app.te
│ │ ├── platform_app.te
│ │ ├── policy_capabilities
│ │ ├── port_contexts
│ │ ├── postinstall.te
│ │ ├── postinstall_dexopt.te
│ │ ├── ppp.te
│ │ ├── preloads_copy.te
│ │ ├── preopt2cachename.te
│ │ ├── priv_app.te
│ │ ├── profman.te
│ │ ├── property_contexts
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── roles_decl
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── sdcardd.te
│ │ ├── seapp_contexts
│ │ ├── secure_element.te
│ │ ├── security_classes
│ │ ├── service.te
│ │ ├── service_contexts
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── snapshotctl.te
│ │ ├── stats.te
│ │ ├── statsd.te
│ │ ├── storaged.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_server_startup.te
│ │ ├── system_suspend.te
│ │ ├── technical_debt.cil
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── untrusted_app_25.te
│ │ ├── untrusted_app_27.te
│ │ ├── untrusted_app_29.te
│ │ ├── untrusted_app_all.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── users
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── viewcompiler.te
│ │ ├── virtual_touchpad.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── vzwomatrigger_app.te
│ │ ├── wait_for_keymaster.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ └── public
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_zygote.te
│ │ ├── asan_extract.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── bufferhubd.te
│ │ ├── camera_service_server.te
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── device.te
│ │ ├── dhcp.te
│ │ ├── display_service_server.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── e2fs.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── global_macros
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── hal_allocator.te
│ │ ├── hal_atrace.te
│ │ ├── hal_audio.te
│ │ ├── hal_audiocontrol.te
│ │ ├── hal_authsecret.te
│ │ ├── hal_bluetooth.te
│ │ ├── hal_bootctl.te
│ │ ├── hal_broadcastradio.te
│ │ ├── hal_camera.te
│ │ ├── hal_can.te
│ │ ├── hal_cas.te
│ │ ├── hal_codec2.te
│ │ ├── hal_configstore.te
│ │ ├── hal_confirmationui.te
│ │ ├── hal_contexthub.te
│ │ ├── hal_drm.te
│ │ ├── hal_dumpstate.te
│ │ ├── hal_evs.te
│ │ ├── hal_face.te
│ │ ├── hal_fingerprint.te
│ │ ├── hal_gatekeeper.te
│ │ ├── hal_gnss.te
│ │ ├── hal_graphics_allocator.te
│ │ ├── hal_graphics_composer.te
│ │ ├── hal_health.te
│ │ ├── hal_health_storage.te
│ │ ├── hal_identity.te
│ │ ├── hal_input_classifier.te
│ │ ├── hal_ir.te
│ │ ├── hal_keymaster.te
│ │ ├── hal_light.te
│ │ ├── hal_lowpan.te
│ │ ├── hal_memtrack.te
│ │ ├── hal_neuralnetworks.te
│ │ ├── hal_neverallows.te
│ │ ├── hal_nfc.te
│ │ ├── hal_oemlock.te
│ │ ├── hal_omx.te
│ │ ├── hal_power.te
│ │ ├── hal_power_stats.te
│ │ ├── hal_rebootescrow.te
│ │ ├── hal_secure_element.te
│ │ ├── hal_sensors.te
│ │ ├── hal_telephony.te
│ │ ├── hal_tetheroffload.te
│ │ ├── hal_thermal.te
│ │ ├── hal_tv_cec.te
│ │ ├── hal_tv_input.te
│ │ ├── hal_tv_tuner.te
│ │ ├── hal_usb.te
│ │ ├── hal_usb_gadget.te
│ │ ├── hal_vehicle.te
│ │ ├── hal_vibrator.te
│ │ ├── hal_vr.te
│ │ ├── hal_weaver.te
│ │ ├── hal_wifi.te
│ │ ├── hal_wifi_hostapd.te
│ │ ├── hal_wifi_supplicant.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hwservice.te
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── ioctl_defines
│ │ ├── ioctl_macros
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefetcherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── kernel.te
│ │ ├── keystore.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── neverallow_macros
│ │ ├── nfc.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── platform_app.te
│ │ ├── postinstall.te
│ │ ├── ppp.te
│ │ ├── priv_app.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── property_contexts
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── roles
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── scheduler_service_server.te
│ │ ├── sdcardd.te
│ │ ├── secure_element.te
│ │ ├── sensor_service_server.te
│ │ ├── service.te
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── stats_service_server.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_suspend_server.te
│ │ ├── te_macros
│ │ ├── tee.te
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── vendor_misc_writer.te
│ │ ├── vendor_shell.te
│ │ ├── vendor_toolbox.te
│ │ ├── virtual_touchpad.te
│ │ ├── vndservice.te
│ │ ├── vndservicemanager.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ ├── 31.0
│ ├── Android.bp
│ ├── private
│ │ ├── access_vectors
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apex_test_prepostinstall.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_neverallows.te
│ │ ├── app_zygote.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── auditctl.te
│ │ ├── automotive_display_service.te
│ │ ├── binderservicedomain.te
│ │ ├── blank_screen.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bluetoothdomain.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── boringssl_self_test.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── bug_map
│ │ ├── cameraserver.te
│ │ ├── canhalconfigurator.te
│ │ ├── charger.te
│ │ ├── clatd.te
│ │ ├── compat
│ │ │ ├── 29.0
│ │ │ │ ├── 29.0.cil
│ │ │ │ ├── 29.0.compat.cil
│ │ │ │ └── 29.0.ignore.cil
│ │ │ └── 30.0
│ │ │ │ ├── 30.0.cil
│ │ │ │ ├── 30.0.compat.cil
│ │ │ │ └── 30.0.ignore.cil
│ │ ├── coredomain.te
│ │ ├── cppreopts.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── crosvm.te
│ │ ├── derive_classpath.te
│ │ ├── derive_sdk.te
│ │ ├── dex2oat.te
│ │ ├── dexoptanalyzer.te
│ │ ├── dhcp.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── file_contexts
│ │ ├── file_contexts_asan
│ │ ├── file_contexts_overlayfs
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fs_use
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fsverity_init.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── genfs_contexts
│ │ ├── gki_apex_prepostinstall.te
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── gsid.te
│ │ ├── hal_allocator_default.te
│ │ ├── hal_lazy_test.te
│ │ ├── halclientdomain.te
│ │ ├── halserverdomain.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hidl_lazy_test_server.te
│ │ ├── hwservice.te
│ │ ├── hwservice_contexts
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── initial_sid_contexts
│ │ ├── initial_sids
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefecherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── iw.te
│ │ ├── kernel.te
│ │ ├── keys.conf
│ │ ├── keystore.te
│ │ ├── keystore2_key_contexts
│ │ ├── keystore_keys.te
│ │ ├── linkerconfig.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── lpdumpd.te
│ │ ├── mac_permissions.xml
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaprovider_app.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── mediatuner.te
│ │ ├── migrate_legacy_obb_data.te
│ │ ├── mls
│ │ ├── mls_decl
│ │ ├── mls_macros
│ │ ├── mlstrustedsubject.te
│ │ ├── mm_events.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── nfc.te
│ │ ├── odrefresh.te
│ │ ├── odsign.te
│ │ ├── otapreopt_chroot.te
│ │ ├── otapreopt_slot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── permissioncontroller_app.te
│ │ ├── platform_app.te
│ │ ├── policy_capabilities
│ │ ├── port_contexts
│ │ ├── postinstall.te
│ │ ├── postinstall_dexopt.te
│ │ ├── ppp.te
│ │ ├── preloads_copy.te
│ │ ├── preopt2cachename.te
│ │ ├── priv_app.te
│ │ ├── profcollectd.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── property_contexts
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── remote_prov_app.te
│ │ ├── roles_decl
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── sdcardd.te
│ │ ├── seapp_contexts
│ │ ├── secure_element.te
│ │ ├── security_classes
│ │ ├── service.te
│ │ ├── service_contexts
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── snapshotctl.te
│ │ ├── snapuserd.te
│ │ ├── stats.te
│ │ ├── statsd.te
│ │ ├── storaged.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_server_startup.te
│ │ ├── system_suspend.te
│ │ ├── technical_debt.cil
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── untrusted_app_25.te
│ │ ├── untrusted_app_27.te
│ │ ├── untrusted_app_29.te
│ │ ├── untrusted_app_all.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── users
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── viewcompiler.te
│ │ ├── virtmanager.te
│ │ ├── virtual_touchpad.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── vzwomatrigger_app.te
│ │ ├── wait_for_keymaster.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ └── public
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_zygote.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── bufferhubd.te
│ │ ├── camera_service_server.te
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── device.te
│ │ ├── dhcp.te
│ │ ├── display_service_server.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── e2fs.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── global_macros
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── hal_allocator.te
│ │ ├── hal_atrace.te
│ │ ├── hal_audio.te
│ │ ├── hal_audiocontrol.te
│ │ ├── hal_authsecret.te
│ │ ├── hal_bluetooth.te
│ │ ├── hal_bootctl.te
│ │ ├── hal_broadcastradio.te
│ │ ├── hal_camera.te
│ │ ├── hal_can.te
│ │ ├── hal_cas.te
│ │ ├── hal_codec2.te
│ │ ├── hal_configstore.te
│ │ ├── hal_confirmationui.te
│ │ ├── hal_contexthub.te
│ │ ├── hal_drm.te
│ │ ├── hal_dumpstate.te
│ │ ├── hal_evs.te
│ │ ├── hal_face.te
│ │ ├── hal_fingerprint.te
│ │ ├── hal_gatekeeper.te
│ │ ├── hal_gnss.te
│ │ ├── hal_graphics_allocator.te
│ │ ├── hal_graphics_composer.te
│ │ ├── hal_health.te
│ │ ├── hal_health_storage.te
│ │ ├── hal_identity.te
│ │ ├── hal_input_classifier.te
│ │ ├── hal_ir.te
│ │ ├── hal_keymaster.te
│ │ ├── hal_keymint.te
│ │ ├── hal_light.te
│ │ ├── hal_lowpan.te
│ │ ├── hal_memtrack.te
│ │ ├── hal_neuralnetworks.te
│ │ ├── hal_neverallows.te
│ │ ├── hal_nfc.te
│ │ ├── hal_oemlock.te
│ │ ├── hal_omx.te
│ │ ├── hal_power.te
│ │ ├── hal_power_stats.te
│ │ ├── hal_rebootescrow.te
│ │ ├── hal_secure_element.te
│ │ ├── hal_sensors.te
│ │ ├── hal_telephony.te
│ │ ├── hal_tetheroffload.te
│ │ ├── hal_thermal.te
│ │ ├── hal_tv_cec.te
│ │ ├── hal_tv_input.te
│ │ ├── hal_tv_tuner.te
│ │ ├── hal_usb.te
│ │ ├── hal_usb_gadget.te
│ │ ├── hal_vehicle.te
│ │ ├── hal_vibrator.te
│ │ ├── hal_vr.te
│ │ ├── hal_weaver.te
│ │ ├── hal_wifi.te
│ │ ├── hal_wifi_hostapd.te
│ │ ├── hal_wifi_supplicant.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hwservice.te
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── ioctl_defines
│ │ ├── ioctl_macros
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefetcherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── kernel.te
│ │ ├── keystore.te
│ │ ├── keystore_keys.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── neverallow_macros
│ │ ├── nfc.te
│ │ ├── otapreopt_chroot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── platform_app.te
│ │ ├── postinstall.te
│ │ ├── ppp.te
│ │ ├── priv_app.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── roles
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── scheduler_service_server.te
│ │ ├── sdcardd.te
│ │ ├── secure_element.te
│ │ ├── sensor_service_server.te
│ │ ├── service.te
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── stats_service_server.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_suspend_internal_server.te
│ │ ├── system_suspend_server.te
│ │ ├── te_macros
│ │ ├── tee.te
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── userdata_sysdev.te
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── vendor_misc_writer.te
│ │ ├── vendor_modprobe.te
│ │ ├── vendor_shell.te
│ │ ├── vendor_toolbox.te
│ │ ├── virtual_touchpad.te
│ │ ├── vndservice.te
│ │ ├── vndservicemanager.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ ├── 32.0
│ ├── Android.bp
│ ├── private
│ │ ├── access_vectors
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apex_test_prepostinstall.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_neverallows.te
│ │ ├── app_zygote.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── auditctl.te
│ │ ├── automotive_display_service.te
│ │ ├── binderservicedomain.te
│ │ ├── blank_screen.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bluetoothdomain.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── boringssl_self_test.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── bug_map
│ │ ├── cameraserver.te
│ │ ├── canhalconfigurator.te
│ │ ├── charger.te
│ │ ├── clatd.te
│ │ ├── compat
│ │ │ ├── 29.0
│ │ │ │ ├── 29.0.cil
│ │ │ │ ├── 29.0.compat.cil
│ │ │ │ └── 29.0.ignore.cil
│ │ │ ├── 30.0
│ │ │ │ ├── 30.0.cil
│ │ │ │ ├── 30.0.compat.cil
│ │ │ │ └── 30.0.ignore.cil
│ │ │ └── 31.0
│ │ │ │ ├── 31.0.cil
│ │ │ │ ├── 31.0.compat.cil
│ │ │ │ └── 31.0.ignore.cil
│ │ ├── coredomain.te
│ │ ├── cppreopts.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── crosvm.te
│ │ ├── derive_classpath.te
│ │ ├── derive_sdk.te
│ │ ├── dex2oat.te
│ │ ├── dexoptanalyzer.te
│ │ ├── dhcp.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── file_contexts
│ │ ├── file_contexts_asan
│ │ ├── file_contexts_overlayfs
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fs_use
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fsverity_init.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── genfs_contexts
│ │ ├── gki_apex_prepostinstall.te
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── gsid.te
│ │ ├── hal_allocator_default.te
│ │ ├── hal_lazy_test.te
│ │ ├── halclientdomain.te
│ │ ├── halserverdomain.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hidl_lazy_test_server.te
│ │ ├── hwservice.te
│ │ ├── hwservice_contexts
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── initial_sid_contexts
│ │ ├── initial_sids
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefecherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── iw.te
│ │ ├── kernel.te
│ │ ├── keys.conf
│ │ ├── keystore.te
│ │ ├── keystore2_key_contexts
│ │ ├── keystore_keys.te
│ │ ├── linkerconfig.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── lpdumpd.te
│ │ ├── mac_permissions.xml
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaprovider_app.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── mediatuner.te
│ │ ├── migrate_legacy_obb_data.te
│ │ ├── mls
│ │ ├── mls_decl
│ │ ├── mls_macros
│ │ ├── mlstrustedsubject.te
│ │ ├── mm_events.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── nfc.te
│ │ ├── odrefresh.te
│ │ ├── odsign.te
│ │ ├── otapreopt_chroot.te
│ │ ├── otapreopt_slot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── permissioncontroller_app.te
│ │ ├── platform_app.te
│ │ ├── policy_capabilities
│ │ ├── port_contexts
│ │ ├── postinstall.te
│ │ ├── postinstall_dexopt.te
│ │ ├── ppp.te
│ │ ├── preloads_copy.te
│ │ ├── preopt2cachename.te
│ │ ├── priv_app.te
│ │ ├── profcollectd.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── property_contexts
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── remote_prov_app.te
│ │ ├── roles_decl
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── sdcardd.te
│ │ ├── seapp_contexts
│ │ ├── secure_element.te
│ │ ├── security_classes
│ │ ├── service.te
│ │ ├── service_contexts
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── snapshotctl.te
│ │ ├── snapuserd.te
│ │ ├── stats.te
│ │ ├── statsd.te
│ │ ├── storaged.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_server_startup.te
│ │ ├── system_suspend.te
│ │ ├── technical_debt.cil
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── untrusted_app_25.te
│ │ ├── untrusted_app_27.te
│ │ ├── untrusted_app_29.te
│ │ ├── untrusted_app_all.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── users
│ │ ├── vdc.te
│ │ ├── vehicle_binding_util.te
│ │ ├── vendor_init.te
│ │ ├── viewcompiler.te
│ │ ├── virtmanager.te
│ │ ├── virtual_touchpad.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── vzwomatrigger_app.te
│ │ ├── wait_for_keymaster.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ └── public
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_zygote.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── bufferhubd.te
│ │ ├── camera_service_server.te
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── device.te
│ │ ├── dhcp.te
│ │ ├── display_service_server.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── e2fs.te
│ │ ├── ephemeral_app.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── global_macros
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── hal_allocator.te
│ │ ├── hal_atrace.te
│ │ ├── hal_audio.te
│ │ ├── hal_audiocontrol.te
│ │ ├── hal_authsecret.te
│ │ ├── hal_bluetooth.te
│ │ ├── hal_bootctl.te
│ │ ├── hal_broadcastradio.te
│ │ ├── hal_camera.te
│ │ ├── hal_can.te
│ │ ├── hal_cas.te
│ │ ├── hal_codec2.te
│ │ ├── hal_configstore.te
│ │ ├── hal_confirmationui.te
│ │ ├── hal_contexthub.te
│ │ ├── hal_drm.te
│ │ ├── hal_dumpstate.te
│ │ ├── hal_evs.te
│ │ ├── hal_face.te
│ │ ├── hal_fingerprint.te
│ │ ├── hal_gatekeeper.te
│ │ ├── hal_gnss.te
│ │ ├── hal_graphics_allocator.te
│ │ ├── hal_graphics_composer.te
│ │ ├── hal_health.te
│ │ ├── hal_health_storage.te
│ │ ├── hal_identity.te
│ │ ├── hal_input_classifier.te
│ │ ├── hal_ir.te
│ │ ├── hal_keymaster.te
│ │ ├── hal_keymint.te
│ │ ├── hal_light.te
│ │ ├── hal_lowpan.te
│ │ ├── hal_memtrack.te
│ │ ├── hal_neuralnetworks.te
│ │ ├── hal_neverallows.te
│ │ ├── hal_nfc.te
│ │ ├── hal_oemlock.te
│ │ ├── hal_omx.te
│ │ ├── hal_power.te
│ │ ├── hal_power_stats.te
│ │ ├── hal_rebootescrow.te
│ │ ├── hal_secure_element.te
│ │ ├── hal_sensors.te
│ │ ├── hal_telephony.te
│ │ ├── hal_tetheroffload.te
│ │ ├── hal_thermal.te
│ │ ├── hal_tv_cec.te
│ │ ├── hal_tv_input.te
│ │ ├── hal_tv_tuner.te
│ │ ├── hal_usb.te
│ │ ├── hal_usb_gadget.te
│ │ ├── hal_vehicle.te
│ │ ├── hal_vibrator.te
│ │ ├── hal_vr.te
│ │ ├── hal_weaver.te
│ │ ├── hal_wifi.te
│ │ ├── hal_wifi_hostapd.te
│ │ ├── hal_wifi_supplicant.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hwservice.te
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── ioctl_defines
│ │ ├── ioctl_macros
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefetcherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── kernel.te
│ │ ├── keystore.te
│ │ ├── keystore_keys.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── neverallow_macros
│ │ ├── nfc.te
│ │ ├── otapreopt_chroot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── platform_app.te
│ │ ├── postinstall.te
│ │ ├── ppp.te
│ │ ├── priv_app.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── roles
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── scheduler_service_server.te
│ │ ├── sdcardd.te
│ │ ├── secure_element.te
│ │ ├── sensor_service_server.te
│ │ ├── service.te
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── stats_service_server.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_suspend_internal_server.te
│ │ ├── system_suspend_server.te
│ │ ├── te_macros
│ │ ├── tee.te
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── userdata_sysdev.te
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── vendor_misc_writer.te
│ │ ├── vendor_modprobe.te
│ │ ├── vendor_shell.te
│ │ ├── vendor_toolbox.te
│ │ ├── virtual_touchpad.te
│ │ ├── vndservice.te
│ │ ├── vndservicemanager.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vr_hwc.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ ├── 33.0
│ ├── Android.bp
│ ├── private
│ │ ├── access_vectors
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apex_test_prepostinstall.te
│ │ ├── apexd.te
│ │ ├── apexd_derive_classpath.te
│ │ ├── app.te
│ │ ├── app_neverallows.te
│ │ ├── app_zygote.te
│ │ ├── artd.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── auditctl.te
│ │ ├── automotive_display_service.te
│ │ ├── binderservicedomain.te
│ │ ├── blank_screen.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bluetoothdomain.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── boringssl_self_test.te
│ │ ├── bpfdomain.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── bug_map
│ │ ├── cameraserver.te
│ │ ├── canhalconfigurator.te
│ │ ├── charger.te
│ │ ├── charger_type.te
│ │ ├── clatd.te
│ │ ├── compat
│ │ │ ├── 29.0
│ │ │ │ ├── 29.0.cil
│ │ │ │ ├── 29.0.compat.cil
│ │ │ │ └── 29.0.ignore.cil
│ │ │ ├── 30.0
│ │ │ │ ├── 30.0.cil
│ │ │ │ ├── 30.0.compat.cil
│ │ │ │ └── 30.0.ignore.cil
│ │ │ ├── 31.0
│ │ │ │ ├── 31.0.cil
│ │ │ │ ├── 31.0.compat.cil
│ │ │ │ └── 31.0.ignore.cil
│ │ │ └── 32.0
│ │ │ │ ├── 32.0.cil
│ │ │ │ ├── 32.0.compat.cil
│ │ │ │ └── 32.0.ignore.cil
│ │ ├── compos_fd_server.te
│ │ ├── compos_verify.te
│ │ ├── composd.te
│ │ ├── coredomain.te
│ │ ├── cppreopts.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── crosvm.te
│ │ ├── derive_classpath.te
│ │ ├── derive_sdk.te
│ │ ├── dex2oat.te
│ │ ├── dexoptanalyzer.te
│ │ ├── dhcp.te
│ │ ├── diced.te
│ │ ├── dmesgd.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── ephemeral_app.te
│ │ ├── evsmanagerd.te
│ │ ├── extra_free_kbytes.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── file_contexts
│ │ ├── file_contexts_asan
│ │ ├── file_contexts_overlayfs
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fs_use
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── fsverity_init.te
│ │ ├── fwk_bufferhub.te
│ │ ├── gatekeeperd.te
│ │ ├── genfs_contexts
│ │ ├── gki_apex_prepostinstall.te
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── gsid.te
│ │ ├── hal_allocator_default.te
│ │ ├── hal_lazy_test.te
│ │ ├── halclientdomain.te
│ │ ├── halserverdomain.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hidl_lazy_test_server.te
│ │ ├── hwservice.te
│ │ ├── hwservice_contexts
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── initial_sid_contexts
│ │ ├── initial_sids
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefecherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── iw.te
│ │ ├── kernel.te
│ │ ├── keys.conf
│ │ ├── keystore.te
│ │ ├── keystore2_key_contexts
│ │ ├── keystore_keys.te
│ │ ├── linkerconfig.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── lpdumpd.te
│ │ ├── mac_permissions.xml
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaprovider_app.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── mediatuner.te
│ │ ├── migrate_legacy_obb_data.te
│ │ ├── mls
│ │ ├── mls_decl
│ │ ├── mls_macros
│ │ ├── mlstrustedsubject.te
│ │ ├── mm_events.te
│ │ ├── modprobe.te
│ │ ├── mtectrl.te
│ │ ├── mtp.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── nfc.te
│ │ ├── odrefresh.te
│ │ ├── odsign.te
│ │ ├── otapreopt_chroot.te
│ │ ├── otapreopt_slot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── permissioncontroller_app.te
│ │ ├── platform_app.te
│ │ ├── policy_capabilities
│ │ ├── port_contexts
│ │ ├── postinstall.te
│ │ ├── postinstall_dexopt.te
│ │ ├── ppp.te
│ │ ├── preloads_copy.te
│ │ ├── preopt2cachename.te
│ │ ├── priv_app.te
│ │ ├── prng_seeder.te
│ │ ├── profcollectd.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── property_contexts
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── remote_prov_app.te
│ │ ├── remount.te
│ │ ├── roles_decl
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── sdcardd.te
│ │ ├── sdk_sandbox.te
│ │ ├── seapp_contexts
│ │ ├── secure_element.te
│ │ ├── security_classes
│ │ ├── service.te
│ │ ├── service_contexts
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── simpleperf_boot.te
│ │ ├── slideshow.te
│ │ ├── snapshotctl.te
│ │ ├── snapuserd.te
│ │ ├── stats.te
│ │ ├── statsd.te
│ │ ├── storaged.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_server_startup.te
│ │ ├── system_suspend.te
│ │ ├── technical_debt.cil
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── untrusted_app_25.te
│ │ ├── untrusted_app_27.te
│ │ ├── untrusted_app_29.te
│ │ ├── untrusted_app_30.te
│ │ ├── untrusted_app_all.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── users
│ │ ├── vdc.te
│ │ ├── vehicle_binding_util.te
│ │ ├── vendor_init.te
│ │ ├── viewcompiler.te
│ │ ├── virtual_touchpad.te
│ │ ├── virtualizationservice.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── vzwomatrigger_app.te
│ │ ├── wait_for_keymaster.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ └── public
│ │ ├── adbd.te
│ │ ├── aidl_lazy_test_server.te
│ │ ├── apexd.te
│ │ ├── app.te
│ │ ├── app_zygote.te
│ │ ├── asan_extract.te
│ │ ├── atrace.te
│ │ ├── attributes
│ │ ├── audioserver.te
│ │ ├── blkid.te
│ │ ├── blkid_untrusted.te
│ │ ├── bluetooth.te
│ │ ├── bootanim.te
│ │ ├── bootstat.te
│ │ ├── bpfloader.te
│ │ ├── bufferhubd.te
│ │ ├── camera_service_server.te
│ │ ├── cameraserver.te
│ │ ├── charger.te
│ │ ├── charger_type.te
│ │ ├── charger_vendor.te
│ │ ├── crash_dump.te
│ │ ├── credstore.te
│ │ ├── device.te
│ │ ├── dhcp.te
│ │ ├── diced.te
│ │ ├── display_service_server.te
│ │ ├── dnsmasq.te
│ │ ├── domain.te
│ │ ├── drmserver.te
│ │ ├── dumpstate.te
│ │ ├── e2fs.te
│ │ ├── ephemeral_app.te
│ │ ├── evsmanagerd.te
│ │ ├── extra_free_kbytes.te
│ │ ├── fastbootd.te
│ │ ├── file.te
│ │ ├── fingerprintd.te
│ │ ├── flags_health_check.te
│ │ ├── fsck.te
│ │ ├── fsck_untrusted.te
│ │ ├── gatekeeperd.te
│ │ ├── global_macros
│ │ ├── gmscore_app.te
│ │ ├── gpuservice.te
│ │ ├── hal_allocator.te
│ │ ├── hal_atrace.te
│ │ ├── hal_audio.te
│ │ ├── hal_audiocontrol.te
│ │ ├── hal_authsecret.te
│ │ ├── hal_bluetooth.te
│ │ ├── hal_bootctl.te
│ │ ├── hal_broadcastradio.te
│ │ ├── hal_camera.te
│ │ ├── hal_can.te
│ │ ├── hal_cas.te
│ │ ├── hal_codec2.te
│ │ ├── hal_configstore.te
│ │ ├── hal_confirmationui.te
│ │ ├── hal_contexthub.te
│ │ ├── hal_dice.te
│ │ ├── hal_drm.te
│ │ ├── hal_dumpstate.te
│ │ ├── hal_evs.te
│ │ ├── hal_face.te
│ │ ├── hal_fingerprint.te
│ │ ├── hal_gatekeeper.te
│ │ ├── hal_gnss.te
│ │ ├── hal_graphics_allocator.te
│ │ ├── hal_graphics_composer.te
│ │ ├── hal_health.te
│ │ ├── hal_health_storage.te
│ │ ├── hal_identity.te
│ │ ├── hal_input_classifier.te
│ │ ├── hal_input_processor.te
│ │ ├── hal_ir.te
│ │ ├── hal_keymaster.te
│ │ ├── hal_keymint.te
│ │ ├── hal_light.te
│ │ ├── hal_lowpan.te
│ │ ├── hal_memtrack.te
│ │ ├── hal_neuralnetworks.te
│ │ ├── hal_neverallows.te
│ │ ├── hal_nfc.te
│ │ ├── hal_nlinterceptor.te
│ │ ├── hal_oemlock.te
│ │ ├── hal_omx.te
│ │ ├── hal_power.te
│ │ ├── hal_power_stats.te
│ │ ├── hal_rebootescrow.te
│ │ ├── hal_secure_element.te
│ │ ├── hal_sensors.te
│ │ ├── hal_telephony.te
│ │ ├── hal_tetheroffload.te
│ │ ├── hal_thermal.te
│ │ ├── hal_tv_cec.te
│ │ ├── hal_tv_input.te
│ │ ├── hal_tv_tuner.te
│ │ ├── hal_usb.te
│ │ ├── hal_usb_gadget.te
│ │ ├── hal_uwb.te
│ │ ├── hal_vehicle.te
│ │ ├── hal_vibrator.te
│ │ ├── hal_vr.te
│ │ ├── hal_weaver.te
│ │ ├── hal_wifi.te
│ │ ├── hal_wifi_hostapd.te
│ │ ├── hal_wifi_supplicant.te
│ │ ├── healthd.te
│ │ ├── heapprofd.te
│ │ ├── hwservice.te
│ │ ├── hwservicemanager.te
│ │ ├── idmap.te
│ │ ├── incident.te
│ │ ├── incident_helper.te
│ │ ├── incidentd.te
│ │ ├── init.te
│ │ ├── inputflinger.te
│ │ ├── installd.te
│ │ ├── ioctl_defines
│ │ ├── ioctl_macros
│ │ ├── iorap_inode2filename.te
│ │ ├── iorap_prefetcherd.te
│ │ ├── iorapd.te
│ │ ├── isolated_app.te
│ │ ├── kernel.te
│ │ ├── keystore.te
│ │ ├── keystore_keys.te
│ │ ├── llkd.te
│ │ ├── lmkd.te
│ │ ├── logd.te
│ │ ├── logpersist.te
│ │ ├── mdnsd.te
│ │ ├── mediadrmserver.te
│ │ ├── mediaextractor.te
│ │ ├── mediametrics.te
│ │ ├── mediaprovider.te
│ │ ├── mediaserver.te
│ │ ├── mediaswcodec.te
│ │ ├── mediatranscoding.te
│ │ ├── modprobe.te
│ │ ├── mtp.te
│ │ ├── net.te
│ │ ├── netd.te
│ │ ├── netutils_wrapper.te
│ │ ├── network_stack.te
│ │ ├── neverallow_macros
│ │ ├── nfc.te
│ │ ├── otapreopt_chroot.te
│ │ ├── perfetto.te
│ │ ├── performanced.te
│ │ ├── platform_app.te
│ │ ├── postinstall.te
│ │ ├── ppp.te
│ │ ├── priv_app.te
│ │ ├── prng_seeder.te
│ │ ├── profman.te
│ │ ├── property.te
│ │ ├── racoon.te
│ │ ├── radio.te
│ │ ├── recovery.te
│ │ ├── recovery_persist.te
│ │ ├── recovery_refresh.te
│ │ ├── roles
│ │ ├── rootdisk_sysdev.te
│ │ ├── rs.te
│ │ ├── rss_hwm_reset.te
│ │ ├── runas.te
│ │ ├── runas_app.te
│ │ ├── scheduler_service_server.te
│ │ ├── sdcardd.te
│ │ ├── secure_element.te
│ │ ├── sensor_service_server.te
│ │ ├── service.te
│ │ ├── servicemanager.te
│ │ ├── sgdisk.te
│ │ ├── shared_relro.te
│ │ ├── shell.te
│ │ ├── simpleperf.te
│ │ ├── simpleperf_app_runner.te
│ │ ├── slideshow.te
│ │ ├── stats_service_server.te
│ │ ├── statsd.te
│ │ ├── su.te
│ │ ├── surfaceflinger.te
│ │ ├── system_app.te
│ │ ├── system_server.te
│ │ ├── system_suspend_internal_server.te
│ │ ├── system_suspend_server.te
│ │ ├── te_macros
│ │ ├── tee.te
│ │ ├── tombstoned.te
│ │ ├── toolbox.te
│ │ ├── traced.te
│ │ ├── traced_perf.te
│ │ ├── traced_probes.te
│ │ ├── traceur_app.te
│ │ ├── tzdatacheck.te
│ │ ├── ueventd.te
│ │ ├── uncrypt.te
│ │ ├── untrusted_app.te
│ │ ├── update_engine.te
│ │ ├── update_engine_common.te
│ │ ├── update_verifier.te
│ │ ├── usbd.te
│ │ ├── userdata_sysdev.te
│ │ ├── vdc.te
│ │ ├── vendor_init.te
│ │ ├── vendor_misc_writer.te
│ │ ├── vendor_modprobe.te
│ │ ├── vendor_shell.te
│ │ ├── vendor_toolbox.te
│ │ ├── virtual_touchpad.te
│ │ ├── vndservice.te
│ │ ├── vndservicemanager.te
│ │ ├── vold.te
│ │ ├── vold_prepare_subdirs.te
│ │ ├── watchdogd.te
│ │ ├── webview_zygote.te
│ │ ├── wificond.te
│ │ ├── wpantund.te
│ │ └── zygote.te
│ └── 34.0
│ ├── Android.bp
│ ├── private
│ ├── access_vectors
│ ├── adbd.te
│ ├── aidl_lazy_test_server.te
│ ├── apex_test_prepostinstall.te
│ ├── apexd.te
│ ├── apexd_derive_classpath.te
│ ├── app.te
│ ├── app_neverallows.te
│ ├── app_zygote.te
│ ├── art_boot.te
│ ├── artd.te
│ ├── asan_extract.te
│ ├── atrace.te
│ ├── attributes
│ ├── audioserver.te
│ ├── auditctl.te
│ ├── automotive_display_service.te
│ ├── binderservicedomain.te
│ ├── blank_screen.te
│ ├── blkid.te
│ ├── blkid_untrusted.te
│ ├── bluetooth.te
│ ├── bluetoothdomain.te
│ ├── bootanim.te
│ ├── bootstat.te
│ ├── boringssl_self_test.te
│ ├── bpfdomain.te
│ ├── bpfloader.te
│ ├── bufferhubd.te
│ ├── bug_map
│ ├── cameraserver.te
│ ├── canhalconfigurator.te
│ ├── charger.te
│ ├── charger_type.te
│ ├── clatd.te
│ ├── compat
│ │ ├── 29.0
│ │ │ ├── 29.0.cil
│ │ │ ├── 29.0.compat.cil
│ │ │ └── 29.0.ignore.cil
│ │ ├── 30.0
│ │ │ ├── 30.0.cil
│ │ │ ├── 30.0.compat.cil
│ │ │ └── 30.0.ignore.cil
│ │ ├── 31.0
│ │ │ ├── 31.0.cil
│ │ │ ├── 31.0.compat.cil
│ │ │ └── 31.0.ignore.cil
│ │ ├── 32.0
│ │ │ ├── 32.0.cil
│ │ │ ├── 32.0.compat.cil
│ │ │ └── 32.0.ignore.cil
│ │ └── 33.0
│ │ │ ├── 33.0.cil
│ │ │ ├── 33.0.compat.cil
│ │ │ └── 33.0.ignore.cil
│ ├── compos_fd_server.te
│ ├── compos_verify.te
│ ├── composd.te
│ ├── coredomain.te
│ ├── cppreopts.te
│ ├── crash_dump.te
│ ├── credstore.te
│ ├── crosvm.te
│ ├── derive_classpath.te
│ ├── derive_sdk.te
│ ├── device_as_webcam.te
│ ├── dex2oat.te
│ ├── dexoptanalyzer.te
│ ├── dhcp.te
│ ├── dmesgd.te
│ ├── dnsmasq.te
│ ├── domain.te
│ ├── drmserver.te
│ ├── dumpstate.te
│ ├── ephemeral_app.te
│ ├── evsmanagerd.te
│ ├── extra_free_kbytes.te
│ ├── fastbootd.te
│ ├── file.te
│ ├── file_contexts
│ ├── file_contexts_asan
│ ├── file_contexts_overlayfs
│ ├── fingerprintd.te
│ ├── flags_health_check.te
│ ├── fs_use
│ ├── fsck.te
│ ├── fsck_untrusted.te
│ ├── fsverity_init.te
│ ├── fuseblkd.te
│ ├── fuseblkd_untrusted.te
│ ├── fwk_bufferhub.te
│ ├── gatekeeperd.te
│ ├── genfs_contexts
│ ├── gki_apex_prepostinstall.te
│ ├── gmscore_app.te
│ ├── gpuservice.te
│ ├── gsid.te
│ ├── hal_allocator_default.te
│ ├── hal_lazy_test.te
│ ├── halclientdomain.te
│ ├── halserverdomain.te
│ ├── healthd.te
│ ├── heapprofd.te
│ ├── hidl_lazy_test_server.te
│ ├── hwservice.te
│ ├── hwservice_contexts
│ ├── hwservicemanager.te
│ ├── idmap.te
│ ├── incident.te
│ ├── incident_helper.te
│ ├── incidentd.te
│ ├── init.te
│ ├── initial_sid_contexts
│ ├── initial_sids
│ ├── inputflinger.te
│ ├── installd.te
│ ├── isolated_app.te
│ ├── isolated_app_all.te
│ ├── isolated_compute_app.te
│ ├── iw.te
│ ├── kernel.te
│ ├── keys.conf
│ ├── keystore.te
│ ├── keystore2_key_contexts
│ ├── keystore_keys.te
│ ├── linkerconfig.te
│ ├── llkd.te
│ ├── lmkd.te
│ ├── logd.te
│ ├── logpersist.te
│ ├── lpdumpd.te
│ ├── mac_permissions.xml
│ ├── mdnsd.te
│ ├── mediadrmserver.te
│ ├── mediaextractor.te
│ ├── mediametrics.te
│ ├── mediaprovider.te
│ ├── mediaprovider_app.te
│ ├── mediaserver.te
│ ├── mediaswcodec.te
│ ├── mediatranscoding.te
│ ├── mediatuner.te
│ ├── migrate_legacy_obb_data.te
│ ├── mls
│ ├── mls_decl
│ ├── mls_macros
│ ├── mlstrustedsubject.te
│ ├── mm_events.te
│ ├── modprobe.te
│ ├── mtectrl.te
│ ├── mtp.te
│ ├── net.te
│ ├── netd.te
│ ├── netutils_wrapper.te
│ ├── network_stack.te
│ ├── nfc.te
│ ├── odrefresh.te
│ ├── odsign.te
│ ├── otapreopt_chroot.te
│ ├── otapreopt_slot.te
│ ├── perfetto.te
│ ├── performanced.te
│ ├── permissioncontroller_app.te
│ ├── platform_app.te
│ ├── policy_capabilities
│ ├── port_contexts
│ ├── postinstall.te
│ ├── postinstall_dexopt.te
│ ├── ppp.te
│ ├── preloads_copy.te
│ ├── preopt2cachename.te
│ ├── priv_app.te
│ ├── prng_seeder.te
│ ├── profcollectd.te
│ ├── profman.te
│ ├── property.te
│ ├── property_contexts
│ ├── racoon.te
│ ├── radio.te
│ ├── recovery.te
│ ├── recovery_persist.te
│ ├── recovery_refresh.te
│ ├── remount.te
│ ├── rkpd.te
│ ├── rkpd_app.te
│ ├── roles_decl
│ ├── rs.te
│ ├── rss_hwm_reset.te
│ ├── runas.te
│ ├── runas_app.te
│ ├── sdcardd.te
│ ├── sdk_sandbox_34.te
│ ├── sdk_sandbox_all.te
│ ├── sdk_sandbox_audit.te
│ ├── sdk_sandbox_current.te
│ ├── sdk_sandbox_next.te
│ ├── seapp_contexts
│ ├── secure_element.te
│ ├── security_classes
│ ├── service.te
│ ├── service_contexts
│ ├── servicemanager.te
│ ├── sgdisk.te
│ ├── shared_relro.te
│ ├── shell.te
│ ├── simpleperf.te
│ ├── simpleperf_app_runner.te
│ ├── simpleperf_boot.te
│ ├── slideshow.te
│ ├── snapshotctl.te
│ ├── snapuserd.te
│ ├── stats.te
│ ├── statsd.te
│ ├── storaged.te
│ ├── su.te
│ ├── surfaceflinger.te
│ ├── system_app.te
│ ├── system_server.te
│ ├── system_server_startup.te
│ ├── system_suspend.te
│ ├── technical_debt.cil
│ ├── tombstoned.te
│ ├── toolbox.te
│ ├── traced.te
│ ├── traced_perf.te
│ ├── traced_probes.te
│ ├── traceur_app.te
│ ├── ueventd.te
│ ├── uncrypt.te
│ ├── untrusted_app.te
│ ├── untrusted_app_25.te
│ ├── untrusted_app_27.te
│ ├── untrusted_app_29.te
│ ├── untrusted_app_30.te
│ ├── untrusted_app_32.te
│ ├── untrusted_app_all.te
│ ├── update_engine.te
│ ├── update_engine_common.te
│ ├── update_verifier.te
│ ├── usbd.te
│ ├── users
│ ├── vdc.te
│ ├── vehicle_binding_util.te
│ ├── vendor_init.te
│ ├── viewcompiler.te
│ ├── virtual_touchpad.te
│ ├── virtualizationmanager.te
│ ├── virtualizationservice.te
│ ├── vold.te
│ ├── vold_prepare_subdirs.te
│ ├── vzwomatrigger_app.te
│ ├── wait_for_keymaster.te
│ ├── watchdogd.te
│ ├── webview_zygote.te
│ ├── wificond.te
│ └── zygote.te
│ └── public
│ ├── adbd.te
│ ├── aidl_lazy_test_server.te
│ ├── apexd.te
│ ├── app.te
│ ├── app_zygote.te
│ ├── artd.te
│ ├── asan_extract.te
│ ├── atrace.te
│ ├── attributes
│ ├── audioserver.te
│ ├── blkid.te
│ ├── blkid_untrusted.te
│ ├── bluetooth.te
│ ├── bootanim.te
│ ├── bootstat.te
│ ├── bpfloader.te
│ ├── bufferhubd.te
│ ├── camera_service_server.te
│ ├── cameraserver.te
│ ├── charger.te
│ ├── charger_type.te
│ ├── charger_vendor.te
│ ├── crash_dump.te
│ ├── credstore.te
│ ├── device.te
│ ├── dhcp.te
│ ├── display_service_server.te
│ ├── dnsmasq.te
│ ├── domain.te
│ ├── drmserver.te
│ ├── dumpstate.te
│ ├── e2fs.te
│ ├── ephemeral_app.te
│ ├── evsmanagerd.te
│ ├── extra_free_kbytes.te
│ ├── fastbootd.te
│ ├── file.te
│ ├── fingerprintd.te
│ ├── flags_health_check.te
│ ├── fsck.te
│ ├── fsck_untrusted.te
│ ├── gatekeeperd.te
│ ├── global_macros
│ ├── gmscore_app.te
│ ├── gpuservice.te
│ ├── hal_allocator.te
│ ├── hal_atrace.te
│ ├── hal_audio.te
│ ├── hal_audiocontrol.te
│ ├── hal_authsecret.te
│ ├── hal_bluetooth.te
│ ├── hal_bootctl.te
│ ├── hal_broadcastradio.te
│ ├── hal_camera.te
│ ├── hal_can.te
│ ├── hal_cas.te
│ ├── hal_codec2.te
│ ├── hal_configstore.te
│ ├── hal_confirmationui.te
│ ├── hal_contexthub.te
│ ├── hal_drm.te
│ ├── hal_dumpstate.te
│ ├── hal_evs.te
│ ├── hal_face.te
│ ├── hal_fastboot.te
│ ├── hal_fingerprint.te
│ ├── hal_gatekeeper.te
│ ├── hal_gnss.te
│ ├── hal_graphics_allocator.te
│ ├── hal_graphics_composer.te
│ ├── hal_health.te
│ ├── hal_health_storage.te
│ ├── hal_identity.te
│ ├── hal_input_classifier.te
│ ├── hal_input_processor.te
│ ├── hal_ir.te
│ ├── hal_ivn.te
│ ├── hal_keymaster.te
│ ├── hal_keymint.te
│ ├── hal_light.te
│ ├── hal_lowpan.te
│ ├── hal_memtrack.te
│ ├── hal_neuralnetworks.te
│ ├── hal_neverallows.te
│ ├── hal_nfc.te
│ ├── hal_nlinterceptor.te
│ ├── hal_oemlock.te
│ ├── hal_omx.te
│ ├── hal_power.te
│ ├── hal_power_stats.te
│ ├── hal_rebootescrow.te
│ ├── hal_remoteaccess.te
│ ├── hal_secure_element.te
│ ├── hal_sensors.te
│ ├── hal_telephony.te
│ ├── hal_tetheroffload.te
│ ├── hal_thermal.te
│ ├── hal_tv_cec.te
│ ├── hal_tv_hdmi_cec.te
│ ├── hal_tv_hdmi_connection.te
│ ├── hal_tv_hdmi_earc.te
│ ├── hal_tv_input.te
│ ├── hal_tv_tuner.te
│ ├── hal_usb.te
│ ├── hal_usb_gadget.te
│ ├── hal_uwb.te
│ ├── hal_vehicle.te
│ ├── hal_vibrator.te
│ ├── hal_vr.te
│ ├── hal_weaver.te
│ ├── hal_wifi.te
│ ├── hal_wifi_hostapd.te
│ ├── hal_wifi_supplicant.te
│ ├── healthd.te
│ ├── heapprofd.te
│ ├── hwservice.te
│ ├── hwservicemanager.te
│ ├── idmap.te
│ ├── incident.te
│ ├── incident_helper.te
│ ├── incidentd.te
│ ├── init.te
│ ├── inputflinger.te
│ ├── installd.te
│ ├── ioctl_defines
│ ├── ioctl_macros
│ ├── isolated_app.te
│ ├── isolated_compute_app.te
│ ├── kernel.te
│ ├── keystore.te
│ ├── keystore_keys.te
│ ├── llkd.te
│ ├── lmkd.te
│ ├── logd.te
│ ├── logpersist.te
│ ├── mdnsd.te
│ ├── mediadrmserver.te
│ ├── mediaextractor.te
│ ├── mediametrics.te
│ ├── mediaprovider.te
│ ├── mediaserver.te
│ ├── mediaswcodec.te
│ ├── mediatranscoding.te
│ ├── modprobe.te
│ ├── mtp.te
│ ├── net.te
│ ├── netd.te
│ ├── netutils_wrapper.te
│ ├── network_stack.te
│ ├── neverallow_macros
│ ├── nfc.te
│ ├── otapreopt_chroot.te
│ ├── perfetto.te
│ ├── performanced.te
│ ├── platform_app.te
│ ├── postinstall.te
│ ├── ppp.te
│ ├── priv_app.te
│ ├── prng_seeder.te
│ ├── profman.te
│ ├── property.te
│ ├── racoon.te
│ ├── radio.te
│ ├── recovery.te
│ ├── recovery_persist.te
│ ├── recovery_refresh.te
│ ├── remote_provisioning_service_server.te
│ ├── rkpd_app.te
│ ├── roles
│ ├── rootdisk_sysdev.te
│ ├── rs.te
│ ├── rss_hwm_reset.te
│ ├── runas.te
│ ├── runas_app.te
│ ├── scheduler_service_server.te
│ ├── sdcardd.te
│ ├── secure_element.te
│ ├── sensor_service_server.te
│ ├── service.te
│ ├── servicemanager.te
│ ├── sgdisk.te
│ ├── shared_relro.te
│ ├── shell.te
│ ├── simpleperf.te
│ ├── simpleperf_app_runner.te
│ ├── slideshow.te
│ ├── stats_service_server.te
│ ├── statsd.te
│ ├── su.te
│ ├── surfaceflinger.te
│ ├── system_app.te
│ ├── system_server.te
│ ├── system_suspend_internal_server.te
│ ├── system_suspend_server.te
│ ├── te_macros
│ ├── tee.te
│ ├── tombstoned.te
│ ├── toolbox.te
│ ├── traced.te
│ ├── traced_perf.te
│ ├── traced_probes.te
│ ├── traceur_app.te
│ ├── ueventd.te
│ ├── uncrypt.te
│ ├── untrusted_app.te
│ ├── update_engine.te
│ ├── update_engine_common.te
│ ├── update_verifier.te
│ ├── usbd.te
│ ├── userdata_sysdev.te
│ ├── vdc.te
│ ├── vendor_init.te
│ ├── vendor_misc_writer.te
│ ├── vendor_modprobe.te
│ ├── vendor_shell.te
│ ├── vendor_toolbox.te
│ ├── virtual_touchpad.te
│ ├── vndservice.te
│ ├── vndservicemanager.te
│ ├── vold.te
│ ├── vold_prepare_subdirs.te
│ ├── watchdogd.te
│ ├── webview_zygote.te
│ ├── wificond.te
│ └── zygote.te
├── private
├── access_vectors
├── aconfigd.te
├── aconfigd_mainline.te
├── adbd.te
├── adbd_common.te
├── adbd_tradeinmode.te
├── aidl_lazy_test_server.te
├── apex_test_prepostinstall.te
├── apexd.te
├── apexd_derive_classpath.te
├── app.te
├── app_neverallows.te
├── app_zygote.te
├── art_boot.te
├── art_exec.te
├── artd.te
├── asan_extract.te
├── atrace.te
├── attributes
├── audioserver.te
├── auditctl.te
├── automotive_display_service.te
├── bert_collector.te
├── binderservicedomain.te
├── blank_screen.te
├── blkid.te
├── blkid_untrusted.te
├── bluetooth.te
├── bluetoothdomain.te
├── bootanim.te
├── bootstat.te
├── boringssl_self_test.te
├── bpfdomain.te
├── bpfloader.te
├── bufferhubd.te
├── bug_map
├── camera_service_server.te
├── cameraserver.te
├── canhalconfigurator.te
├── charger.te
├── charger_type.te
├── charger_vendor.te
├── clatd.te
├── compat
│ ├── 202404
│ │ ├── 202404.cil
│ │ ├── 202404.compat.cil
│ │ └── 202404.ignore.cil
│ ├── 29.0
│ │ ├── 29.0.cil
│ │ ├── 29.0.compat.cil
│ │ └── 29.0.ignore.cil
│ ├── 30.0
│ │ ├── 30.0.cil
│ │ ├── 30.0.compat.cil
│ │ └── 30.0.ignore.cil
│ ├── 31.0
│ │ ├── 31.0.cil
│ │ ├── 31.0.compat.cil
│ │ └── 31.0.ignore.cil
│ ├── 32.0
│ │ ├── 32.0.cil
│ │ ├── 32.0.compat.cil
│ │ └── 32.0.ignore.cil
│ ├── 33.0
│ │ ├── 33.0.cil
│ │ ├── 33.0.compat.cil
│ │ └── 33.0.ignore.cil
│ └── 34.0
│ │ ├── 34.0.cil
│ │ ├── 34.0.compat.cil
│ │ └── 34.0.ignore.cil
├── compos_fd_server.te
├── compos_verify.te
├── composd.te
├── coredomain.te
├── cppreopts.te
├── crash_dump.te
├── credstore.te
├── crosvm.te
├── derive_classpath.te
├── derive_sdk.te
├── device_as_webcam.te
├── dex2oat.te
├── dexopt_chroot_setup.te
├── dexoptanalyzer.te
├── dhcp.te
├── display_service_server.te
├── dmesgd.te
├── dnsmasq.te
├── domain.te
├── drmserver.te
├── dumpstate.te
├── e2fs.te
├── early_virtmgr.te
├── ephemeral_app.te
├── evsmanagerd.te
├── extra_free_kbytes.te
├── fastbootd.te
├── file.te
├── file_contexts
├── file_contexts_asan
├── file_contexts_overlayfs
├── fingerprintd.te
├── flags_health_check.te
├── fs_use
├── fsck.te
├── fsck_untrusted.te
├── fsverity_init.te
├── fuseblkd.te
├── fuseblkd_untrusted.te
├── fwk_bufferhub.te
├── gatekeeperd.te
├── genfs_contexts
├── gki_apex_prepostinstall.te
├── gmscore_app.te
├── gpuservice.te
├── gsid.te
├── hal_allocator.te
├── hal_allocator_default.te
├── hal_atrace.te
├── hal_audio.te
├── hal_audiocontrol.te
├── hal_authgraph.te
├── hal_authsecret.te
├── hal_bluetooth.te
├── hal_bootctl.te
├── hal_broadcastradio.te
├── hal_camera.te
├── hal_can.te
├── hal_cas.te
├── hal_codec2.te
├── hal_configstore.te
├── hal_confirmationui.te
├── hal_contexthub.te
├── hal_drm.te
├── hal_dumpstate.te
├── hal_evs.te
├── hal_face.te
├── hal_fastboot.te
├── hal_fingerprint.te
├── hal_gatekeeper.te
├── hal_gnss.te
├── hal_graphics_allocator.te
├── hal_graphics_composer.te
├── hal_health.te
├── hal_health_storage.te
├── hal_identity.te
├── hal_input_classifier.te
├── hal_input_processor.te
├── hal_ir.te
├── hal_ivn.te
├── hal_keymaster.te
├── hal_keymint.te
├── hal_keymint_system.te
├── hal_lazy_test.te
├── hal_light.te
├── hal_lowpan.te
├── hal_macsec.te
├── hal_mediaquality.te
├── hal_memtrack.te
├── hal_neuralnetworks.te
├── hal_neverallows.te
├── hal_nfc.te
├── hal_nlinterceptor.te
├── hal_oemlock.te
├── hal_omx.te
├── hal_power.te
├── hal_power_stats.te
├── hal_rebootescrow.te
├── hal_remoteaccess.te
├── hal_remotelyprovisionedcomponent_avf.te
├── hal_secretkeeper.te
├── hal_secure_element.te
├── hal_sensors.te
├── hal_telephony.te
├── hal_tetheroffload.te
├── hal_thermal.te
├── hal_threadnetwork.te
├── hal_tv_cec.te
├── hal_tv_hdmi_cec.te
├── hal_tv_hdmi_connection.te
├── hal_tv_hdmi_earc.te
├── hal_tv_input.te
├── hal_tv_tuner.te
├── hal_usb.te
├── hal_usb_gadget.te
├── hal_uwb.te
├── hal_vehicle.te
├── hal_vibrator.te
├── hal_vr.te
├── hal_weaver.te
├── hal_wifi.te
├── hal_wifi_hostapd.te
├── hal_wifi_supplicant.te
├── halclientdomain.te
├── halserverdomain.te
├── healthd.te
├── heapprofd.te
├── hidl_lazy_test_server.te
├── hwservice.te
├── hwservice_contexts
├── hwservicemanager.te
├── idmap.te
├── incident.te
├── incident_helper.te
├── incidentd.te
├── init.te
├── initial_sid_contexts
├── initial_sids
├── inputflinger.te
├── installd.te
├── isolated_app.te
├── isolated_app_all.te
├── isolated_compute_app.te
├── iw.te
├── kcmdlinectrl.te
├── kernel.te
├── keys.conf
├── keystore.te
├── keystore2_key_contexts
├── keystore_keys.te
├── linkerconfig.te
├── linux_vm_setup.te
├── llkd.te
├── lmkd.te
├── logd.te
├── logpersist.te
├── lpdumpd.te
├── mac_permissions.xml
├── mdnsd.te
├── mediadrmserver.te
├── mediaextractor.te
├── mediametrics.te
├── mediaprovider.te
├── mediaprovider_app.te
├── mediaserver.te
├── mediaswcodec.te
├── mediatranscoding.te
├── mediatuner.te
├── microfuchsiad.te
├── migrate_legacy_obb_data.te
├── misctrl.te
├── mls
├── mls_decl
├── mls_macros
├── mlstrustedsubject.te
├── mm_events.te
├── mmd.te
├── modprobe.te
├── mtectrl.te
├── net.te
├── netd.te
├── netutils_wrapper.te
├── network_stack.te
├── nfc.te
├── odrefresh.te
├── odsign.te
├── ot_ctl.te
├── ot_daemon.te
├── otapreopt_chroot.te
├── otapreopt_slot.te
├── perfetto.te
├── performanced.te
├── permissioncontroller_app.te
├── platform_app.te
├── policy_capabilities
├── port_contexts
├── postinstall.te
├── postinstall_dexopt.te
├── prefetch.te
├── preloads_copy.te
├── preopt2cachename.te
├── priv_app.te
├── prng_seeder.te
├── profcollectd.te
├── profman.te
├── property.te
├── property_contexts
├── radio.te
├── recovery.te
├── recovery_persist.te
├── recovery_refresh.te
├── remote_provisioning_service_server.te
├── remount.te
├── rkp_cert_processor.te
├── rkpd.te
├── rkpd_app.te
├── roles_decl
├── rootdisk_sysdev.te
├── rs.te
├── rss_hwm_reset.te
├── runas.te
├── runas_app.te
├── scheduler_service_server.te
├── sdcardd.te
├── sdk_sandbox_34.te
├── sdk_sandbox_all.te
├── sdk_sandbox_audit.te
├── sdk_sandbox_current.te
├── sdk_sandbox_next.te
├── seapp_contexts
├── secure_element.te
├── security_classes
├── sensor_service_server.te
├── service.te
├── service_contexts
├── servicemanager.te
├── sgdisk.te
├── shared_relro.te
├── shell.te
├── simpleperf.te
├── simpleperf_app_runner.te
├── simpleperf_boot.te
├── slideshow.te
├── snapshotctl.te
├── snapuserd.te
├── stats.te
├── stats_service_server.te
├── statsd.te
├── storaged.te
├── su.te
├── surfaceflinger.te
├── system_app.te
├── system_server.te
├── system_server_startup.te
├── system_suspend.te
├── system_suspend_internal_server.te
├── system_suspend_server.te
├── technical_debt.cil
├── tee.te
├── tee_service_contexts
├── tee_services.te
├── tombstoned.te
├── toolbox.te
├── trace_redactor.te
├── traced.te
├── traced_perf.te
├── traced_probes.te
├── traceur_app.te
├── tradeinmode.te
├── ueventd.te
├── uncrypt.te
├── untrusted_app.te
├── untrusted_app_25.te
├── untrusted_app_27.te
├── untrusted_app_29.te
├── untrusted_app_30.te
├── untrusted_app_32.te
├── untrusted_app_all.te
├── update_engine.te
├── update_engine_common.te
├── update_verifier.te
├── uprobestats.te
├── usbd.te
├── userdata_sysdev.te
├── users
├── vdc.te
├── vehicle_binding_util.te
├── vendor_init.te
├── vendor_misc_writer.te
├── vendor_shell.te
├── vendor_toolbox.te
├── vfio_handler.te
├── virtual_camera.te
├── virtual_face.te
├── virtual_fingerprint.te
├── virtual_touchpad.te
├── virtualizationmanager.te
├── virtualizationservice.te
├── vmlauncher_app.te
├── vmnic.te
├── vold.te
├── vold_prepare_subdirs.te
├── vzwomatrigger_app.te
├── wait_for_keymaster.te
├── watchdogd.te
├── webview_zygote.te
├── wifi_mainline_supplicant.te
├── wificond.te
└── zygote.te
├── public
├── adbd.te
├── aidl_lazy_test_server.te
├── apexd.te
├── app.te
├── app_zygote.te
├── artd.te
├── asan_extract.te
├── atrace.te
├── attributes
├── audioserver.te
├── blkid.te
├── blkid_untrusted.te
├── bluetooth.te
├── bootanim.te
├── bootstat.te
├── bpfloader.te
├── bufferhubd.te
├── cameraserver.te
├── charger.te
├── charger_vendor.te
├── crash_dump.te
├── credstore.te
├── device.te
├── dhcp.te
├── dnsmasq.te
├── drmserver.te
├── dumpstate.te
├── e2fs.te
├── ephemeral_app.te
├── evsmanagerd.te
├── extra_free_kbytes.te
├── fastbootd.te
├── file.te
├── fingerprintd.te
├── flags_health_check.te
├── fsck.te
├── fsck_untrusted.te
├── gatekeeperd.te
├── global_macros
├── gmscore_app.te
├── gpuservice.te
├── hal_graphics_composer.te
├── healthd.te
├── heapprofd.te
├── hwservice.te
├── hwservicemanager.te
├── idmap.te
├── incident.te
├── incident_helper.te
├── incidentd.te
├── init.te
├── inputflinger.te
├── installd.te
├── ioctl_defines
├── ioctl_macros
├── isolated_app.te
├── isolated_compute_app.te
├── kernel.te
├── keystore.te
├── keystore_keys.te
├── llkd.te
├── lmkd.te
├── logd.te
├── logpersist.te
├── mdnsd.te
├── mediadrmserver.te
├── mediaextractor.te
├── mediametrics.te
├── mediaprovider.te
├── mediaserver.te
├── mediaswcodec.te
├── mediatranscoding.te
├── modprobe.te
├── mtp.te
├── net.te
├── netd.te
├── netutils_wrapper.te
├── network_stack.te
├── neverallow_macros
├── nfc.te
├── otapreopt_chroot.te
├── perfetto.te
├── performanced.te
├── platform_app.te
├── postinstall.te
├── ppp.te
├── priv_app.te
├── prng_seeder.te
├── profman.te
├── property.te
├── radio.te
├── recovery.te
├── recovery_persist.te
├── recovery_refresh.te
├── rkpd_app.te
├── roles
├── rs.te
├── rss_hwm_reset.te
├── runas.te
├── runas_app.te
├── sdcardd.te
├── secure_element.te
├── service.te
├── servicemanager.te
├── sgdisk.te
├── shared_relro.te
├── shell.te
├── simpleperf.te
├── simpleperf_app_runner.te
├── slideshow.te
├── statsd.te
├── su.te
├── surfaceflinger.te
├── system_app.te
├── system_server.te
├── te_macros
├── tee.te
├── tombstoned.te
├── toolbox.te
├── traced.te
├── traced_perf.te
├── traced_probes.te
├── traceur_app.te
├── ueventd.te
├── uncrypt.te
├── untrusted_app.te
├── update_engine.te
├── update_verifier.te
├── usbd.te
├── vdc.te
├── vendor_init.te
├── vendor_misc_writer.te
├── vendor_modprobe.te
├── vendor_shell.te
├── vendor_toolbox.te
├── virtual_touchpad.te
├── vndservice.te
├── vndservicemanager.te
├── vold.te
├── vold_prepare_subdirs.te
├── watchdogd.te
├── webview_zygote.te
├── wificond.te
└── zygote.te
├── reqd_mask
├── access_vectors
├── initial_sid_contexts
├── initial_sids
├── keys.conf
├── mac_permissions.xml
├── mls
├── mls_decl
├── mls_macros
├── property_contexts
├── reqd_mask.te
├── roles
├── roles_decl
├── seapp_contexts
├── security_classes
├── service_contexts
└── users
├── tests
├── Android.bp
├── apex_sepolicy_tests.py
├── apex_sepolicy_tests_test.py
├── check_prop_prefix.py
├── combine_maps.py
├── fc_sort.py
├── fc_sort_test.py
├── fix_policies.sh
├── include
│ └── sepol_wrap.h
├── mini_parser.py
├── policy.py
├── policy_test.py
├── searchpolicy.py
├── sepol_wrap.cpp
├── sepolicy_freeze_test.py
├── sepolicy_tests.py
└── treble_sepolicy_tests.py
├── tools
├── Android.bp
├── README
├── build_policies.sh
├── check_seapp.c
├── checkfc.c
├── finalize-vintf-resources.sh
├── fuzzer_bindings_check.py
├── insertkeys.py
├── policy_version_check.sh
├── post_process_mac_perms
├── seamendc.c
├── sepolicy-analyze
│ ├── Android.bp
│ ├── README
│ ├── attribute.c
│ ├── attribute.h
│ ├── booleans.c
│ ├── booleans.h
│ ├── dups.c
│ ├── dups.h
│ ├── neverallow.c
│ ├── neverallow.h
│ ├── perm.c
│ ├── perm.h
│ ├── sepolicy-analyze.c
│ ├── typecmp.c
│ ├── typecmp.h
│ ├── utils.c
│ └── utils.h
├── sepolicy-check.c
├── sepolicy_cleanup_check.sh
├── sepolicy_generate_compat.py
├── version_policy.c
└── whitespace.sh
├── treble_sepolicy_tests_for_release
└── Android.bp
└── vendor
├── file.te
├── file_contexts
├── hal_atrace_default.te
├── hal_audio_default.te
├── hal_audiocontrol_default.te
├── hal_authgraph_default.te
├── hal_authsecret_default.te
├── hal_bluetooth_btlinux.te
├── hal_bluetooth_default.te
├── hal_bootctl_default.te
├── hal_broadcastradio_default.te
├── hal_camera_default.te
├── hal_can_socketcan.te
├── hal_cas_default.te
├── hal_configstore_default.te
├── hal_confirmationui_default.te
├── hal_contexthub_default.te
├── hal_drm_clearkey.te
├── hal_drm_default.te
├── hal_dumpstate_default.te
├── hal_evs_default.te
├── hal_face_default.te
├── hal_fastboot_default.te
├── hal_fingerprint_default.te
├── hal_gatekeeper_default.te
├── hal_gnss_default.te
├── hal_graphics_allocator_default.te
├── hal_graphics_composer_default.te
├── hal_health_default.te
├── hal_health_storage_default.te
├── hal_identity_default.te
├── hal_input_classifier_default.te
├── hal_input_processor_default.te
├── hal_ir_default.te
├── hal_ivn_default.te
├── hal_keymaster_default.te
├── hal_keymint_default.te
├── hal_light_default.te
├── hal_lowpan_default.te
├── hal_macsec_default.te
├── hal_mediaquality_default.te
├── hal_memtrack_default.te
├── hal_nfc_default.te
├── hal_oemlock_default.te
├── hal_power_default.te
├── hal_power_stats_default.te
├── hal_radio_config_default.te
├── hal_radio_default.te
├── hal_rebootescrow_default.te
├── hal_remoteaccess_default.te
├── hal_secretkeeper_default.te
├── hal_secure_element_default.te
├── hal_sensors_default.te
├── hal_tetheroffload_default.te
├── hal_thermal_default.te
├── hal_threadnetwork_default.te
├── hal_tv_cec_default.te
├── hal_tv_hdmi_cec_default.te
├── hal_tv_hdmi_connection_default.te
├── hal_tv_hdmi_earc_default.te
├── hal_tv_input_default.te
├── hal_tv_tuner_default.te
├── hal_usb_default.te
├── hal_usb_gadget_default.te
├── hal_uwb_default.te
├── hal_vehicle_default.te
├── hal_vibrator_default.te
├── hal_vr_default.te
├── hal_weaver_default.te
├── hal_wifi_default.te
├── hal_wifi_hostapd_default.te
├── hal_wifi_supplicant_default.te
├── keys.conf
├── mac_permissions.xml
├── mediacodec.te
├── ot_rcp.te
├── rild.te
├── tee.te
├── vendor_install_recovery.te
├── vendor_misc_writer.te
├── vendor_modprobe.te
├── vndservice_contexts
├── vndservicemanager.te
└── wpa_supplicant_macsec.te
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | *.*~
3 |
--------------------------------------------------------------------------------
/METADATA:
--------------------------------------------------------------------------------
1 | third_party {
2 | license_note: "would be UNENCUMBERED save for: tests/combine_maps.py and build/soong/"
3 | license_type: NOTICE
4 | }
5 |
--------------------------------------------------------------------------------
/MODULE_LICENSE_PUBLIC_DOMAIN:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LineageOS/android_system_sepolicy/8d7c6f6a4ec8d1502e1f146c4f1e46af78832bce/MODULE_LICENSE_PUBLIC_DOMAIN
--------------------------------------------------------------------------------
/apex/apex.test-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: the optional group also matches the empty path, so the APEX root
2 | # and everything under it default to system_file.
3 | (/.*)? u:object_r:system_file:s0
4 | # Listed after the catch-all, so this entry wins for the one path it names.
5 | # NOTE(review): surfaceflinger_exec is presumably the entrypoint type of the
6 | # surfaceflinger domain; the transition rules are in .te policy, not in this file.
7 | /bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
8 |
--------------------------------------------------------------------------------
/apex/com.android.adbd-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # Exact path, listed after the catch-all so it takes precedence: only this
4 | # binary carries adbd_exec.
5 | # NOTE(review): presumably the entrypoint type for the adbd domain; confirm
6 | # against adbd.te, which is not shown here.
7 | /bin/adbd u:object_r:adbd_exec:s0
8 |
--------------------------------------------------------------------------------
/apex/com.android.adservices-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.appsearch-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.biometrics.virtual.fingerprint-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # Dots are escaped so they match a literal '.', keeping this entry pinned to the
4 | # single service binary rather than any character in those positions.
5 | /bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:virtual_fingerprint_exec:s0
6 |
--------------------------------------------------------------------------------
/apex/com.android.bluetooth-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # Matches entries below /lib and /lib64. The trailing group is not optional, so
4 | # the bare /lib and /lib64 directories fall back to the catch-all label above.
5 | # NOTE(review): com.android.car.framework, i18n and ipsec use `(/.*)?`, which also
6 | # covers the directory itself; confirm the difference is intended.
7 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
8 |
--------------------------------------------------------------------------------
/apex/com.android.bootanimation-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.btservices-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # Labels everything below /lib and /lib64; the non-optional `(/.*)` leaves the
4 | # directories themselves on the catch-all label.
5 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
6 |
--------------------------------------------------------------------------------
/apex/com.android.car.framework-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # The optional trailing group means this matches the /lib and /lib64 directories
4 | # themselves as well as everything beneath them.
5 | /lib(64)?(/.*)? u:object_r:system_lib_file:s0
6 |
--------------------------------------------------------------------------------
/apex/com.android.cellbroadcast-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.configinfrastructure-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # Exact path, listed after the catch-all so it takes precedence: only this
4 | # binary carries aconfigd_mainline_exec.
5 | # NOTE(review): presumably the entrypoint type for the aconfigd_mainline domain;
6 | # confirm against aconfigd_mainline.te, which is not shown here.
7 | /bin/aconfigd-mainline u:object_r:aconfigd_mainline_exec:s0
8 |
--------------------------------------------------------------------------------
/apex/com.android.crashrecovery-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.devicelock-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.documentsuibundle-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # Labels everything below /lib and /lib64; the non-optional `(/.*)` leaves the
4 | # directories themselves on the catch-all label.
5 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
6 |
--------------------------------------------------------------------------------
/apex/com.android.extservices-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.federatedcompute-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.geotz-file_contexts:
--------------------------------------------------------------------------------
1 | #############################
2 | # System files
3 | #
4 | (/.*)? u:object_r:system_file:s0
5 |
--------------------------------------------------------------------------------
/apex/com.android.gki-file_contexts:
--------------------------------------------------------------------------------
1 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
2 | (/.*)? u:object_r:system_file:s0
3 | # Wildcard rather than a single binary: any path starting with /bin/ (nested
4 | # paths included, since `.` also matches '/') receives the exec type.
5 | # NOTE(review): other APEX file_contexts on this page label one named binary;
6 | # confirm every file shipped under /bin/ here is meant to carry
7 | # gki_apex_prepostinstall_exec.
8 | /bin/(.*)? u:object_r:gki_apex_prepostinstall_exec:s0
9 |
--------------------------------------------------------------------------------
/apex/com.android.healthfitness-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.i18n-file_contexts:
--------------------------------------------------------------------------------
1 | #############################
2 | # System files
3 | #
4 | # Catch-all: every path in this APEX (including its root) defaults to system_file.
5 | (/.*)? u:object_r:system_file:s0
6 | # The optional trailing group means this matches the /lib and /lib64 directories
7 | # themselves as well as everything beneath them.
8 | /lib(64)?(/.*)? u:object_r:system_lib_file:s0
9 |
--------------------------------------------------------------------------------
/apex/com.android.ipsec-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*)? u:object_r:system_lib_file:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.media-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 | /bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
4 |
--------------------------------------------------------------------------------
/apex/com.android.media.swcodec-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 | /bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
4 |
--------------------------------------------------------------------------------
/apex/com.android.mediaprovider-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.neuralnetworks-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.nfcservices-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.ondevicepersonalization-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.os.statsd-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 | /bin/statsd u:object_r:statsd_exec:s0
4 |
--------------------------------------------------------------------------------
/apex/com.android.permission-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.profiling-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /bin/trace_redactor u:object_r:trace_redactor_exec:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.resolv-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.rkpd-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /bin/rkpd u:object_r:rkpd_exec:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.scheduling-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.sdkext-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /bin/derive_classpath u:object_r:derive_classpath_exec:s0
3 | /bin/derive_sdk u:object_r:derive_sdk_exec:s0
4 |
--------------------------------------------------------------------------------
/apex/com.android.telephonymodules-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.tzdata-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /etc(/.*)? u:object_r:system_zoneinfo_file:s0
3 |
4 |
--------------------------------------------------------------------------------
/apex/com.android.uprobestats-file_contexts:
--------------------------------------------------------------------------------
1 | # Default label for every path in this module.
2 | (/.*)? u:object_r:system_file:s0
3 | /bin/uprobestats u:object_r:uprobestats_exec:s0
4 | # This binary reuses the bpfloader_exec type instead of a type of its own.
5 | # NOTE(review): presumably it is meant to run in the bpfloader domain, which
6 | # would extend that domain to code shipped in this module; keep the entry an
7 | # exact path and confirm against the bpfloader policy.
8 | /bin/uprobestatsbpfload u:object_r:bpfloader_exec:s0
9 |
--------------------------------------------------------------------------------
/apex/com.android.uwb-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.vndk-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /lib(64)?(/.*) u:object_r:system_lib_file:s0
3 |
--------------------------------------------------------------------------------
/apex/com.android.webview.bootstrap-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 |
--------------------------------------------------------------------------------
/apex/com.android.wifi-file_contexts:
--------------------------------------------------------------------------------
1 | (/.*)? u:object_r:system_file:s0
2 | /bin/wpa_supplicant_mainline u:object_r:wifi_mainline_supplicant_exec:s0
3 |
--------------------------------------------------------------------------------
/build/soong/go.sum:
--------------------------------------------------------------------------------
1 | golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
2 | golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
3 |
--------------------------------------------------------------------------------
/compat/plat_sepolicy_genfs_202504.cil:
--------------------------------------------------------------------------------
1 | (genfscon sysfs "/class/udc" (u object_r sysfs_udc ((s0) (s0))))
2 |
--------------------------------------------------------------------------------
/microdroid/TEST_MAPPING:
--------------------------------------------------------------------------------
1 | {
2 | "imports": [
3 | {
4 | "path": "packages/modules/Virtualization"
5 | }
6 | ]
7 | }
8 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/access_vectors:
--------------------------------------------------------------------------------
1 | ../system/private/access_vectors
--------------------------------------------------------------------------------
/microdroid/reqd_mask/initial_sid_contexts:
--------------------------------------------------------------------------------
1 | sid reqd_mask u:r:reqd_mask_type:s0
2 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/initial_sids:
--------------------------------------------------------------------------------
1 | sid reqd_mask
2 |
3 | # FLASK
4 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/keys.conf:
--------------------------------------------------------------------------------
1 | # empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
2 | # on devices without any keys.conf or mac_permissions additions.
3 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/mac_permissions.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/mls:
--------------------------------------------------------------------------------
1 | # MLS constraint on becoming the binder context manager: set_context_mgr is
2 | # permitted only when the low level of the source (l1) equals that of the
3 | # target (l2).
4 | mlsconstrain binder { set_context_mgr } (l1 eq l2);
5 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/property_contexts:
--------------------------------------------------------------------------------
1 | # empty property_contexts file - this file is used to generate an empty
2 | # non-platform property context for devices without any property_contexts
3 | # customizations.
4 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/reqd_mask.te:
--------------------------------------------------------------------------------
1 | type reqd_mask_type;
2 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/roles:
--------------------------------------------------------------------------------
1 | role r types reqd_mask_type;
2 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/roles_decl:
--------------------------------------------------------------------------------
1 | role r;
2 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/seapp_contexts:
--------------------------------------------------------------------------------
1 | # empty seapp_contexts file - used to generate an empty seapp_contexts for
2 | # devices without any non-platform seapp_contexts customizations.
3 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/security_classes:
--------------------------------------------------------------------------------
1 | ../system/private/security_classes
--------------------------------------------------------------------------------
/microdroid/reqd_mask/service_contexts:
--------------------------------------------------------------------------------
1 | # empty service_contexts file - this file is used to generate an empty
2 | # non-platform service_context for devices without any service_contexts
3 | # customizations.
4 |
--------------------------------------------------------------------------------
/microdroid/reqd_mask/users:
--------------------------------------------------------------------------------
1 | # Declares the single SELinux user u, authorized for role r, with default
2 | # level s0 and an allowed range from s0 up to mls_systemhigh.
3 | user u roles { r } level s0 range s0 - mls_systemhigh;
4 |
--------------------------------------------------------------------------------
/microdroid/system/private/access_vectors:
--------------------------------------------------------------------------------
1 | ../../../private/access_vectors
--------------------------------------------------------------------------------
/microdroid/system/private/attributes:
--------------------------------------------------------------------------------
1 | #
2 |
--------------------------------------------------------------------------------
/microdroid/system/private/bug_map:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LineageOS/android_system_sepolicy/8d7c6f6a4ec8d1502e1f146c4f1e46af78832bce/microdroid/system/private/bug_map
--------------------------------------------------------------------------------
/microdroid/system/private/derive_classpath.te:
--------------------------------------------------------------------------------
1 | type derive_classpath_exec, system_file_type, exec_type, file_type;
2 |
--------------------------------------------------------------------------------
/microdroid/system/private/fs_use:
--------------------------------------------------------------------------------
1 | ../../../private/fs_use
--------------------------------------------------------------------------------
/microdroid/system/private/initial_sid_contexts:
--------------------------------------------------------------------------------
1 | ../../../private/initial_sid_contexts
--------------------------------------------------------------------------------
/microdroid/system/private/initial_sids:
--------------------------------------------------------------------------------
1 | ../../../private/initial_sids
--------------------------------------------------------------------------------
/microdroid/system/private/net.te:
--------------------------------------------------------------------------------
1 | ## Network types
2 | type node, node_type;
3 | type netif, netif_type;
4 | type port, port_type;
5 |
--------------------------------------------------------------------------------
/microdroid/system/private/policy_capabilities:
--------------------------------------------------------------------------------
1 | ../../../private/policy_capabilities
--------------------------------------------------------------------------------
/microdroid/system/private/port_contexts:
--------------------------------------------------------------------------------
1 | # This file can't be empty, but is unused on microdroid
2 |
--------------------------------------------------------------------------------
/microdroid/system/private/roles_decl:
--------------------------------------------------------------------------------
1 | ../../../private/roles_decl
--------------------------------------------------------------------------------
/microdroid/system/private/seapp_contexts:
--------------------------------------------------------------------------------
1 | # This file can't be empty, but is unused on microdroid
2 |
--------------------------------------------------------------------------------
/microdroid/system/private/security_classes:
--------------------------------------------------------------------------------
1 | ../../../private/security_classes
--------------------------------------------------------------------------------
/microdroid/system/private/toolbox.te:
--------------------------------------------------------------------------------
1 | typeattribute toolbox coredomain;
2 |
3 | init_daemon_domain(toolbox)
4 |
--------------------------------------------------------------------------------
/microdroid/system/private/users:
--------------------------------------------------------------------------------
1 | ../../../private/users
--------------------------------------------------------------------------------
/microdroid/system/public/ioctl_defines:
--------------------------------------------------------------------------------
1 | ../../../public/ioctl_defines
--------------------------------------------------------------------------------
/microdroid/system/public/ioctl_macros:
--------------------------------------------------------------------------------
1 | ../../../public/ioctl_macros
--------------------------------------------------------------------------------
/microdroid/system/public/roles:
--------------------------------------------------------------------------------
1 | ../../../public/roles
--------------------------------------------------------------------------------
/microdroid/vendor/file_contexts:
--------------------------------------------------------------------------------
1 | #############################
2 | # Vendor files
3 | #
4 | (/.*)? u:object_r:vendor_file:s0
5 | /etc(/.*)? u:object_r:vendor_configs_file:s0
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/aidl_lazy_test_server.te:
--------------------------------------------------------------------------------
1 | # Test-only domain setup: everything inside userdebug_or_eng is meant for
2 | # userdebug and eng builds and is left out of user-build policy.
3 | userdebug_or_eng(`
4 | typeattribute aidl_lazy_test_server coredomain;
5 |
6 | init_daemon_domain(aidl_lazy_test_server)
7 | ')
8 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app.
2 | # The permission set has no create, connect or connectto, so this rule by
3 | # itself only covers operating on a socket the client already holds.
4 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/bufferhubd.te:
--------------------------------------------------------------------------------
1 | typeattribute bufferhubd coredomain;
2 |
3 | init_daemon_domain(bufferhubd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/compat/31.0/31.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 31.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/compat/32.0/32.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 32.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/compat/33.0/33.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 33.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/compat/34.0/34.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 34.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 34.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/dhcp.te:
--------------------------------------------------------------------------------
1 | typeattribute dhcp coredomain;
2 |
3 | init_daemon_domain(dhcp)
4 | # Directories and files that dhcp creates under a system_data_file parent are
5 | # labelled dhcp_data_file instead of inheriting the parent type. This rule
6 | # only selects the label; it grants no permission by itself.
7 | type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
8 |
9 | # dhcp may set properties of these two property types.
10 | set_prop(dhcp, dhcp_prop)
11 | set_prop(dhcp, pan_result_prop)
12 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/dnsmasq.te:
--------------------------------------------------------------------------------
1 | typeattribute dnsmasq coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/fingerprintd.te:
--------------------------------------------------------------------------------
1 | typeattribute fingerprintd coredomain;
2 |
3 | init_daemon_domain(fingerprintd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/fsck.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck coredomain;
2 |
3 | init_daemon_domain(fsck)
4 |
5 | # Raw read/write access to the metadata block device node (rw_file_perms on
6 | # class blk_file). fsck_untrusted.te in this directory carries only the
7 | # coredomain attribute and has no matching rule there.
8 | allow fsck metadata_block_device:blk_file rw_file_perms;
9 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck_untrusted coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/gatekeeperd.te:
--------------------------------------------------------------------------------
1 | typeattribute gatekeeperd coredomain;
2 |
3 | init_daemon_domain(gatekeeperd)
4 |
5 | # For checking whether GSI is running
6 | get_prop(gatekeeperd, gsid_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/hal_lazy_test.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
3 | ')
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/healthd.te:
--------------------------------------------------------------------------------
1 | typeattribute healthd coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/hwservice.te:
--------------------------------------------------------------------------------
1 | type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/idmap.te:
--------------------------------------------------------------------------------
1 | typeattribute idmap coredomain;
2 |
3 | init_daemon_domain(idmap)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/inputflinger.te:
--------------------------------------------------------------------------------
1 | typeattribute inputflinger coredomain;
2 |
3 | init_daemon_domain(inputflinger)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;
2 | type iw_exec, system_file_type, exec_type, file_type;
3 |
4 | init_daemon_domain(iw)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/modprobe.te:
--------------------------------------------------------------------------------
1 | typeattribute modprobe coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/performanced.te:
--------------------------------------------------------------------------------
1 | typeattribute performanced coredomain;
2 |
3 | init_daemon_domain(performanced)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/runas.te:
--------------------------------------------------------------------------------
1 | typeattribute runas coredomain;
2 |
3 | # ndk-gdb invokes adb shell run-as, so executing a runas_exec file from the
4 | # shell domain transitions automatically into the runas domain.
5 | domain_auto_trans(shell, runas_exec, runas)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/sdcardd.te:
--------------------------------------------------------------------------------
1 | typeattribute sdcardd coredomain;
2 |
3 | # Directories and files that sdcardd creates under a system_data_file parent
4 | # are labelled media_rw_data_file. This rule only selects the label; it grants
5 | # no permission by itself.
6 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/sgdisk.te:
--------------------------------------------------------------------------------
1 | typeattribute sgdisk coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/slideshow.te:
--------------------------------------------------------------------------------
1 | typeattribute slideshow coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/uncrypt.te:
--------------------------------------------------------------------------------
1 | typeattribute uncrypt coredomain;
2 |
3 | init_daemon_domain(uncrypt)
4 |
5 | # Set a property to reboot the device.
6 | set_prop(uncrypt, powerctl_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/vdc.te:
--------------------------------------------------------------------------------
1 | typeattribute vdc coredomain;
2 |
3 | init_daemon_domain(vdc)
4 |
5 | # Allow stdin/out back to vehicle_binding_util
6 | allow vdc vehicle_binding_util:fd use;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/virtual_touchpad.te:
--------------------------------------------------------------------------------
1 | typeattribute virtual_touchpad coredomain;
2 |
3 | init_daemon_domain(virtual_touchpad)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/vzwomatrigger_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the VzwOmaTrigger app.
3 | ###
4 | type vzwomatrigger_app, domain;
5 |
6 | app_domain(vzwomatrigger_app)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;
2 |
3 | init_daemon_domain(watchdogd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/artd.te:
--------------------------------------------------------------------------------
1 | # ART service daemon.
2 | type artd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/atrace.te:
--------------------------------------------------------------------------------
1 | type atrace, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/blkid.te:
--------------------------------------------------------------------------------
1 | # blkid called from vold
2 | type blkid, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices
2 | type blkid_untrusted, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/bluetooth.te:
--------------------------------------------------------------------------------
1 | # bluetooth subsystem
2 | type bluetooth, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/bpfloader.te:
--------------------------------------------------------------------------------
1 | type bpfloader, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/charger.te:
--------------------------------------------------------------------------------
1 | type charger, charger_type, domain;
2 | type charger_exec, system_file_type, exec_type, file_type;
3 |
4 | # The system charger is a client of HIDL health HAL.
5 | hal_client_domain(charger, hal_health)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/charger_vendor.te:
--------------------------------------------------------------------------------
1 | # Context when health HAL runs charger mode
2 |
3 | type charger_vendor, charger_type, domain;
4 | hal_server_domain(charger_vendor, hal_health)
5 |
6 | # NOTE(review): bpfdomain presumably places charger_vendor among the domains
7 | # allowed to use BPF; confirm against the rules that reference bpfdomain.
8 | typeattribute charger_vendor bpfdomain;
9 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/evsmanagerd.te:
--------------------------------------------------------------------------------
1 | # evsmanager daemon
2 | type evsmanagerd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/gmscore_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the PrebuiltGMSCore app.
3 | ###
4 |
5 | type gmscore_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/gpuservice.te:
--------------------------------------------------------------------------------
1 | # gpuservice - server for gpu stats and other gpu related services
2 | type gpuservice, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 |
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/hal_ivn.te:
--------------------------------------------------------------------------------
1 | # Binder IPC from client to server. Only the client-to-server direction is
2 | # granted here (hal_vr.te, by contrast, adds the reverse binder_call for
3 | # callbacks), and the service is declared with hal_attribute_service rather
4 | # than hal_attribute_hwservice.
5 | binder_call(hal_ivn_client, hal_ivn_server)
6 |
7 | hal_attribute_service(hal_ivn, hal_ivn_service)
8 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)
3 | binder_call(hal_vr_server, hal_vr_client)
4 |
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/healthd.te:
--------------------------------------------------------------------------------
1 | # healthd - battery/charger monitoring service daemon
2 | # healthd is removed. The type is kept for backwards compatibility.
3 |
4 | type healthd, domain;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/heapprofd.te:
--------------------------------------------------------------------------------
1 | type heapprofd, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/incident_helper.te:
--------------------------------------------------------------------------------
1 | # The incident_helper is called by incidentd and
2 | # can only read/write data from/to incidentd
3 |
4 | # incident_helper
5 | type incident_helper, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/incidentd.te:
--------------------------------------------------------------------------------
1 | # incidentd
2 | type incidentd, domain;
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/isolated_compute_app.te:
--------------------------------------------------------------------------------
1 | type isolated_compute_app, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/keystore_keys.te:
--------------------------------------------------------------------------------
1 | # A keystore2 namespace for WI-FI.
2 | type wifi_key, keystore2_key_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/llkd.te:
--------------------------------------------------------------------------------
1 | # llkd Live LocK Daemon. Note the mlstrustedsubject attribute: presumably it exempts llkd from the MLS constraints applied to ordinary subjects - confirm against the mls rules, which are not part of this file.
2 | type llkd, domain, mlstrustedsubject;
3 | type llkd_exec, system_file_type, exec_type, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/mdnsd.te:
--------------------------------------------------------------------------------
1 | # mdns daemon
2 | type mdnsd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/mediaprovider.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for android.process.media, which contains both
3 | ### MediaProvider and DownloadProvider and associated services.
4 | ###
5 |
6 | type mediaprovider, domain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/mediatranscoding.te:
--------------------------------------------------------------------------------
1 | type mediatranscoding, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/mtp.te:
--------------------------------------------------------------------------------
1 | # vpn tunneling protocol manager
2 | type mtp, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/netutils_wrapper.te:
--------------------------------------------------------------------------------
1 | type netutils_wrapper, domain;
2 | type netutils_wrapper_exec, system_file_type, exec_type, file_type;
3 | # Build-time assertion: no allow rule may let any domain execute netutils_wrapper_exec without a domain transition (execute_no_trans), so the wrapper cannot run inside the domain that launched it.
4 | neverallow domain netutils_wrapper_exec:file execute_no_trans;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/network_stack.te:
--------------------------------------------------------------------------------
1 | # Network stack service app
2 | type network_stack, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/nfc.te:
--------------------------------------------------------------------------------
1 | # nfc subsystem
2 | type nfc, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/otapreopt_chroot.te:
--------------------------------------------------------------------------------
1 | # otapreopt_chroot seclabel
2 |
3 | # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
4 | type otapreopt_chroot, domain;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/perfetto.te:
--------------------------------------------------------------------------------
1 | type perfetto, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/platform_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### Apps signed with the platform key.
3 | ###
4 |
5 | type platform_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/ppp.te:
--------------------------------------------------------------------------------
1 | # Point to Point Protocol daemon
2 | type ppp, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/priv_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing privileged apps.
3 | ###
4 |
5 | type priv_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/prng_seeder.te:
--------------------------------------------------------------------------------
1 | # PRNG seeder daemon
2 | type prng_seeder, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/rkpd_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for sandboxing the remote key provisioning daemon
3 | ### app that is shipped via mainline.
4 | ###
5 |
6 | type rkpdapp, domain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/rootdisk_sysdev.te:
--------------------------------------------------------------------------------
1 | allow rootdisk_sysdev sysfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/rs.te:
--------------------------------------------------------------------------------
1 | type rs, domain, coredomain;
2 | type rs_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/rss_hwm_reset.te:
--------------------------------------------------------------------------------
1 | # rss_hwm_reset resets RSS high-water mark counters for all processes.
2 | type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/runas_app.te:
--------------------------------------------------------------------------------
1 | type runas_app, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/secure_element.te:
--------------------------------------------------------------------------------
1 | # secure_element subsystem
2 | type secure_element, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/shared_relro.te:
--------------------------------------------------------------------------------
1 | # Process which creates/updates shared RELRO files to be used by other apps.
2 | type shared_relro, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/simpleperf.te:
--------------------------------------------------------------------------------
1 | type simpleperf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/simpleperf_app_runner.te:
--------------------------------------------------------------------------------
1 | type simpleperf_app_runner, domain, mlstrustedsubject;
2 | type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)
2 | add_service(stats_service_server, fwk_stats_service)
3 |
4 | binder_use(stats_service_server)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/surfaceflinger.te:
--------------------------------------------------------------------------------
1 | # surfaceflinger - display compositor service
2 | type surfaceflinger, domain;
3 | type surfaceflinger_tmpfs, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/traced.te:
--------------------------------------------------------------------------------
1 | type traced, domain, coredomain, mlstrustedsubject;
2 | type traced_tmpfs, file_type;
3 |
4 |
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/traced_perf.te:
--------------------------------------------------------------------------------
1 | type traced_perf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/traced_probes.te:
--------------------------------------------------------------------------------
1 | type traced_probes, domain, coredomain, mlstrustedsubject;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/usbd.te:
--------------------------------------------------------------------------------
1 | type usbd, domain;
2 | type usbd_exec, system_file_type, exec_type, file_type;
3 |
4 | binder_call(usbd, servicemanager)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/userdata_sysdev.te:
--------------------------------------------------------------------------------
1 | allow userdata_sysdev sysfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/vendor_modprobe.te:
--------------------------------------------------------------------------------
1 | type vendor_modprobe, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/vndservice.te:
--------------------------------------------------------------------------------
1 | type service_manager_vndservice, vndservice_manager_type;
2 | type default_android_vndservice, vndservice_manager_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/vndservicemanager.te:
--------------------------------------------------------------------------------
1 | # vndservicemanager - the Binder context manager for vendor processes
2 | type vndservicemanager, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/202404/public/zygote.te:
--------------------------------------------------------------------------------
1 | # zygote
2 | type zygote, domain;
3 | type zygote_tmpfs, file_type;
4 | type zygote_exec, system_file_type, exec_type, file_type;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/binder_in_vendor_violators.te:
--------------------------------------------------------------------------------
1 | allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;  # every type associated with binder_in_vendor_violators (declared elsewhere; by its name an exemption list) gets read/write on the binder device node
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/blank_screen.te:
--------------------------------------------------------------------------------
1 | type blank_screen, domain, coredomain;
2 | type blank_screen_exec, exec_type, file_type, system_file_type;
3 |
4 | init_daemon_domain(blank_screen)
5 |
6 | hal_client_domain(blank_screen, hal_light)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app.
2 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/bootanim.te:
--------------------------------------------------------------------------------
1 | typeattribute bootanim coredomain;
2 |
3 | init_daemon_domain(bootanim)
4 |
5 | # b/68864350: dontaudit grants no access; it only suppresses the denial log entry when bootanim tries to search an unlabeled directory.
6 | dontaudit bootanim unlabeled:dir search;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/bootstat.te:
--------------------------------------------------------------------------------
1 | typeattribute bootstat coredomain;
2 |
3 | init_daemon_domain(bootstat)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/bufferhubd.te:
--------------------------------------------------------------------------------
1 | typeattribute bufferhubd coredomain;
2 |
3 | init_daemon_domain(bufferhubd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/cameraserver.te:
--------------------------------------------------------------------------------
1 | typeattribute cameraserver coredomain;
2 |
3 | typeattribute cameraserver camera_service_server;
4 |
5 | init_daemon_domain(cameraserver)
6 | tmpfs_domain(cameraserver)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/charger.te:
--------------------------------------------------------------------------------
1 | typeattribute charger coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/clatd.te:
--------------------------------------------------------------------------------
1 | typeattribute clatd coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/dhcp.te:
--------------------------------------------------------------------------------
1 | typeattribute dhcp coredomain;
2 | # The type_transition below makes files and dirs that dhcp creates under system_data_file parents default to the dhcp_data_file label.
3 | init_daemon_domain(dhcp)
4 | type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/dnsmasq.te:
--------------------------------------------------------------------------------
1 | typeattribute dnsmasq coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/fastbootd.te:
--------------------------------------------------------------------------------
1 | typeattribute fastbootd coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/fingerprintd.te:
--------------------------------------------------------------------------------
1 | typeattribute fingerprintd coredomain;
2 |
3 | init_daemon_domain(fingerprintd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/flags_health_check.te:
--------------------------------------------------------------------------------
1 | typeattribute flags_health_check coredomain;
2 |
3 | init_daemon_domain(flags_health_check)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/fsck.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck coredomain;
2 |
3 | init_daemon_domain(fsck)
4 | # Raw read/write access to the metadata block device node, granted to the fsck domain by this rule.
5 | allow fsck metadata_block_device:blk_file rw_file_perms;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck_untrusted coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/gatekeeperd.te:
--------------------------------------------------------------------------------
1 | typeattribute gatekeeperd coredomain;
2 |
3 | init_daemon_domain(gatekeeperd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/healthd.te:
--------------------------------------------------------------------------------
1 | typeattribute healthd coredomain;
2 |
3 | init_daemon_domain(healthd)
4 |
5 | # Allow healthd to serve health HAL
6 | hal_server_domain(healthd, hal_health)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/idmap.te:
--------------------------------------------------------------------------------
1 | typeattribute idmap coredomain;
2 |
3 | init_daemon_domain(idmap)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/inputflinger.te:
--------------------------------------------------------------------------------
1 | typeattribute inputflinger coredomain;
2 |
3 | init_daemon_domain(inputflinger)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/install_recovery.te:
--------------------------------------------------------------------------------
1 | typeattribute install_recovery coredomain;
2 |
3 | init_daemon_domain(install_recovery)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/iorapd.te:
--------------------------------------------------------------------------------
1 | typeattribute iorapd coredomain;
2 |
3 | init_daemon_domain(iorapd)
4 | tmpfs_domain(iorapd)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;
2 | type iw_exec, system_file_type, exec_type, file_type;
3 |
4 | init_daemon_domain(iw)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/lmkd.te:
--------------------------------------------------------------------------------
1 | typeattribute lmkd coredomain;
2 |
3 | init_daemon_domain(lmkd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/mediametrics.te:
--------------------------------------------------------------------------------
1 | typeattribute mediametrics coredomain;
2 |
3 | init_daemon_domain(mediametrics)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/mediaswcodec.te:
--------------------------------------------------------------------------------
1 | typeattribute mediaswcodec coredomain;
2 |
3 | init_daemon_domain(mediaswcodec)
4 |
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/modprobe.te:
--------------------------------------------------------------------------------
1 | typeattribute modprobe coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/mtp.te:
--------------------------------------------------------------------------------
1 | typeattribute mtp coredomain;
2 |
3 | init_daemon_domain(mtp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/performanced.te:
--------------------------------------------------------------------------------
1 | typeattribute performanced coredomain;
2 |
3 | init_daemon_domain(performanced)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/postinstall.te:
--------------------------------------------------------------------------------
1 | typeattribute postinstall coredomain;
2 |
3 | domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/ppp.te:
--------------------------------------------------------------------------------
1 | typeattribute ppp coredomain;
2 |
3 | domain_auto_trans(mtp, ppp_exec, ppp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/profman.te:
--------------------------------------------------------------------------------
1 | typeattribute profman coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/racoon.te:
--------------------------------------------------------------------------------
1 | typeattribute racoon coredomain;
2 |
3 | init_daemon_domain(racoon)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/recovery.te:
--------------------------------------------------------------------------------
1 | typeattribute recovery coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/runas.te:
--------------------------------------------------------------------------------
1 | typeattribute runas coredomain;
2 |
3 | # ndk-gdb invokes adb shell run-as, so the shell domain has to enter runas when it executes a runas_exec file; domain_auto_trans presumably sets up that automatic transition (macro defined elsewhere).
4 | domain_auto_trans(shell, runas_exec, runas)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/sdcardd.te:
--------------------------------------------------------------------------------
1 | typeattribute sdcardd coredomain;
2 | # Files and dirs that sdcardd creates under system_data_file parents default to the media_rw_data_file label.
3 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/servicemanager.te:
--------------------------------------------------------------------------------
1 | typeattribute servicemanager coredomain;
2 |
3 | init_daemon_domain(servicemanager)
4 |
5 | read_runtime_log_tags(servicemanager)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/sgdisk.te:
--------------------------------------------------------------------------------
1 | typeattribute sgdisk coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/simpleperf_app_runner.te:
--------------------------------------------------------------------------------
1 | typeattribute simpleperf_app_runner coredomain;
2 |
3 | domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/slideshow.te:
--------------------------------------------------------------------------------
1 | typeattribute slideshow coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/tombstoned.te:
--------------------------------------------------------------------------------
1 | typeattribute tombstoned coredomain;
2 |
3 | init_daemon_domain(tombstoned)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/toolbox.te:
--------------------------------------------------------------------------------
1 | typeattribute toolbox coredomain;
2 |
3 | init_daemon_domain(toolbox)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/tzdatacheck.te:
--------------------------------------------------------------------------------
1 | typeattribute tzdatacheck coredomain;
2 |
3 | init_daemon_domain(tzdatacheck)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/ueventd.te:
--------------------------------------------------------------------------------
1 | typeattribute ueventd coredomain;
2 |
3 | tmpfs_domain(ueventd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/uncrypt.te:
--------------------------------------------------------------------------------
1 | typeattribute uncrypt coredomain;
2 |
3 | init_daemon_domain(uncrypt)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/update_engine.te:
--------------------------------------------------------------------------------
1 | typeattribute update_engine coredomain;
2 |
3 | init_daemon_domain(update_engine);
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/update_verifier.te:
--------------------------------------------------------------------------------
1 | typeattribute update_verifier coredomain;
2 |
3 | init_daemon_domain(update_verifier)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/vdc.te:
--------------------------------------------------------------------------------
1 | typeattribute vdc coredomain;
2 |
3 | init_daemon_domain(vdc)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/virtual_touchpad.te:
--------------------------------------------------------------------------------
1 | typeattribute virtual_touchpad coredomain;
2 |
3 | init_daemon_domain(virtual_touchpad)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/vr_hwc.te:
--------------------------------------------------------------------------------
1 | typeattribute vr_hwc coredomain;
2 |
3 | # Daemon started by init.
4 | init_daemon_domain(vr_hwc)
5 |
6 | hal_server_domain(vr_hwc, hal_graphics_composer)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;
2 |
3 | init_daemon_domain(watchdogd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/wificond.te:
--------------------------------------------------------------------------------
1 | typeattribute wificond coredomain;
2 |
3 | init_daemon_domain(wificond)
4 | hal_client_domain(wificond, hal_wifi_offload)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/private/wpantund.te:
--------------------------------------------------------------------------------
1 | typeattribute wpantund coredomain;
2 |
3 | init_daemon_domain(wpantund)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/ashmemd.te:
--------------------------------------------------------------------------------
1 | type ashmemd, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/audioserver.te:
--------------------------------------------------------------------------------
1 | # audioserver - audio services daemon
2 | type audioserver, domain;
3 | type audioserver_tmpfs, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/blkid.te:
--------------------------------------------------------------------------------
1 | # blkid called from vold
2 | type blkid, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices
2 | type blkid_untrusted, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/bluetooth.te:
--------------------------------------------------------------------------------
1 | # bluetooth subsystem
2 | type bluetooth, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/fwk_bufferhub.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_bufferhub_client, hal_bufferhub_server)
2 | binder_call(hal_bufferhub_server, hal_bufferhub_client)
3 |
4 | hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/gpuservice.te:
--------------------------------------------------------------------------------
1 | # gpuservice - server for gpu stats and other gpu related services
2 | type gpuservice, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 |
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_authsecret.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_authsecret_client, hal_authsecret_server)
3 |
4 | hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_confirmationui.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_confirmationui_client, hal_confirmationui_server)
3 |
4 | hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_ir.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_ir_client, hal_ir_server)
3 | binder_call(hal_ir_server, hal_ir_client)
4 |
5 | hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_memtrack.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_memtrack_client, hal_memtrack_server)
3 |
4 | hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_oemlock.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_oemlock_client, hal_oemlock_server)
3 |
4 | hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)
3 | binder_call(hal_vr_server, hal_vr_client)
4 |
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/hal_weaver.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_weaver_client, hal_weaver_server)
3 |
4 | hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/heapprofd.te:
--------------------------------------------------------------------------------
1 | type heapprofd, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/incident_helper.te:
--------------------------------------------------------------------------------
1 | # The incident_helper is called by incidentd and
2 | # can only read/write data from/to incidentd
3 |
4 | # incident_helper
5 | type incident_helper, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/incidentd.te:
--------------------------------------------------------------------------------
1 | # incidentd
2 | type incidentd, domain;
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/llkd.te:
--------------------------------------------------------------------------------
1 | # llkd Live LocK Daemon
2 | type llkd, domain, mlstrustedsubject;
3 | type llkd_exec, system_file_type, exec_type, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/mdnsd.te:
--------------------------------------------------------------------------------
1 | # mdns daemon
2 | type mdnsd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/mediaprovider.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for android.process.media, which contains both
3 | ### MediaProvider and DownloadProvider and associated services.
4 | ###
5 |
6 | type mediaprovider, domain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/netutils_wrapper.te:
--------------------------------------------------------------------------------
1 | type netutils_wrapper, domain;
2 | type netutils_wrapper_exec, system_file_type, exec_type, file_type;
3 | # Build-time assertion: no domain may execute netutils_wrapper_exec without a domain transition.
4 | neverallow domain netutils_wrapper_exec:file execute_no_trans;
5 | # Any exec of the wrapper therefore has to change domain; the transition rules are not in this file.
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/network_stack.te:
--------------------------------------------------------------------------------
1 | # Network stack service app
2 | type network_stack, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/nfc.te:
--------------------------------------------------------------------------------
1 | # nfc subsystem
2 | type nfc, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/perfetto.te:
--------------------------------------------------------------------------------
1 | type perfetto, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/platform_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### Apps signed with the platform key.
3 | ###
4 |
5 | type platform_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/priv_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing privileged apps.
3 | ###
4 |
5 | type priv_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/rs.te:
--------------------------------------------------------------------------------
1 | type rs, domain, coredomain;
2 | type rs_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/rss_hwm_reset.te:
--------------------------------------------------------------------------------
1 | # rss_hwm_reset resets RSS high-water mark counters for all processes.
2 | type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/runas_app.te:
--------------------------------------------------------------------------------
1 | type runas_app, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/secure_element.te:
--------------------------------------------------------------------------------
1 | # secure_element subsystem
2 | type secure_element, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/surfaceflinger.te:
--------------------------------------------------------------------------------
1 | # surfaceflinger - display compositor service
2 | type surfaceflinger, domain;
3 | type surfaceflinger_tmpfs, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/traced.te:
--------------------------------------------------------------------------------
1 | type traced, domain, coredomain, mlstrustedsubject;
2 |
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/traced_probes.te:
--------------------------------------------------------------------------------
1 | type traced_probes, domain, coredomain, mlstrustedsubject;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/usbd.te:
--------------------------------------------------------------------------------
1 | type usbd, domain;
2 | type usbd_exec, system_file_type, exec_type, file_type;
3 | # NOTE(review): ctl_adbd_prop drives the adb daemon lifecycle; keep the set of domains that may set it small.
4 | # Start/stop adbd via ctl.start adbd
5 | set_prop(usbd, ctl_adbd_prop)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/vndservice.te:
--------------------------------------------------------------------------------
1 | type default_android_vndservice, vndservice_manager_type;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/vndservicemanager.te:
--------------------------------------------------------------------------------
1 | # vndservicemanager - the Binder context manager for vendor processes
2 | type vndservicemanager, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/29.0/public/zygote.te:
--------------------------------------------------------------------------------
1 | # zygote
2 | type zygote, domain;
3 | type zygote_tmpfs, file_type;
4 | type zygote_exec, system_file_type, exec_type, file_type;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/aidl_lazy_test_server.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | typeattribute aidl_lazy_test_server coredomain;
3 | # Test daemon. The userdebug_or_eng wrapper is expected to drop these rules from user builds - TODO confirm in te_macros.
4 | init_daemon_domain(aidl_lazy_test_server)
5 | ')
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/attributes:
--------------------------------------------------------------------------------
1 | hal_attribute(lazy_test);
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/binder_in_vendor_violators.te:
--------------------------------------------------------------------------------
1 | allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
2 | # NOTE(review): grants read/write on the binder device node to every domain carrying this attribute; audit which domains are assigned to it.
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/blank_screen.te:
--------------------------------------------------------------------------------
1 | type blank_screen, domain, coredomain;
2 | type blank_screen_exec, exec_type, file_type, system_file_type;
3 |
4 | init_daemon_domain(blank_screen)
5 |
6 | hal_client_domain(blank_screen, hal_light)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app.
2 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
3 | # The set omits create, connect, bind and listen: this rule alone lets clients operate on a socket they were handed, not open one themselves.
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/bootstat.te:
--------------------------------------------------------------------------------
1 | typeattribute bootstat coredomain;
2 |
3 | init_daemon_domain(bootstat)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/bufferhubd.te:
--------------------------------------------------------------------------------
1 | typeattribute bufferhubd coredomain;
2 |
3 | init_daemon_domain(bufferhubd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/cameraserver.te:
--------------------------------------------------------------------------------
1 | typeattribute cameraserver coredomain;
2 |
3 | typeattribute cameraserver camera_service_server;
4 |
5 | init_daemon_domain(cameraserver)
6 | tmpfs_domain(cameraserver)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/charger.te:
--------------------------------------------------------------------------------
1 | typeattribute charger coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/compat/29.0/29.0.compat.cil:
--------------------------------------------------------------------------------
1 | (typeattribute vendordomain)
2 | (typeattributeset vendordomain ((and (domain) ((not (coredomain)))))) ; every domain that is not coredomain
3 | (allow vendordomain self (netlink_route_socket (nlmsg_readpriv))) ; target is self, i.e. only its own socket
4 | ; NOTE(review): blanket grant to all non-core domains, presumably kept for 29.0 vendor policy compatibility; nlmsg_readpriv gates privileged netlink route reads - confirm the scope is still needed.
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/credstore.te:
--------------------------------------------------------------------------------
1 | typeattribute credstore coredomain;
2 |
3 | init_daemon_domain(credstore)
4 |
5 | # talk to Identity Credential
6 | hal_client_domain(credstore, hal_identity)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/dhcp.te:
--------------------------------------------------------------------------------
1 | typeattribute dhcp coredomain;
2 | # init_daemon_domain is a te_macros macro (not shown here); presumably it sets up the init -> dhcp transition on exec.
3 | init_daemon_domain(dhcp)
4 | type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
5 | # The type_transition labels files and dirs that dhcp creates inside system_data_file dirs as dhcp_data_file, keeping its state out of the generic label.
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/dnsmasq.te:
--------------------------------------------------------------------------------
1 | typeattribute dnsmasq coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/fastbootd.te:
--------------------------------------------------------------------------------
1 | typeattribute fastbootd coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/fingerprintd.te:
--------------------------------------------------------------------------------
1 | typeattribute fingerprintd coredomain;
2 |
3 | init_daemon_domain(fingerprintd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/flags_health_check.te:
--------------------------------------------------------------------------------
1 | typeattribute flags_health_check coredomain;
2 |
3 | init_daemon_domain(flags_health_check)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/fsck.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck coredomain;
2 |
3 | init_daemon_domain(fsck)
4 | # Read/write access to the block device node labelled metadata_block_device; the path-to-label mapping lives in file_contexts (not shown here).
5 | allow fsck metadata_block_device:blk_file rw_file_perms;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck_untrusted coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/gatekeeperd.te:
--------------------------------------------------------------------------------
1 | typeattribute gatekeeperd coredomain;
2 |
3 | init_daemon_domain(gatekeeperd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/hal_lazy_test.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
3 | ')
4 | # Test HAL wiring wrapped in userdebug_or_eng; presumably absent from user builds - TODO confirm in te_macros.
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/healthd.te:
--------------------------------------------------------------------------------
1 | typeattribute healthd coredomain;
2 |
3 | init_daemon_domain(healthd)
4 |
5 | # Allow healthd to serve health HAL
6 | hal_server_domain(healthd, hal_health)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/hwservice.te:
--------------------------------------------------------------------------------
1 | type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
2 | # NOTE(review): protected_hwservice presumably keeps this test HAL unreachable from untrusted apps - verify against the neverallow rules on that attribute.
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/idmap.te:
--------------------------------------------------------------------------------
1 | typeattribute idmap coredomain;
2 |
3 | init_daemon_domain(idmap)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/inputflinger.te:
--------------------------------------------------------------------------------
1 | typeattribute inputflinger coredomain;
2 |
3 | init_daemon_domain(inputflinger)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/iorap_prefecherd.te:
--------------------------------------------------------------------------------
1 | typeattribute iorap_prefetcherd coredomain;
2 |
3 | init_daemon_domain(iorap_prefetcherd)
4 | tmpfs_domain(iorap_prefetcherd)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;
2 | type iw_exec, system_file_type, exec_type, file_type;
3 |
4 | init_daemon_domain(iw)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/lmkd.te:
--------------------------------------------------------------------------------
1 | typeattribute lmkd coredomain;
2 |
3 | init_daemon_domain(lmkd)
4 |
5 | # Set lmkd.* properties.
6 | set_prop(lmkd, lmkd_prop)
7 | # Guard on who may set lmkd_prop; the braces list init, lmkd and vendor_init as the exempted domains.
8 | neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
9 | # NOTE(review): the source set above has only exclusions and no base such as domain; confirm it is not empty, otherwise this rule asserts nothing.
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/mediametrics.te:
--------------------------------------------------------------------------------
1 | typeattribute mediametrics coredomain;
2 |
3 | init_daemon_domain(mediametrics)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/mediaswcodec.te:
--------------------------------------------------------------------------------
1 | typeattribute mediaswcodec coredomain;
2 |
3 | init_daemon_domain(mediaswcodec)
4 |
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/mediatranscoding.te:
--------------------------------------------------------------------------------
1 | typeattribute mediatranscoding coredomain;
2 |
3 | init_daemon_domain(mediatranscoding)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/modprobe.te:
--------------------------------------------------------------------------------
1 | typeattribute modprobe coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/mtp.te:
--------------------------------------------------------------------------------
1 | typeattribute mtp coredomain;
2 |
3 | init_daemon_domain(mtp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/performanced.te:
--------------------------------------------------------------------------------
1 | typeattribute performanced coredomain;
2 |
3 | init_daemon_domain(performanced)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/postinstall.te:
--------------------------------------------------------------------------------
1 | typeattribute postinstall coredomain;
2 | # When postinstall executes a file labelled otapreopt_chroot_exec, the new process runs as otapreopt_chroot (argument order per te_macros, not shown here).
3 | domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/ppp.te:
--------------------------------------------------------------------------------
1 | typeattribute ppp coredomain;
2 | # mtp is the only source domain given in this file: executing ppp_exec from mtp moves the process into ppp.
3 | domain_auto_trans(mtp, ppp_exec, ppp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/profman.te:
--------------------------------------------------------------------------------
1 | typeattribute profman coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/racoon.te:
--------------------------------------------------------------------------------
1 | typeattribute racoon coredomain;
2 |
3 | init_daemon_domain(racoon)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/recovery.te:
--------------------------------------------------------------------------------
1 | typeattribute recovery coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/runas.te:
--------------------------------------------------------------------------------
1 | typeattribute runas coredomain;
2 | # Entry point from the adb shell domain: exec of runas_exec by shell transitions into runas.
3 | # ndk-gdb invokes adb shell run-as.
4 | domain_auto_trans(shell, runas_exec, runas)
5 | # NOTE(review): this rule only controls who may enter the runas domain; what runas may then do is defined elsewhere (not shown here).
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/sdcardd.te:
--------------------------------------------------------------------------------
1 | typeattribute sdcardd coredomain;
2 | # Files and dirs that sdcardd creates in system_data_file dirs are labelled media_rw_data_file instead of inheriting the parent label.
3 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/servicemanager.te:
--------------------------------------------------------------------------------
1 | typeattribute servicemanager coredomain;
2 |
3 | init_daemon_domain(servicemanager)
4 |
5 | read_runtime_log_tags(servicemanager)
6 | # NOTE(review): ctl_interface_start_prop looks like an init control property for starting services by interface - confirm; treat any ctl property write as privileged and keep writers few.
7 | set_prop(servicemanager, ctl_interface_start_prop)
8 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/sgdisk.te:
--------------------------------------------------------------------------------
1 | typeattribute sgdisk coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/simpleperf_app_runner.te:
--------------------------------------------------------------------------------
1 | typeattribute simpleperf_app_runner coredomain;
2 | # Only shell is given as a source in this file: exec of simpleperf_app_runner_exec from shell enters simpleperf_app_runner.
3 | domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/slideshow.te:
--------------------------------------------------------------------------------
1 | typeattribute slideshow coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/tombstoned.te:
--------------------------------------------------------------------------------
1 | typeattribute tombstoned coredomain;
2 |
3 | init_daemon_domain(tombstoned)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/toolbox.te:
--------------------------------------------------------------------------------
1 | typeattribute toolbox coredomain;
2 |
3 | init_daemon_domain(toolbox)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/tzdatacheck.te:
--------------------------------------------------------------------------------
1 | typeattribute tzdatacheck coredomain;
2 |
3 | init_daemon_domain(tzdatacheck)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/ueventd.te:
--------------------------------------------------------------------------------
1 | typeattribute ueventd coredomain;
2 |
3 | tmpfs_domain(ueventd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/uncrypt.te:
--------------------------------------------------------------------------------
1 | typeattribute uncrypt coredomain;
2 |
3 | init_daemon_domain(uncrypt)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/update_verifier.te:
--------------------------------------------------------------------------------
1 | typeattribute update_verifier coredomain;
2 |
3 | init_daemon_domain(update_verifier)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;
2 | # Single SELinux user u, limited to role r, default level s0, allowed range s0 up to mls_systemhigh (defined elsewhere).
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/vdc.te:
--------------------------------------------------------------------------------
1 | typeattribute vdc coredomain;
2 |
3 | init_daemon_domain(vdc)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/virtual_touchpad.te:
--------------------------------------------------------------------------------
1 | typeattribute virtual_touchpad coredomain;
2 |
3 | init_daemon_domain(virtual_touchpad)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/vr_hwc.te:
--------------------------------------------------------------------------------
1 | typeattribute vr_hwc coredomain;
2 |
3 | # Daemon started by init.
4 | init_daemon_domain(vr_hwc)
5 |
6 | hal_server_domain(vr_hwc, hal_graphics_composer)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/vzwomatrigger_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the VzwOmaTrigger app.
3 | ###
4 | type vzwomatrigger_app, domain;
5 | # app_domain comes from te_macros (not shown here); presumably it applies the common app rule set. No extra allow rules are added in this file.
6 | app_domain(vzwomatrigger_app)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;
2 |
3 | init_daemon_domain(watchdogd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/wificond.te:
--------------------------------------------------------------------------------
1 | typeattribute wificond coredomain;
2 |
3 | init_daemon_domain(wificond)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/private/wpantund.te:
--------------------------------------------------------------------------------
1 | typeattribute wpantund coredomain;
2 |
3 | init_daemon_domain(wpantund)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/blkid.te:
--------------------------------------------------------------------------------
1 | # blkid called from vold
2 | type blkid, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices
2 | type blkid_untrusted, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/bluetooth.te:
--------------------------------------------------------------------------------
1 | # bluetooth subsystem
2 | type bluetooth, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/fwk_bufferhub.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_bufferhub_client, hal_bufferhub_server)
2 | binder_call(hal_bufferhub_server, hal_bufferhub_client)
3 |
4 | hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/gmscore_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the PrebuiltGMSCore app.
3 | ###
4 |
5 | type gmscore_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/gpuservice.te:
--------------------------------------------------------------------------------
1 | # gpuservice - server for gpu stats and other gpu related services
2 | type gpuservice, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 |
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_authsecret.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_authsecret_client, hal_authsecret_server)
3 |
4 | hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_confirmationui.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_confirmationui_client, hal_confirmationui_server)  # one direction only: no server -> client rule in this file
3 |
4 | hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)  # macro lets hal_confirmationui_client find the hwservice and hal_confirmationui_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_ir.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_ir_client, hal_ir_server)  # client -> server
3 | binder_call(hal_ir_server, hal_ir_client)  # server -> client (the callback direction)
4 |
5 | hal_attribute_hwservice(hal_ir, hal_ir_hwservice)  # macro lets hal_ir_client find the hwservice and hal_ir_server register it
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_memtrack.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_memtrack_client, hal_memtrack_server)
3 |
4 | hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)  # macro lets hal_memtrack_client find the hwservice and hal_memtrack_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_oemlock.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_oemlock_client, hal_oemlock_server)  # one direction only: no server -> client rule in this file
3 |
4 | hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)  # macro lets hal_oemlock_client find the hwservice and hal_oemlock_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_tv_tuner.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_tv_tuner_client, hal_tv_tuner_server)  # client -> server binder calls
2 | binder_call(hal_tv_tuner_server, hal_tv_tuner_client)  # server -> client direction, presumably for callbacks
3 |
4 | hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)  # macro lets hal_tv_tuner_client find the hwservice and hal_tv_tuner_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)  # client -> server
3 | binder_call(hal_vr_server, hal_vr_client)  # server -> client (the callback direction)
4 |
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)  # macro lets hal_vr_client find the hwservice and hal_vr_server register it
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/hal_weaver.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_weaver_client, hal_weaver_server)  # one direction only: no server -> client rule in this file
3 |
4 | hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)  # macro lets hal_weaver_client find the hwservice and hal_weaver_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/heapprofd.te:
--------------------------------------------------------------------------------
1 | type heapprofd, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/incident_helper.te:
--------------------------------------------------------------------------------
1 | # The incident_helper is called by incidentd and
2 | # can only read/write data from/to incidentd
3 |
4 | # incident_helper
5 | type incident_helper, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/incidentd.te:
--------------------------------------------------------------------------------
1 | # incidentd
2 | type incidentd, domain;
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/llkd.te:
--------------------------------------------------------------------------------
1 | # llkd Live LocK Daemon
2 | type llkd, domain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from the MLS separation constraints; a broad exemption that should stay justified per domain
3 | type llkd_exec, system_file_type, exec_type, file_type;  # label for the llkd executable (a domain entry point stored on the system image)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/mdnsd.te:
--------------------------------------------------------------------------------
1 | # mdns daemon
2 | type mdnsd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/mediaprovider.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for android.process.media, which contains both
3 | ### MediaProvider and DownloadProvider and associated services.
4 | ###
5 |
6 | type mediaprovider, domain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/netutils_wrapper.te:
--------------------------------------------------------------------------------
1 | type netutils_wrapper, domain;  # process domain for the wrapper
2 | type netutils_wrapper_exec, system_file_type, exec_type, file_type;  # label for the wrapper executable
3 |
4 | neverallow domain netutils_wrapper_exec:file execute_no_trans;  # build-time assertion: no domain may run the wrapper inside the caller domain; executing it has to go through a domain transition
5 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/network_stack.te:
--------------------------------------------------------------------------------
1 | # Network stack service app
2 | type network_stack, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/nfc.te:
--------------------------------------------------------------------------------
1 | # nfc subsystem
2 | type nfc, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/perfetto.te:
--------------------------------------------------------------------------------
1 | type perfetto, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/platform_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### Apps signed with the platform key.
3 | ###
4 |
5 | type platform_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/priv_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing privileged apps.
3 | ###
4 |
5 | type priv_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;  # authorizes role r for every type carrying the domain attribute, i.e. role-based separation is not used here
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/rs.te:
--------------------------------------------------------------------------------
1 | type rs, domain, coredomain;
2 | type rs_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/rss_hwm_reset.te:
--------------------------------------------------------------------------------
1 | # rss_hwm_reset resets RSS high-water mark counters for all processes.
2 | type rss_hwm_reset, domain, coredomain, mlstrustedsubject;  # mlstrustedsubject exempts the domain from MLS separation, consistent with acting on all processes
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/runas_app.te:
--------------------------------------------------------------------------------
1 | type runas_app, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)  # lets the attribute register and find the hwservice; the macro also carries a neverallow that blocks every other domain from registering it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/secure_element.te:
--------------------------------------------------------------------------------
1 | # secure_element subsystem
2 | type secure_element, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)  # lets the attribute register and find the hwservice; the macro also carries a neverallow that blocks every other domain from registering it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/simpleperf.te:
--------------------------------------------------------------------------------
1 | type simpleperf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)  # lets the attribute register and find the hwservice; the macro also carries a neverallow that blocks every other domain from registering it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/surfaceflinger.te:
--------------------------------------------------------------------------------
1 | # surfaceflinger - display compositor service
2 | type surfaceflinger, domain;
3 | type surfaceflinger_tmpfs, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/traced.te:
--------------------------------------------------------------------------------
1 | type traced, domain, coredomain, mlstrustedsubject;  # core platform domain; mlstrustedsubject exempts it from the MLS separation constraints
2 |
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/traced_perf.te:
--------------------------------------------------------------------------------
1 | type traced_perf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/traced_probes.te:
--------------------------------------------------------------------------------
1 | type traced_probes, domain, coredomain, mlstrustedsubject;  # core platform domain; mlstrustedsubject exempts it from the MLS separation constraints
2 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/usbd.te:
--------------------------------------------------------------------------------
1 | type usbd, domain;  # process domain
2 | type usbd_exec, system_file_type, exec_type, file_type;  # label for the usbd executable
3 |
4 | # Start/stop adbd via ctl.start adbd
5 | set_prop(usbd, ctl_adbd_prop)  # control over the adb daemon, a debug entry point: any further holder of ctl_adbd_prop deserves review
6 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/vndservice.te:
--------------------------------------------------------------------------------
1 | type service_manager_vndservice, vndservice_manager_type;
2 | type default_android_vndservice, vndservice_manager_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/vndservicemanager.te:
--------------------------------------------------------------------------------
1 | # vndservicemanager - the Binder context manager for vendor processes
2 | type vndservicemanager, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/30.0/public/zygote.te:
--------------------------------------------------------------------------------
1 | # zygote
2 | type zygote, domain;
3 | type zygote_tmpfs, file_type;
4 | type zygote_exec, system_file_type, exec_type, file_type;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/aidl_lazy_test_server.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`  # everything up to the closing quote is compiled in on userdebug/eng builds only, not on user builds
2 | typeattribute aidl_lazy_test_server coredomain;  # core platform domain
3 |
4 | init_daemon_domain(aidl_lazy_test_server)  # init enters this domain when it executes aidl_lazy_test_server_exec
5 | ')
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app.
2 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };  # no create/connect/bind in this set: it covers use of an already-open socket only
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/bufferhubd.te:
--------------------------------------------------------------------------------
1 | typeattribute bufferhubd coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(bufferhubd)  # init enters this domain when it executes bufferhubd_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/cameraserver.te:
--------------------------------------------------------------------------------
1 | typeattribute cameraserver coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | typeattribute cameraserver camera_service_server;  # cameraserver inherits every rule written against camera_service_server
4 |
5 | init_daemon_domain(cameraserver)  # init enters this domain when it executes cameraserver_exec
6 | tmpfs_domain(cameraserver)  # dedicated cameraserver_tmpfs label for tmpfs/ashmem files the domain creates
7 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/credstore.te:
--------------------------------------------------------------------------------
1 | typeattribute credstore coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(credstore)  # init enters this domain when it executes credstore_exec
4 |
5 | # talk to Identity Credential
6 | hal_client_domain(credstore, hal_identity)  # marks credstore as a client of the hal_identity HAL
7 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/dhcp.te:
--------------------------------------------------------------------------------
1 | typeattribute dhcp coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(dhcp)  # init enters this domain when it executes dhcp_exec
4 | type_transition dhcp system_data_file:{ dir file } dhcp_data_file;  # default label for files/dirs dhcp creates in system_data_file directories; labeling only, access still needs allow rules
5 |
6 | set_prop(dhcp, dhcp_prop)  # may set properties labeled dhcp_prop
7 | set_prop(dhcp, pan_result_prop)  # may set properties labeled pan_result_prop
8 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/dnsmasq.te:
--------------------------------------------------------------------------------
1 | typeattribute dnsmasq coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/fingerprintd.te:
--------------------------------------------------------------------------------
1 | typeattribute fingerprintd coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(fingerprintd)  # init enters this domain when it executes fingerprintd_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/fsck.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(fsck)  # init enters this domain when it executes fsck_exec
4 |
5 | allow fsck metadata_block_device:blk_file rw_file_perms;  # raw read/write on block device nodes labeled metadata_block_device
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck_untrusted coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/gatekeeperd.te:
--------------------------------------------------------------------------------
1 | typeattribute gatekeeperd coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(gatekeeperd)  # init enters this domain when it executes gatekeeperd_exec
4 |
5 | # For checking whether GSI is running
6 | get_prop(gatekeeperd, gsid_prop)  # read-only access to properties labeled gsid_prop
7 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/hal_lazy_test.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`  # compiled in on userdebug/eng builds only, so the test HAL has no rules on user builds
2 | hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)  # macro lets hal_lazy_test_client find the hwservice and hal_lazy_test_server register it
3 | ')
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/hwservice.te:
--------------------------------------------------------------------------------
1 | type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;  # protected_hwservice: not meant to be reachable directly from untrusted apps (confirm against the attribute definition)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/idmap.te:
--------------------------------------------------------------------------------
1 | typeattribute idmap coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(idmap)  # init enters this domain when it executes idmap_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/inputflinger.te:
--------------------------------------------------------------------------------
1 | typeattribute inputflinger coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(inputflinger)  # init enters this domain when it executes inputflinger_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/iorap_prefecherd.te:
--------------------------------------------------------------------------------
1 | typeattribute iorap_prefetcherd coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(iorap_prefetcherd)  # init enters this domain when it executes iorap_prefetcherd_exec
4 | tmpfs_domain(iorap_prefetcherd)  # dedicated iorap_prefetcherd_tmpfs label for tmpfs/ashmem files the domain creates
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;  # process domain, declared in private policy and marked as core platform
2 | type iw_exec, system_file_type, exec_type, file_type;  # label for the iw executable
3 |
4 | init_daemon_domain(iw)  # init enters this domain when it executes iw_exec
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/modprobe.te:
--------------------------------------------------------------------------------
1 | typeattribute modprobe coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/mtp.te:
--------------------------------------------------------------------------------
1 | typeattribute mtp coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(mtp)  # init enters this domain when it executes mtp_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/performanced.te:
--------------------------------------------------------------------------------
1 | typeattribute performanced coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(performanced)  # init enters this domain when it executes performanced_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/ppp.te:
--------------------------------------------------------------------------------
1 | typeattribute ppp coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | domain_auto_trans(mtp, ppp_exec, ppp)  # a process in mtp that executes a ppp_exec file is switched into ppp automatically
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/profman.te:
--------------------------------------------------------------------------------
1 | typeattribute profman coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/racoon.te:
--------------------------------------------------------------------------------
1 | typeattribute racoon coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(racoon)  # init enters this domain when it executes racoon_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;  # declares the role r; no other role is declared in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/runas.te:
--------------------------------------------------------------------------------
1 | typeattribute runas coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | # ndk-gdb invokes adb shell run-as.
4 | domain_auto_trans(shell, runas_exec, runas)  # shell executing a runas_exec file lands in runas rather than staying in shell
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/sdcardd.te:
--------------------------------------------------------------------------------
1 | typeattribute sdcardd coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;  # default label for files/dirs sdcardd creates in system_data_file directories; labeling only, access still needs allow rules
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/servicemanager.te:
--------------------------------------------------------------------------------
1 | typeattribute servicemanager coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(servicemanager)  # init enters this domain when it executes servicemanager_exec
4 |
5 | read_runtime_log_tags(servicemanager)  # read access to the runtime event log tags
6 |
7 | set_prop(servicemanager, ctl_interface_start_prop)  # may set control properties labeled ctl_interface_start_prop, presumably to ask init to start a service by interface name
8 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/sgdisk.te:
--------------------------------------------------------------------------------
1 | typeattribute sgdisk coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/simpleperf_app_runner.te:
--------------------------------------------------------------------------------
1 | typeattribute simpleperf_app_runner coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)  # shell executing the runner binary lands in simpleperf_app_runner rather than staying in shell
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/slideshow.te:
--------------------------------------------------------------------------------
1 | typeattribute slideshow coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/toolbox.te:
--------------------------------------------------------------------------------
1 | typeattribute toolbox coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(toolbox)  # init enters this domain when it executes toolbox_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/tzdatacheck.te:
--------------------------------------------------------------------------------
1 | typeattribute tzdatacheck coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(tzdatacheck)  # init enters this domain when it executes tzdatacheck_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/uncrypt.te:
--------------------------------------------------------------------------------
1 | typeattribute uncrypt coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(uncrypt)  # init enters this domain when it executes uncrypt_exec
4 |
5 | # Set a property to reboot the device.
6 | set_prop(uncrypt, powerctl_prop)  # write access to powerctl_prop lets the domain request a reboot; keep the set of holders small
7 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;  # SELinux user u: authorized for role r, default level s0, allowed range s0 through mls_systemhigh
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/vdc.te:
--------------------------------------------------------------------------------
1 | typeattribute vdc coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(vdc)  # init enters this domain when it executes vdc_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/virtual_touchpad.te:
--------------------------------------------------------------------------------
1 | typeattribute virtual_touchpad coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(virtual_touchpad)  # init enters this domain when it executes virtual_touchpad_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/vr_hwc.te:
--------------------------------------------------------------------------------
1 | typeattribute vr_hwc coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | # Daemon started by init.
4 | init_daemon_domain(vr_hwc)  # init enters this domain when it executes vr_hwc_exec
5 |
6 | hal_server_domain(vr_hwc, hal_graphics_composer)  # marks vr_hwc as a server implementation of the hal_graphics_composer HAL
7 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/vzwomatrigger_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the VzwOmaTrigger app.
3 | ###
4 | type vzwomatrigger_app, domain;  # dedicated process domain for this one app
5 |
6 | app_domain(vzwomatrigger_app)  # base rule set shared by app domains; this file adds nothing beyond it
7 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(watchdogd)  # init enters this domain when it executes watchdogd_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/private/wpantund.te:
--------------------------------------------------------------------------------
1 | typeattribute wpantund coredomain;  # core platform domain, as opposed to vendor/device-specific
2 |
3 | init_daemon_domain(wpantund)  # init enters this domain when it executes wpantund_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/atrace.te:
--------------------------------------------------------------------------------
1 | type atrace, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/blkid.te:
--------------------------------------------------------------------------------
1 | # blkid called from vold
2 | type blkid, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices
2 | type blkid_untrusted, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/bluetooth.te:
--------------------------------------------------------------------------------
1 | # bluetooth subsystem
2 | type bluetooth, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)  # lets the attribute register and find the hwservice; the macro also carries a neverallow that blocks every other domain from registering it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)  # lets the attribute register and find the hwservice; the macro also carries a neverallow that blocks every other domain from registering it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/fwk_bufferhub.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_bufferhub_client, hal_bufferhub_server)  # client -> server binder calls
2 | binder_call(hal_bufferhub_server, hal_bufferhub_client)  # server -> client direction, presumably for callbacks
3 |
4 | hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)  # macro lets hal_bufferhub_client find the hwservice and hal_bufferhub_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/gmscore_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the PrebuiltGMSCore app.
3 | ###
4 |
5 | type gmscore_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/gpuservice.te:
--------------------------------------------------------------------------------
1 | # gpuservice - server for gpu stats and other gpu related services
2 | type gpuservice, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 |
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)  # macro lets hal_atrace_client find the hwservice and hal_atrace_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/hal_confirmationui.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_confirmationui_client, hal_confirmationui_server)  # one direction only: no server -> client rule in this file
3 |
4 | hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)  # macro lets hal_confirmationui_client find the hwservice and hal_confirmationui_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/hal_ir.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_ir_client, hal_ir_server)  # client -> server
3 | binder_call(hal_ir_server, hal_ir_client)  # server -> client (the callback direction)
4 |
5 | hal_attribute_hwservice(hal_ir, hal_ir_hwservice)  # macro lets hal_ir_client find the hwservice and hal_ir_server register it
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/hal_tv_tuner.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_tv_tuner_client, hal_tv_tuner_server)  # client -> server binder calls
2 | binder_call(hal_tv_tuner_server, hal_tv_tuner_client)  # server -> client direction, presumably for callbacks
3 |
4 | hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)  # macro lets hal_tv_tuner_client find the hwservice and hal_tv_tuner_server register it
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)  # client -> server
3 | binder_call(hal_vr_server, hal_vr_client)  # server -> client (the callback direction)
4 |
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)  # macro lets hal_vr_client find the hwservice and hal_vr_server register it
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/heapprofd.te:
--------------------------------------------------------------------------------
1 | type heapprofd, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/incident_helper.te:
--------------------------------------------------------------------------------
1 | # The incident_helper is called by incidentd and
2 | # can only read/write data from/to incidentd
3 |
4 | # incident_helper
5 | type incident_helper, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/incidentd.te:
--------------------------------------------------------------------------------
1 | # incidentd
2 | type incidentd, domain;
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/keystore_keys.te:
--------------------------------------------------------------------------------
1 | # A keystore2 namespace for Wi-Fi.
2 | type wifi_key, keystore2_key_type;  # the type itself grants nothing: which domains may use keys in this namespace is decided by allow rules elsewhere
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/llkd.te:
--------------------------------------------------------------------------------
1 | # llkd Live LocK Daemon
2 | type llkd, domain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from the MLS separation constraints; a broad exemption that should stay justified per domain
3 | type llkd_exec, system_file_type, exec_type, file_type;  # label for the llkd executable (a domain entry point stored on the system image)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/mdnsd.te:
--------------------------------------------------------------------------------
1 | # mdns daemon
2 | type mdnsd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/mediaprovider.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for android.process.media, which contains both
3 | ### MediaProvider and DownloadProvider and associated services.
4 | ###
5 |
6 | type mediaprovider, domain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/netutils_wrapper.te:
--------------------------------------------------------------------------------
1 | type netutils_wrapper, domain;  # process domain for the wrapper
2 | type netutils_wrapper_exec, system_file_type, exec_type, file_type;  # label for the wrapper executable
3 |
4 | neverallow domain netutils_wrapper_exec:file execute_no_trans;  # build-time assertion: no domain may run the wrapper inside the caller domain; executing it has to go through a domain transition
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/network_stack.te:
--------------------------------------------------------------------------------
1 | # Network stack service app
2 | type network_stack, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/nfc.te:
--------------------------------------------------------------------------------
1 | # nfc subsystem
2 | type nfc, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/otapreopt_chroot.te:
--------------------------------------------------------------------------------
1 | # otapreopt_chroot seclabel
2 |
3 | # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
4 | type otapreopt_chroot, domain;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/perfetto.te:
--------------------------------------------------------------------------------
1 | type perfetto, domain, coredomain;  # process domain tagged coredomain (platform side, not vendor); no rules in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/platform_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### Apps signed with the platform key.
3 | ###
4 |
5 | type platform_app, domain;  # public declaration only; how apps are assigned to this domain is not shown in this file
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/priv_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing privileged apps.
3 | ###
4 |
5 | type priv_app, domain;  # public declaration only; the sandboxing rules themselves are not in this file
6 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;  # authorizes role r for every type carrying the domain attribute, i.e. all process domains share this one role
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/rs.te:
--------------------------------------------------------------------------------
1 | type rs, domain, coredomain;  # process domain, tagged coredomain (platform side, not vendor)
2 | type rs_exec, system_file_type, exec_type, file_type;  # label for the rs binary; exec_type marks it as a domain entry point
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/rss_hwm_reset.te:
--------------------------------------------------------------------------------
1 | # rss_hwm_reset resets RSS high-water mark counters for all processes.
2 | type rss_hwm_reset, domain, coredomain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from MLS separation checks, so its allow rules are the only remaining bound
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/runas_app.te:
--------------------------------------------------------------------------------
1 | type runas_app, domain;  # declares the process domain only; this file attaches no allow rules to it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)  # lets scheduler_service_server (presumably an attribute) register and find this hwservice; macro body lives in te_macros, not shown
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/secure_element.te:
--------------------------------------------------------------------------------
1 | # secure_element subsystem
2 | type secure_element, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)  # lets sensor_service_server (presumably an attribute) register and find this hwservice; macro body lives in te_macros, not shown
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/shared_relro.te:
--------------------------------------------------------------------------------
1 | # Process which creates/updates shared RELRO files to be used by other apps.
2 | type shared_relro, domain;  # declaration only; the file-access rules that bound what it may write are not in this file
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/simpleperf.te:
--------------------------------------------------------------------------------
1 | type simpleperf, domain;  # declares the process domain only; this file attaches no allow rules to it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)  # register/find the stats service with hwservicemanager
2 | add_service(stats_service_server, fwk_stats_service)  # register/find the stats service with servicemanager
3 | # binder_use: base permissions for talking Binder at all; needed before any service can be published.
4 | binder_use(stats_service_server)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/surfaceflinger.te:
--------------------------------------------------------------------------------
1 | # surfaceflinger - display compositor service
2 | type surfaceflinger, domain;  # process domain
3 | type surfaceflinger_tmpfs, file_type;  # dedicated label for this domain's tmpfs-backed files, kept separate from the generic tmpfs type
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/traced.te:
--------------------------------------------------------------------------------
1 | type traced, domain, coredomain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from MLS separation checks, so its allow rules are the only remaining bound
2 | type traced_tmpfs, file_type;  # dedicated label for this domain's tmpfs-backed files
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/traced_perf.te:
--------------------------------------------------------------------------------
1 | type traced_perf, domain;  # declares the process domain only; this file attaches no allow rules to it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/traced_probes.te:
--------------------------------------------------------------------------------
1 | type traced_probes, domain, coredomain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from MLS separation checks, so its allow rules are the only remaining bound
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/usbd.te:
--------------------------------------------------------------------------------
1 | type usbd, domain;  # process domain
2 | type usbd_exec, system_file_type, exec_type, file_type;  # label for the usbd binary; exec_type marks it as a domain entry point
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/userdata_sysdev.te:
--------------------------------------------------------------------------------
1 | allow userdata_sysdev sysfs:filesystem associate;  # permits objects labeled userdata_sysdev to exist on the filesystem labeled sysfs; grants no process any access by itself
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/vendor_modprobe.te:
--------------------------------------------------------------------------------
1 | type vendor_modprobe, domain;  # declares the process domain only (not tagged coredomain); no allow rules in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/vndservice.te:
--------------------------------------------------------------------------------
1 | type service_manager_vndservice, vndservice_manager_type;  # service label in the vendor service manager namespace
2 | type default_android_vndservice, vndservice_manager_type;  # presumably the fallback label for vendor services with no specific entry - confirm against vndservice_contexts
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/vndservicemanager.te:
--------------------------------------------------------------------------------
1 | # vndservicemanager - the Binder context manager for vendor processes
2 | type vndservicemanager, domain;  # declaration only; no allow rules in this file
3 |
--------------------------------------------------------------------------------
/prebuilts/api/31.0/public/zygote.te:
--------------------------------------------------------------------------------
1 | # zygote
2 | type zygote, domain;  # process domain
3 | type zygote_tmpfs, file_type;  # dedicated label for this domain's tmpfs-backed files
4 | type zygote_exec, system_file_type, exec_type, file_type;  # label for the zygote binary; exec_type marks it as a domain entry point
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/aidl_lazy_test_server.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | typeattribute aidl_lazy_test_server coredomain;
3 | # Test-only policy: this whole block is compiled in on userdebug and eng builds and is absent from user builds.
4 | init_daemon_domain(aidl_lazy_test_server)
5 | ')
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app. The permission set has no create, bind or connect permissions, so this rule alone only covers I/O on a socket the client already holds.
2 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/bufferhubd.te:
--------------------------------------------------------------------------------
1 | typeattribute bufferhubd coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(bufferhubd)  # init transitions into bufferhubd when it executes the bufferhubd_exec binary (macro in te_macros, not shown)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/cameraserver.te:
--------------------------------------------------------------------------------
1 | typeattribute cameraserver coredomain;  # tags the already-declared type as a core (platform) domain
2 | # Joining camera_service_server makes cameraserver inherit every rule written against that attribute (e.g. the add_hwservice call in public/camera_service_server.te).
3 | typeattribute cameraserver camera_service_server;
4 |
5 | init_daemon_domain(cameraserver)  # init transitions into cameraserver when it executes cameraserver_exec
6 | tmpfs_domain(cameraserver)  # gives the domain its own cameraserver_tmpfs label for tmpfs/ashmem files it creates
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/compat/31.0/31.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; Placeholder: no 31.0 compatibility mappings are defined here. This file can't be empty (presumably a build-tooling requirement - confirm).
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/credstore.te:
--------------------------------------------------------------------------------
1 | typeattribute credstore coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(credstore)  # init transitions into credstore when it executes credstore_exec
4 |
5 | # talk to Identity Credential: credstore is registered as a client of the hal_identity HAL
6 | hal_client_domain(credstore, hal_identity)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/dhcp.te:
--------------------------------------------------------------------------------
1 | typeattribute dhcp coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(dhcp)  # init transitions into dhcp when it executes dhcp_exec
4 | type_transition dhcp system_data_file:{ dir file } dhcp_data_file;  # labeling rule only: files/dirs dhcp creates under system_data_file directories become dhcp_data_file; it grants no access by itself
5 |
6 | set_prop(dhcp, dhcp_prop)  # dhcp may write (and read) properties labeled dhcp_prop
7 | set_prop(dhcp, pan_result_prop)  # likewise for pan_result_prop
8 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/dnsmasq.te:
--------------------------------------------------------------------------------
1 | typeattribute dnsmasq coredomain;  # tags dnsmasq as a core (platform) domain; its type declaration and rules are not in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/fingerprintd.te:
--------------------------------------------------------------------------------
1 | typeattribute fingerprintd coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(fingerprintd)  # init transitions into fingerprintd when it executes fingerprintd_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/fsck.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(fsck)  # init transitions into fsck when it executes fsck_exec
4 | # Raw read/write on the block device node labeled metadata_block_device: fsck can modify that partition below the filesystem layer.
5 | allow fsck metadata_block_device:blk_file rw_file_perms;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck_untrusted coredomain;  # tags fsck_untrusted as a core (platform) domain; unlike fsck, this file gives it no init transition and no block-device rule
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/gatekeeperd.te:
--------------------------------------------------------------------------------
1 | typeattribute gatekeeperd coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(gatekeeperd)  # init transitions into gatekeeperd when it executes gatekeeperd_exec
4 |
5 | # For checking whether GSI is running (read-only: get_prop, not set_prop)
6 | get_prop(gatekeeperd, gsid_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/hal_lazy_test.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)  # test HAL wiring - only present on userdebug and eng builds
3 | ')
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/hwservice.te:
--------------------------------------------------------------------------------
1 | type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;  # protected_hwservice: presumably keeps this test service out of reach of untrusted apps - confirm against the attribute definition
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/idmap.te:
--------------------------------------------------------------------------------
1 | typeattribute idmap coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(idmap)  # init transitions into idmap when it executes idmap_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/inputflinger.te:
--------------------------------------------------------------------------------
1 | typeattribute inputflinger coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(inputflinger)  # init transitions into inputflinger when it executes inputflinger_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/iorap_prefecherd.te:
--------------------------------------------------------------------------------
1 | typeattribute iorap_prefetcherd coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(iorap_prefetcherd)  # init transitions into iorap_prefetcherd when it executes iorap_prefetcherd_exec
4 | tmpfs_domain(iorap_prefetcherd)  # gives the domain its own iorap_prefetcherd_tmpfs label for tmpfs/ashmem files it creates
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;  # process domain, declared in private policy so vendor policy cannot reference it
2 | type iw_exec, system_file_type, exec_type, file_type;  # label for the iw binary; exec_type marks it as a domain entry point
3 |
4 | init_daemon_domain(iw)  # init transitions into iw when it executes iw_exec
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/modprobe.te:
--------------------------------------------------------------------------------
1 | typeattribute modprobe coredomain;  # tags modprobe as a core (platform) domain; its type declaration and rules are not in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/mtp.te:
--------------------------------------------------------------------------------
1 | typeattribute mtp coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(mtp)  # init transitions into mtp when it executes mtp_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/performanced.te:
--------------------------------------------------------------------------------
1 | typeattribute performanced coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(performanced)  # init transitions into performanced when it executes performanced_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/ppp.te:
--------------------------------------------------------------------------------
1 | typeattribute ppp coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | domain_auto_trans(mtp, ppp_exec, ppp)  # only mtp is given an entry path here: when mtp executes a file labeled ppp_exec, the new process runs as ppp
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/profman.te:
--------------------------------------------------------------------------------
1 | typeattribute profman coredomain;  # tags profman as a core (platform) domain; its type declaration and rules are not in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/racoon.te:
--------------------------------------------------------------------------------
1 | typeattribute racoon coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(racoon)  # init transitions into racoon when it executes racoon_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;  # declares the single role r; which types it may be combined with is set elsewhere (see the public roles file)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/runas.te:
--------------------------------------------------------------------------------
1 | typeattribute runas coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | # ndk-gdb invokes adb shell run-as. The transition below is the only entry into runas defined in this file: shell executing a file labeled runas_exec.
4 | domain_auto_trans(shell, runas_exec, runas)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/sdcardd.te:
--------------------------------------------------------------------------------
1 | typeattribute sdcardd coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;  # labeling rule only: files/dirs sdcardd creates under system_data_file directories become media_rw_data_file; it grants no access by itself
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/servicemanager.te:
--------------------------------------------------------------------------------
1 | typeattribute servicemanager coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(servicemanager)  # init transitions into servicemanager when it executes servicemanager_exec
4 |
5 | read_runtime_log_tags(servicemanager)  # read access to the runtime event-log tags file (macro in te_macros, not shown)
6 | # Write access to ctl_interface_start_prop: presumably how servicemanager asks init to start a service by interface name - confirm against init's property handling.
7 | set_prop(servicemanager, ctl_interface_start_prop)
8 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/sgdisk.te:
--------------------------------------------------------------------------------
1 | typeattribute sgdisk coredomain;  # tags sgdisk as a core (platform) domain; its type declaration and rules are not in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/simpleperf_app_runner.te:
--------------------------------------------------------------------------------
1 | typeattribute simpleperf_app_runner coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)  # entry path defined here: shell executing a file labeled simpleperf_app_runner_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/slideshow.te:
--------------------------------------------------------------------------------
1 | typeattribute slideshow coredomain;  # tags slideshow as a core (platform) domain; its type declaration and rules are not in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/toolbox.te:
--------------------------------------------------------------------------------
1 | typeattribute toolbox coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(toolbox)  # init transitions into toolbox when it executes toolbox_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/tzdatacheck.te:
--------------------------------------------------------------------------------
1 | typeattribute tzdatacheck coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(tzdatacheck)  # init transitions into tzdatacheck when it executes tzdatacheck_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/uncrypt.te:
--------------------------------------------------------------------------------
1 | typeattribute uncrypt coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(uncrypt)  # init transitions into uncrypt when it executes uncrypt_exec
4 |
5 | # Set a property to reboot the device. Write access to powerctl_prop lets this domain trigger a reboot or shutdown, so the grant is worth auditing.
6 | set_prop(uncrypt, powerctl_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;  # the single SELinux user u: may take role r, default level s0, allowed range s0 up to mls_systemhigh (macro defined elsewhere)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/vdc.te:
--------------------------------------------------------------------------------
1 | typeattribute vdc coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(vdc)  # init transitions into vdc when it executes vdc_exec
4 |
5 | # Allow stdin/out back to vehicle_binding_util: vdc may use file descriptors owned by that domain (fd use only; no file or socket permissions are granted here)
6 | allow vdc vehicle_binding_util:fd use;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/virtual_touchpad.te:
--------------------------------------------------------------------------------
1 | typeattribute virtual_touchpad coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(virtual_touchpad)  # init transitions into virtual_touchpad when it executes virtual_touchpad_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/vr_hwc.te:
--------------------------------------------------------------------------------
1 | typeattribute vr_hwc coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | # Daemon started by init.
4 | init_daemon_domain(vr_hwc)
5 | # vr_hwc is registered as a server (implementation) of the graphics composer HAL.
6 | hal_server_domain(vr_hwc, hal_graphics_composer)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/vzwomatrigger_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the VzwOmaTrigger app.
3 | ###
4 | type vzwomatrigger_app, domain;  # declared in private policy, so vendor policy cannot reference it
5 |
6 | app_domain(vzwomatrigger_app)  # grants only the base permission set shared by all app domains (macro in te_macros, not shown); nothing app-specific is added here
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(watchdogd)  # init transitions into watchdogd when it executes watchdogd_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/private/wpantund.te:
--------------------------------------------------------------------------------
1 | typeattribute wpantund coredomain;  # tags the already-declared type as a core (platform) domain
2 |
3 | init_daemon_domain(wpantund)  # init transitions into wpantund when it executes wpantund_exec
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/atrace.te:
--------------------------------------------------------------------------------
1 | type atrace, domain, coredomain;  # process domain tagged coredomain (platform side, not vendor); no rules in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/blkid.te:
--------------------------------------------------------------------------------
1 | # blkid called from vold
2 | type blkid, domain;  # declaration only; a separate blkid_untrusted domain exists for untrusted block devices
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices; kept as its own domain so it can be confined separately from blkid
2 | type blkid_untrusted, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/bluetooth.te:
--------------------------------------------------------------------------------
1 | # bluetooth subsystem
2 | type bluetooth, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)  # lets domains carrying the camera_service_server attribute register and find this hwservice; macro body lives in te_macros, not shown
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)  # lets display_service_server (presumably an attribute) register and find this hwservice; macro body lives in te_macros, not shown
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/fwk_bufferhub.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_bufferhub_client, hal_bufferhub_server)  # client -> server calls
2 | binder_call(hal_bufferhub_server, hal_bufferhub_client)  # server -> client calls (callbacks)
3 | # Ties fwk_bufferhub_hwservice to the hal_bufferhub client/server attributes (who may find and who may register it).
4 | hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/gmscore_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the PrebuiltGMSCore app.
3 | ###
4 |
5 | type gmscore_app, domain;  # public declaration only; the sandboxing rules themselves are not in this file
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/gpuservice.te:
--------------------------------------------------------------------------------
1 | # gpuservice - server for gpu stats and other gpu related services
2 | type gpuservice, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server (one direction only: no server-to-client callback rule is declared)
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 | # Ties hal_atrace_hwservice to the hal_atrace client/server attributes (who may find and who may register it).
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/hal_confirmationui.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server (one direction only: no server-to-client callback rule is declared)
2 | binder_call(hal_confirmationui_client, hal_confirmationui_server)
3 | # Ties hal_confirmationui_hwservice to the hal_confirmationui client/server attributes (who may find and who may register it).
4 | hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/hal_ir.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_ir_client, hal_ir_server)  # client -> server
3 | binder_call(hal_ir_server, hal_ir_client)  # server -> client (callbacks)
4 | # Ties hal_ir_hwservice to the hal_ir client/server attributes (who may find and who may register it).
5 | hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/hal_tv_tuner.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_tv_tuner_client, hal_tv_tuner_server)  # client -> server
2 | binder_call(hal_tv_tuner_server, hal_tv_tuner_client)  # server -> client (callbacks)
3 | # Ties hal_tv_tuner_hwservice to the hal_tv_tuner client/server attributes (who may find and who may register it).
4 | hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)  # client -> server
3 | binder_call(hal_vr_server, hal_vr_client)  # server -> client (callbacks)
4 | # Ties hal_vr_hwservice to the hal_vr client/server attributes (who may find and who may register it).
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/heapprofd.te:
--------------------------------------------------------------------------------
1 | type heapprofd, domain, coredomain;  # process domain tagged coredomain (platform side, not vendor); no rules in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/incident_helper.te:
--------------------------------------------------------------------------------
1 | # The incident_helper is called by incidentd and
2 | # can only read/write data from/to incidentd
3 | # NOTE(review): that restriction is stated here but not enforced by this file, which only declares the type; confirm against the rules elsewhere.
4 | # incident_helper
5 | type incident_helper, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/incidentd.te:
--------------------------------------------------------------------------------
1 | # incidentd
2 | type incidentd, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/keystore_keys.te:
--------------------------------------------------------------------------------
1 | # A keystore2 namespace for Wi-Fi. Access to keys in it is decided by rules on the wifi_key label, none of which are in this file.
2 | type wifi_key, keystore2_key_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/llkd.te:
--------------------------------------------------------------------------------
1 | # llkd Live LocK Daemon
2 | type llkd, domain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from MLS separation checks, so its allow rules are the only remaining bound
3 | type llkd_exec, system_file_type, exec_type, file_type;  # label for the llkd binary; exec_type marks it as a domain entry point
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/mdnsd.te:
--------------------------------------------------------------------------------
1 | # mdnsd: multicast DNS daemon
2 | type mdnsd, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/mediaprovider.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for android.process.media, which contains both
3 | ### MediaProvider and DownloadProvider and associated services.
4 | ###
5 |
6 | type mediaprovider, domain;  # public declaration only; the rules for this domain are not in this file
7 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/netutils_wrapper.te:
--------------------------------------------------------------------------------
1 | type netutils_wrapper, domain;  # process domain the wrapper runs in
2 | type netutils_wrapper_exec, system_file_type, exec_type, file_type;  # label of the wrapper binary (exec_type = domain entry point)
3 | # Compile-time assertion: no domain may execute the wrapper binary in the caller's own context (execute_no_trans), so running it always requires a domain transition.
4 | neverallow domain netutils_wrapper_exec:file execute_no_trans;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/network_stack.te:
--------------------------------------------------------------------------------
1 | # Network stack service app
2 | type network_stack, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/nfc.te:
--------------------------------------------------------------------------------
1 | # nfc subsystem
2 | type nfc, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/otapreopt_chroot.te:
--------------------------------------------------------------------------------
1 | # otapreopt_chroot seclabel
2 |
3 | # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
4 | type otapreopt_chroot, domain;  # bare public declaration; no allow rules are attached here
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/perfetto.te:
--------------------------------------------------------------------------------
1 | type perfetto, domain, coredomain;  # process domain tagged coredomain (platform side, not vendor); no rules in this file
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/platform_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### Apps signed with the platform key.
3 | ###
4 |
5 | type platform_app, domain;  # public declaration only; how apps are assigned to this domain is not shown in this file
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/priv_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing privileged apps.
3 | ###
4 |
5 | type priv_app, domain;  # public declaration only; the sandboxing rules themselves are not in this file
6 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;  # authorizes role r for every type carrying the domain attribute, i.e. all process domains share this one role
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/rs.te:
--------------------------------------------------------------------------------
1 | type rs, domain, coredomain;  # process domain, tagged coredomain (platform side, not vendor)
2 | type rs_exec, system_file_type, exec_type, file_type;  # label for the rs binary; exec_type marks it as a domain entry point
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/rss_hwm_reset.te:
--------------------------------------------------------------------------------
1 | # rss_hwm_reset resets RSS high-water mark counters for all processes.
2 | type rss_hwm_reset, domain, coredomain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from MLS separation checks, so its allow rules are the only remaining bound
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/runas_app.te:
--------------------------------------------------------------------------------
1 | type runas_app, domain;  # declares the process domain only; this file attaches no allow rules to it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)  # lets scheduler_service_server (presumably an attribute) register and find this hwservice; macro body lives in te_macros, not shown
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/secure_element.te:
--------------------------------------------------------------------------------
1 | # secure_element subsystem
2 | type secure_element, domain;  # declares the process domain only; this file attaches no allow rules to it
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)  # lets sensor_service_server (presumably an attribute) register and find this hwservice; macro body lives in te_macros, not shown
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/shared_relro.te:
--------------------------------------------------------------------------------
1 | # Process which creates/updates shared RELRO files to be used by other apps.
2 | type shared_relro, domain;  # declaration only; the file-access rules that bound what it may write are not in this file
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/simpleperf.te:
--------------------------------------------------------------------------------
1 | type simpleperf, domain;  # declares the process domain only; this file attaches no allow rules to it
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)  # register/find the stats service with hwservicemanager
2 | add_service(stats_service_server, fwk_stats_service)  # register/find the stats service with servicemanager
3 | # binder_use: base permissions for talking Binder at all; needed before any service can be published.
4 | binder_use(stats_service_server)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/surfaceflinger.te:
--------------------------------------------------------------------------------
1 | # surfaceflinger - display compositor service
2 | type surfaceflinger, domain;  # process domain
3 | type surfaceflinger_tmpfs, file_type;  # dedicated label for this domain's tmpfs-backed files, kept separate from the generic tmpfs type
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/traced.te:
--------------------------------------------------------------------------------
1 | type traced, domain, coredomain, mlstrustedsubject;  # mlstrustedsubject exempts this domain from MLS separation checks, so its allow rules are the only remaining bound
2 | type traced_tmpfs, file_type;  # dedicated label for this domain's tmpfs-backed files
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/traced_perf.te:
--------------------------------------------------------------------------------
1 | type traced_perf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/traced_probes.te:
--------------------------------------------------------------------------------
1 | type traced_probes, domain, coredomain, mlstrustedsubject;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/usbd.te:
--------------------------------------------------------------------------------
1 | type usbd, domain;
2 | type usbd_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/userdata_sysdev.te:
--------------------------------------------------------------------------------
1 | allow userdata_sysdev sysfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/vendor_modprobe.te:
--------------------------------------------------------------------------------
1 | type vendor_modprobe, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/vndservice.te:
--------------------------------------------------------------------------------
1 | type service_manager_vndservice, vndservice_manager_type;
2 | type default_android_vndservice, vndservice_manager_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/vndservicemanager.te:
--------------------------------------------------------------------------------
1 | # vndservicemanager - the Binder context manager for vendor processes
2 | type vndservicemanager, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/32.0/public/zygote.te:
--------------------------------------------------------------------------------
1 | # zygote
2 | type zygote, domain;
3 | type zygote_tmpfs, file_type;
4 | type zygote_exec, system_file_type, exec_type, file_type;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/aidl_lazy_test_server.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | typeattribute aidl_lazy_test_server coredomain;
3 | # Test-only domain. This whole block is compiled in for userdebug and eng builds and left out of user builds.
4 | init_daemon_domain(aidl_lazy_test_server)
5 | ')
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app. The permission set covers only operations on an already open socket; create, connect, bind, listen and accept are not granted by this rule.
2 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/bufferhubd.te:
--------------------------------------------------------------------------------
1 | typeattribute bufferhubd coredomain;
2 |
3 | init_daemon_domain(bufferhubd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/compat/31.0/31.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; This file can't be empty.
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/compat/32.0/32.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; This file can't be empty.
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/dhcp.te:
--------------------------------------------------------------------------------
1 | typeattribute dhcp coredomain;
2 | # dhcp is set up as an init-started daemon domain. Files and directories it creates under a system_data_file directory are labeled dhcp_data_file rather than inheriting the parent label.
3 | init_daemon_domain(dhcp)
4 | type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
5 |
6 | set_prop(dhcp, dhcp_prop)
7 | set_prop(dhcp, pan_result_prop)
8 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/diced.te:
--------------------------------------------------------------------------------
1 | typeattribute diced coredomain;
2 |
3 | init_daemon_domain(diced)
4 |
5 | # Talk to dice HAL.
6 | hal_client_domain(diced, hal_dice)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/dnsmasq.te:
--------------------------------------------------------------------------------
1 | typeattribute dnsmasq coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/extra_free_kbytes.te:
--------------------------------------------------------------------------------
1 | typeattribute extra_free_kbytes coredomain;
2 |
3 | init_daemon_domain(extra_free_kbytes)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/fingerprintd.te:
--------------------------------------------------------------------------------
1 | typeattribute fingerprintd coredomain;
2 |
3 | init_daemon_domain(fingerprintd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/fsck.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck coredomain;
2 |
3 | init_daemon_domain(fsck)
4 | # Read and write access to the raw metadata block device node (rw_file_perms on blk_file). Raw access to a block device is not mediated by the labels of the files stored on it.
5 | allow fsck metadata_block_device:blk_file rw_file_perms;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck_untrusted coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/gatekeeperd.te:
--------------------------------------------------------------------------------
1 | typeattribute gatekeeperd coredomain;
2 |
3 | init_daemon_domain(gatekeeperd)
4 |
5 | # For checking whether GSI is running
6 | get_prop(gatekeeperd, gsid_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/hal_lazy_test.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
3 | ')
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/healthd.te:
--------------------------------------------------------------------------------
1 | typeattribute healthd coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/hwservice.te:
--------------------------------------------------------------------------------
1 | type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/idmap.te:
--------------------------------------------------------------------------------
1 | typeattribute idmap coredomain;
2 |
3 | init_daemon_domain(idmap)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/inputflinger.te:
--------------------------------------------------------------------------------
1 | typeattribute inputflinger coredomain;
2 |
3 | init_daemon_domain(inputflinger)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/iorap_prefecherd.te:
--------------------------------------------------------------------------------
1 | typeattribute iorap_prefetcherd coredomain;
2 |
3 | init_daemon_domain(iorap_prefetcherd)
4 | tmpfs_domain(iorap_prefetcherd)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;
2 | type iw_exec, system_file_type, exec_type, file_type;
3 |
4 | init_daemon_domain(iw)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/modprobe.te:
--------------------------------------------------------------------------------
1 | typeattribute modprobe coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/mtp.te:
--------------------------------------------------------------------------------
1 | typeattribute mtp coredomain;
2 |
3 | init_daemon_domain(mtp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/performanced.te:
--------------------------------------------------------------------------------
1 | typeattribute performanced coredomain;
2 |
3 | init_daemon_domain(performanced)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/ppp.te:
--------------------------------------------------------------------------------
1 | typeattribute ppp coredomain;
2 | # A file labeled ppp_exec that is executed from the mtp domain runs in the ppp domain. mtp is the only source domain given this transition in this file.
3 | domain_auto_trans(mtp, ppp_exec, ppp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/profman.te:
--------------------------------------------------------------------------------
1 | typeattribute profman coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/racoon.te:
--------------------------------------------------------------------------------
1 | typeattribute racoon coredomain;
2 |
3 | init_daemon_domain(racoon)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/runas.te:
--------------------------------------------------------------------------------
1 | typeattribute runas coredomain;
2 |
3 | # ndk-gdb invokes adb shell run-as. When the shell domain executes a file labeled runas_exec, the new process is moved into the runas domain automatically instead of staying in shell.
4 | domain_auto_trans(shell, runas_exec, runas)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/sdcardd.te:
--------------------------------------------------------------------------------
1 | typeattribute sdcardd coredomain;
2 |
3 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/servicemanager.te:
--------------------------------------------------------------------------------
1 | typeattribute servicemanager coredomain;
2 |
3 | init_daemon_domain(servicemanager)
4 |
5 | read_runtime_log_tags(servicemanager)
6 | # Write access to ctl_interface_start_prop; presumably used to ask init to start the service that provides a requested interface - confirm against the property contexts.
7 | set_prop(servicemanager, ctl_interface_start_prop)
8 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/sgdisk.te:
--------------------------------------------------------------------------------
1 | typeattribute sgdisk coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/slideshow.te:
--------------------------------------------------------------------------------
1 | typeattribute slideshow coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/toolbox.te:
--------------------------------------------------------------------------------
1 | typeattribute toolbox coredomain;
2 |
3 | init_daemon_domain(toolbox)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/tzdatacheck.te:
--------------------------------------------------------------------------------
1 | typeattribute tzdatacheck coredomain;
2 |
3 | init_daemon_domain(tzdatacheck)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/uncrypt.te:
--------------------------------------------------------------------------------
1 | typeattribute uncrypt coredomain;
2 |
3 | init_daemon_domain(uncrypt)
4 |
5 | # Set a property to reboot the device. Write access to powerctl_prop lets this domain request a reboot, so the set of domains granted it should stay small.
6 | set_prop(uncrypt, powerctl_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/vdc.te:
--------------------------------------------------------------------------------
1 | typeattribute vdc coredomain;
2 |
3 | init_daemon_domain(vdc)
4 |
5 | # Allow stdin/out back to vehicle_binding_util: vdc may use file descriptors that come from that domain. fd use is checked in addition to the permissions on the object behind the descriptor and does not replace them.
6 | allow vdc vehicle_binding_util:fd use;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/virtual_touchpad.te:
--------------------------------------------------------------------------------
1 | typeattribute virtual_touchpad coredomain;
2 |
3 | init_daemon_domain(virtual_touchpad)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/vzwomatrigger_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the VzwOmaTrigger app.
3 | ###
4 | type vzwomatrigger_app, domain;
5 |
6 | app_domain(vzwomatrigger_app)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;
2 |
3 | init_daemon_domain(watchdogd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/private/wpantund.te:
--------------------------------------------------------------------------------
1 | typeattribute wpantund coredomain;
2 |
3 | init_daemon_domain(wpantund)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/atrace.te:
--------------------------------------------------------------------------------
1 | type atrace, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/blkid.te:
--------------------------------------------------------------------------------
1 | # blkid called from vold
2 | type blkid, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices
2 | type blkid_untrusted, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/bluetooth.te:
--------------------------------------------------------------------------------
1 | # bluetooth subsystem
2 | type bluetooth, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/bpfloader.te:
--------------------------------------------------------------------------------
1 | type bpfloader, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/charger.te:
--------------------------------------------------------------------------------
1 | type charger, charger_type, domain;
2 | type charger_exec, system_file_type, exec_type, file_type;
3 |
4 | # The system charger is a client of HIDL health HAL.
5 | hal_client_domain(charger, hal_health)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/charger_vendor.te:
--------------------------------------------------------------------------------
1 | # Context when health HAL runs charger mode
2 |
3 | type charger_vendor, charger_type, domain;
4 | hal_server_domain(charger_vendor, hal_health)
5 | # bpfdomain: attribute for domains that are allowed to use BPF - TODO confirm against the attribute definition and its neverallow rules, which are not in this file.
6 | typeattribute charger_vendor bpfdomain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/evsmanagerd.te:
--------------------------------------------------------------------------------
1 | # evsmanager daemon
2 | type evsmanagerd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/gmscore_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the PrebuiltGMSCore app.
3 | ###
4 |
5 | type gmscore_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/gpuservice.te:
--------------------------------------------------------------------------------
1 | # gpuservice - server for gpu stats and other gpu related services
2 | type gpuservice, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 |
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/hal_confirmationui.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_confirmationui_client, hal_confirmationui_server)
3 |
4 | hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/hal_dice.te:
--------------------------------------------------------------------------------
1 | binder_call(hal_dice_client, hal_dice_server)
2 | # Ties hal_dice_service to the hal_dice attribute (presumably server adds, clients find - confirm against the macro definition); the server may also make binder calls to servicemanager.
3 | hal_attribute_service(hal_dice, hal_dice_service)
4 | binder_call(hal_dice_server, servicemanager)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)
3 | binder_call(hal_vr_server, hal_vr_client)
4 |
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/healthd.te:
--------------------------------------------------------------------------------
1 | # healthd - battery/charger monitoring service daemon
2 | # healthd is removed. The type is kept for backwards compatibility.
3 |
4 | type healthd, domain;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/heapprofd.te:
--------------------------------------------------------------------------------
1 | type heapprofd, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/incident_helper.te:
--------------------------------------------------------------------------------
1 | # The incident_helper is called by incidentd and
2 | # can only read/write data from/to incidentd
3 |
4 | # incident_helper
5 | type incident_helper, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/incidentd.te:
--------------------------------------------------------------------------------
1 | # incidentd
2 | type incidentd, domain;
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/keystore_keys.te:
--------------------------------------------------------------------------------
1 | # A keystore2 namespace for WI-FI.
2 | type wifi_key, keystore2_key_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/llkd.te:
--------------------------------------------------------------------------------
1 | # llkd Live LocK Daemon
2 | type llkd, domain, mlstrustedsubject;
3 | type llkd_exec, system_file_type, exec_type, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/mdnsd.te:
--------------------------------------------------------------------------------
1 | # mdns daemon
2 | type mdnsd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/mediaprovider.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for android.process.media, which contains both
3 | ### MediaProvider and DownloadProvider and associated services.
4 | ###
5 |
6 | type mediaprovider, domain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/mediatranscoding.te:
--------------------------------------------------------------------------------
1 | type mediatranscoding, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/netutils_wrapper.te:
--------------------------------------------------------------------------------
1 | type netutils_wrapper, domain;
2 | type netutils_wrapper_exec, system_file_type, exec_type, file_type;
3 | # Compile-time assertion: no allow rule may grant any domain execute_no_trans on netutils_wrapper_exec, so the wrapper can only be run through a domain transition and never with the permissions of the calling domain.
4 | neverallow domain netutils_wrapper_exec:file execute_no_trans;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/network_stack.te:
--------------------------------------------------------------------------------
1 | # Network stack service app
2 | type network_stack, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/nfc.te:
--------------------------------------------------------------------------------
1 | # nfc subsystem
2 | type nfc, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/otapreopt_chroot.te:
--------------------------------------------------------------------------------
1 | # otapreopt_chroot seclabel
2 |
3 | # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
4 | type otapreopt_chroot, domain;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/perfetto.te:
--------------------------------------------------------------------------------
1 | type perfetto, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/platform_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### Apps signed with the platform key.
3 | ###
4 |
5 | type platform_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/priv_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing privileged apps.
3 | ###
4 |
5 | type priv_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/prng_seeder.te:
--------------------------------------------------------------------------------
1 | # PRNG seeder daemon
2 | type prng_seeder, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/rootdisk_sysdev.te:
--------------------------------------------------------------------------------
1 | allow rootdisk_sysdev sysfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/rs.te:
--------------------------------------------------------------------------------
1 | type rs, domain, coredomain;
2 | type rs_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/rss_hwm_reset.te:
--------------------------------------------------------------------------------
1 | # rss_hwm_reset resets RSS high-water mark counters for all processes. mlstrustedsubject exempts this domain from the MLS constraints on subjects - presumably needed to reach processes at every level; confirm against the private policy.
2 | type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/runas_app.te:
--------------------------------------------------------------------------------
1 | type runas_app, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/secure_element.te:
--------------------------------------------------------------------------------
1 | # secure_element subsystem
2 | type secure_element, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/shared_relro.te:
--------------------------------------------------------------------------------
1 | # Process which creates/updates shared RELRO files to be used by other apps.
2 | type shared_relro, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/simpleperf.te:
--------------------------------------------------------------------------------
1 | type simpleperf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/simpleperf_app_runner.te:
--------------------------------------------------------------------------------
1 | type simpleperf_app_runner, domain, mlstrustedsubject;
2 | type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)
2 | add_service(stats_service_server, fwk_stats_service)
3 |
4 | binder_use(stats_service_server)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/surfaceflinger.te:
--------------------------------------------------------------------------------
1 | # surfaceflinger - display compositor service
2 | type surfaceflinger, domain;
3 | type surfaceflinger_tmpfs, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/traced.te:
--------------------------------------------------------------------------------
1 | type traced, domain, coredomain, mlstrustedsubject;
2 | type traced_tmpfs, file_type;
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/traced_perf.te:
--------------------------------------------------------------------------------
1 | type traced_perf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/traced_probes.te:
--------------------------------------------------------------------------------
1 | type traced_probes, domain, coredomain, mlstrustedsubject;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/usbd.te:
--------------------------------------------------------------------------------
1 | type usbd, domain;
2 | type usbd_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/userdata_sysdev.te:
--------------------------------------------------------------------------------
1 | allow userdata_sysdev sysfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/vendor_modprobe.te:
--------------------------------------------------------------------------------
1 | type vendor_modprobe, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/vndservice.te:
--------------------------------------------------------------------------------
1 | type service_manager_vndservice, vndservice_manager_type;
2 | type default_android_vndservice, vndservice_manager_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/vndservicemanager.te:
--------------------------------------------------------------------------------
1 | # vndservicemanager - the Binder context manager for vendor processes
2 | type vndservicemanager, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/33.0/public/zygote.te:
--------------------------------------------------------------------------------
1 | # zygote
2 | type zygote, domain;
3 | type zygote_tmpfs, file_type;
4 | type zygote_exec, system_file_type, exec_type, file_type;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/aidl_lazy_test_server.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | typeattribute aidl_lazy_test_server coredomain;
3 |
4 | init_daemon_domain(aidl_lazy_test_server)
5 | ')  # everything inside userdebug_or_eng is compiled in only for userdebug and eng builds; user builds get none of these rules
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app. The permission set has no create, bind, listen, accept or connectto, so this rule only covers I/O and option handling on a socket that already exists.
2 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/bufferhubd.te:
--------------------------------------------------------------------------------
1 | typeattribute bufferhubd coredomain;
2 |
3 | init_daemon_domain(bufferhubd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/compat/31.0/31.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 31.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/compat/32.0/32.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 32.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/compat/33.0/33.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 33.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/dhcp.te:
--------------------------------------------------------------------------------
1 | typeattribute dhcp coredomain;
2 |
3 | init_daemon_domain(dhcp)
4 | type_transition dhcp system_data_file:{ dir file } dhcp_data_file;  # dirs and files dhcp creates inside system_data_file directories are labelled dhcp_data_file by default
5 |
6 | set_prop(dhcp, dhcp_prop)
7 | set_prop(dhcp, pan_result_prop)
8 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/dnsmasq.te:
--------------------------------------------------------------------------------
1 | typeattribute dnsmasq coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/fingerprintd.te:
--------------------------------------------------------------------------------
1 | typeattribute fingerprintd coredomain;
2 |
3 | init_daemon_domain(fingerprintd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/fsck.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck coredomain;
2 |
3 | init_daemon_domain(fsck)
4 | # Read/write access to the metadata block device node (rw_file_perms on the blk_file class).
5 | allow fsck metadata_block_device:blk_file rw_file_perms;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
1 | typeattribute fsck_untrusted coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/gatekeeperd.te:
--------------------------------------------------------------------------------
1 | typeattribute gatekeeperd coredomain;
2 |
3 | init_daemon_domain(gatekeeperd)
4 |
5 | # For checking whether GSI is running
6 | get_prop(gatekeeperd, gsid_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/hal_lazy_test.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
3 | ')  # compiled in only for userdebug and eng builds; user builds do not get this hwservice rule
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/healthd.te:
--------------------------------------------------------------------------------
1 | typeattribute healthd coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/hwservice.te:
--------------------------------------------------------------------------------
1 | type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/idmap.te:
--------------------------------------------------------------------------------
1 | typeattribute idmap coredomain;
2 |
3 | init_daemon_domain(idmap)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/inputflinger.te:
--------------------------------------------------------------------------------
1 | typeattribute inputflinger coredomain;
2 |
3 | init_daemon_domain(inputflinger)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;
2 | type iw_exec, system_file_type, exec_type, file_type;
3 |
4 | init_daemon_domain(iw)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/modprobe.te:
--------------------------------------------------------------------------------
1 | typeattribute modprobe coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/mtp.te:
--------------------------------------------------------------------------------
1 | typeattribute mtp coredomain;
2 |
3 | init_daemon_domain(mtp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/performanced.te:
--------------------------------------------------------------------------------
1 | typeattribute performanced coredomain;
2 |
3 | init_daemon_domain(performanced)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/ppp.te:
--------------------------------------------------------------------------------
1 | typeattribute ppp coredomain;
2 | # An mtp process that executes a ppp_exec file transitions into the ppp domain automatically.
3 | domain_auto_trans(mtp, ppp_exec, ppp)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/racoon.te:
--------------------------------------------------------------------------------
1 | typeattribute racoon coredomain;
2 |
3 | init_daemon_domain(racoon)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/runas.te:
--------------------------------------------------------------------------------
1 | typeattribute runas coredomain;
2 |
3 | # ndk-gdb invokes adb shell run-as; a shell process that executes a runas_exec file transitions into the runas domain automatically.
4 | domain_auto_trans(shell, runas_exec, runas)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/sdcardd.te:
--------------------------------------------------------------------------------
1 | typeattribute sdcardd coredomain;
2 | # Dirs and files sdcardd creates inside system_data_file directories are labelled media_rw_data_file by default.
3 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/sgdisk.te:
--------------------------------------------------------------------------------
1 | typeattribute sgdisk coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/slideshow.te:
--------------------------------------------------------------------------------
1 | typeattribute slideshow coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/uncrypt.te:
--------------------------------------------------------------------------------
1 | typeattribute uncrypt coredomain;
2 |
3 | init_daemon_domain(uncrypt)
4 |
5 | # Set a property to reboot the device.
6 | set_prop(uncrypt, powerctl_prop)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;  # SELinux user u: authorised for role r, default level s0, allowed range s0 through mls_systemhigh
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/vdc.te:
--------------------------------------------------------------------------------
1 | typeattribute vdc coredomain;
2 |
3 | init_daemon_domain(vdc)
4 |
5 | # Allow stdin/out back to vehicle_binding_util
6 | allow vdc vehicle_binding_util:fd use;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/virtual_touchpad.te:
--------------------------------------------------------------------------------
1 | typeattribute virtual_touchpad coredomain;
2 |
3 | init_daemon_domain(virtual_touchpad)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/vzwomatrigger_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the VzwOmaTrigger app.
3 | ###
4 | type vzwomatrigger_app, domain;
5 |
6 | app_domain(vzwomatrigger_app)
7 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;
2 |
3 | init_daemon_domain(watchdogd)
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/artd.te:
--------------------------------------------------------------------------------
1 | # ART service daemon.
2 | type artd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/atrace.te:
--------------------------------------------------------------------------------
1 | type atrace, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/blkid.te:
--------------------------------------------------------------------------------
1 | # blkid called from vold
2 | type blkid, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices
2 | type blkid_untrusted, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/bluetooth.te:
--------------------------------------------------------------------------------
1 | # bluetooth subsystem
2 | type bluetooth, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/bpfloader.te:
--------------------------------------------------------------------------------
1 | type bpfloader, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/charger.te:
--------------------------------------------------------------------------------
1 | type charger, charger_type, domain;
2 | type charger_exec, system_file_type, exec_type, file_type;
3 |
4 | # The system charger is a client of HIDL health HAL.
5 | hal_client_domain(charger, hal_health)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/charger_vendor.te:
--------------------------------------------------------------------------------
1 | # Context when health HAL runs charger mode
2 |
3 | type charger_vendor, charger_type, domain;
4 | hal_server_domain(charger_vendor, hal_health)
5 |
6 | typeattribute charger_vendor bpfdomain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/evsmanagerd.te:
--------------------------------------------------------------------------------
1 | # evsmanager daemon
2 | type evsmanagerd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/gmscore_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the PrebuiltGMSCore app.
3 | ###
4 |
5 | type gmscore_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/gpuservice.te:
--------------------------------------------------------------------------------
1 | # gpuservice - server for gpu stats and other gpu related services
2 | type gpuservice, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 |
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/hal_ivn.te:
--------------------------------------------------------------------------------
1 | # Binder IPC from client to server. No server-to-client binder_call is declared here, and the service is registered through hal_attribute_service rather than hal_attribute_hwservice.
2 | binder_call(hal_ivn_client, hal_ivn_server)
3 |
4 | hal_attribute_service(hal_ivn, hal_ivn_service)
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)
3 | binder_call(hal_vr_server, hal_vr_client)
4 |
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/healthd.te:
--------------------------------------------------------------------------------
1 | # healthd - battery/charger monitoring service daemon
2 | # healthd is removed. The type is kept for backwards compatibility.
3 |
4 | type healthd, domain;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/heapprofd.te:
--------------------------------------------------------------------------------
1 | type heapprofd, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/incident_helper.te:
--------------------------------------------------------------------------------
1 | # The incident_helper is called by incidentd and
2 | # can only read/write data from/to incidentd
3 |
4 | # incident_helper
5 | type incident_helper, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/incidentd.te:
--------------------------------------------------------------------------------
1 | # incidentd
2 | type incidentd, domain;
3 |
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/isolated_compute_app.te:
--------------------------------------------------------------------------------
1 | type isolated_compute_app, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/keystore_keys.te:
--------------------------------------------------------------------------------
1 | # A keystore2 namespace for WI-FI.
2 | type wifi_key, keystore2_key_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/llkd.te:
--------------------------------------------------------------------------------
1 | # llkd Live LocK Daemon
2 | type llkd, domain, mlstrustedsubject;  # NOTE(review): mlstrustedsubject is presumably what the MLS constraints use to exempt a subject; confirm against the mls policy file
3 | type llkd_exec, system_file_type, exec_type, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/mdnsd.te:
--------------------------------------------------------------------------------
1 | # mdns daemon
2 | type mdnsd, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/mediaprovider.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for android.process.media, which contains both
3 | ### MediaProvider and DownloadProvider and associated services.
4 | ###
5 |
6 | type mediaprovider, domain;
7 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/mediatranscoding.te:
--------------------------------------------------------------------------------
1 | type mediatranscoding, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/netutils_wrapper.te:
--------------------------------------------------------------------------------
1 | type netutils_wrapper, domain;
2 | type netutils_wrapper_exec, system_file_type, exec_type, file_type;
3 | # Build-time assertion: no domain may execute netutils_wrapper_exec without a domain transition (execute_no_trans), so the wrapper cannot run with its caller's permissions.
4 | neverallow domain netutils_wrapper_exec:file execute_no_trans;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/network_stack.te:
--------------------------------------------------------------------------------
1 | # Network stack service app
2 | type network_stack, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/nfc.te:
--------------------------------------------------------------------------------
1 | # nfc subsystem
2 | type nfc, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/otapreopt_chroot.te:
--------------------------------------------------------------------------------
1 | # otapreopt_chroot seclabel
2 |
3 | # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
4 | type otapreopt_chroot, domain;
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/perfetto.te:
--------------------------------------------------------------------------------
1 | type perfetto, domain, coredomain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/platform_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### Apps signed with the platform key.
3 | ###
4 |
5 | type platform_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/priv_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing privileged apps.
3 | ###
4 |
5 | type priv_app, domain;
6 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/prng_seeder.te:
--------------------------------------------------------------------------------
1 | # PRNG seeder daemon
2 | type prng_seeder, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/rkpd_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for sandboxing the remote key provisioning daemon
3 | ### app that is shipped via mainline.
4 | ###
5 |
6 | type rkpdapp, domain;  # NOTE(review): the type is spelled rkpdapp, without the underscore used in this file name
7 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;  # role r is authorised for every type that carries the domain attribute
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/rootdisk_sysdev.te:
--------------------------------------------------------------------------------
1 | allow rootdisk_sysdev sysfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/rs.te:
--------------------------------------------------------------------------------
1 | type rs, domain, coredomain;
2 | type rs_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/rss_hwm_reset.te:
--------------------------------------------------------------------------------
1 | # rss_hwm_reset resets RSS high-water mark counters for all processes.
2 | type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/runas_app.te:
--------------------------------------------------------------------------------
1 | type runas_app, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/secure_element.te:
--------------------------------------------------------------------------------
1 | # secure_element subsystem
2 | type secure_element, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/shared_relro.te:
--------------------------------------------------------------------------------
1 | # Process which creates/updates shared RELRO files to be used by other apps.
2 | type shared_relro, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/simpleperf.te:
--------------------------------------------------------------------------------
1 | type simpleperf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/simpleperf_app_runner.te:
--------------------------------------------------------------------------------
1 | type simpleperf_app_runner, domain, mlstrustedsubject;
2 | type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)
2 | add_service(stats_service_server, fwk_stats_service)
3 |
4 | binder_use(stats_service_server)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/surfaceflinger.te:
--------------------------------------------------------------------------------
1 | # surfaceflinger - display compositor service
2 | type surfaceflinger, domain;
3 | type surfaceflinger_tmpfs, file_type;
4 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/traced.te:
--------------------------------------------------------------------------------
1 | type traced, domain, coredomain, mlstrustedsubject;
2 | type traced_tmpfs, file_type;
3 |
4 |
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/traced_perf.te:
--------------------------------------------------------------------------------
1 | type traced_perf, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/traced_probes.te:
--------------------------------------------------------------------------------
1 | type traced_probes, domain, coredomain, mlstrustedsubject;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/usbd.te:
--------------------------------------------------------------------------------
1 | type usbd, domain;
2 | type usbd_exec, system_file_type, exec_type, file_type;
3 |
4 | binder_call(usbd, servicemanager)
5 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/userdata_sysdev.te:
--------------------------------------------------------------------------------
1 | allow userdata_sysdev sysfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/vendor_modprobe.te:
--------------------------------------------------------------------------------
1 | type vendor_modprobe, domain;
2 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/vndservice.te:
--------------------------------------------------------------------------------
1 | type service_manager_vndservice, vndservice_manager_type;
2 | type default_android_vndservice, vndservice_manager_type;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/vndservicemanager.te:
--------------------------------------------------------------------------------
1 | # vndservicemanager - the Binder context manager for vendor processes
2 | type vndservicemanager, domain;
3 |
--------------------------------------------------------------------------------
/prebuilts/api/34.0/public/zygote.te:
--------------------------------------------------------------------------------
1 | # zygote
2 | type zygote, domain;
3 | type zygote_tmpfs, file_type;
4 | type zygote_exec, system_file_type, exec_type, file_type;
5 |
--------------------------------------------------------------------------------
/private/bluetoothdomain.te:
--------------------------------------------------------------------------------
1 | # Allow clients to use a socket provided by the bluetooth app. The permission set has no create, bind, listen, accept or connectto, so this rule only covers I/O and option handling on a socket that already exists.
2 | allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
3 |
--------------------------------------------------------------------------------
/private/camera_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(camera_service_server, fwk_camera_hwservice)
2 |
--------------------------------------------------------------------------------
/private/charger_vendor.te:
--------------------------------------------------------------------------------
1 | hal_server_domain(charger_vendor, hal_health)
2 |
3 | typeattribute charger_vendor bpfdomain;
4 |
--------------------------------------------------------------------------------
/private/compat/202404/202404.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 202404 vendors.
2 | ;; will be compiled along with other normal policy files, on 202404 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/private/compat/31.0/31.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 31.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/private/compat/32.0/32.0.compat.cil:
--------------------------------------------------------------------------------
1 | ;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
2 | ;; will be compiled along with other normal policy files, on 32.0 vendors.
3 | ;;
4 |
--------------------------------------------------------------------------------
/private/display_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(display_service_server, fwk_display_hwservice)
2 |
--------------------------------------------------------------------------------
/private/hal_atrace.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_atrace_client, hal_atrace_server)
3 |
4 | hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
5 |
--------------------------------------------------------------------------------
/private/hal_input_classifier.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_input_classifier_client, hal_input_classifier_server)
3 |
4 | hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
5 |
--------------------------------------------------------------------------------
/private/hal_ivn.te:
--------------------------------------------------------------------------------
1 | # Binder IPC from client to server. No server-to-client binder_call is declared here, and the service is registered through hal_attribute_service rather than hal_attribute_hwservice.
2 | binder_call(hal_ivn_client, hal_ivn_server)
3 |
4 | hal_attribute_service(hal_ivn, hal_ivn_service)
5 |
--------------------------------------------------------------------------------
/private/hal_lazy_test.te:
--------------------------------------------------------------------------------
1 | userdebug_or_eng(`
2 | hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
3 | ')  # compiled in only for userdebug and eng builds; user builds do not get this hwservice rule
4 |
--------------------------------------------------------------------------------
/private/hal_vr.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server, and callbacks
2 | binder_call(hal_vr_client, hal_vr_server)
3 | binder_call(hal_vr_server, hal_vr_client)
4 |
5 | hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
6 |
--------------------------------------------------------------------------------
/private/healthd.te:
--------------------------------------------------------------------------------
1 | typeattribute healthd coredomain;  # adds the coredomain attribute to healthd; the type itself is declared outside this file
2 |
--------------------------------------------------------------------------------
/private/iw.te:
--------------------------------------------------------------------------------
1 | type iw, domain, coredomain;  # process domain, member of coredomain
2 | type iw_exec, system_file_type, exec_type, file_type;  # label for the executable, typed as a system file
3 |
4 | init_daemon_domain(iw)  # presumably the init to iw transition on exec of iw_exec - confirm in te_macros; no allow rules are written in this file
5 |
--------------------------------------------------------------------------------
/private/port_contexts:
--------------------------------------------------------------------------------
1 | # portcon statements go here, e.g.
2 | # portcon tcp 80 u:object_r:http_port:s0
3 |
4 |
--------------------------------------------------------------------------------
/private/roles_decl:
--------------------------------------------------------------------------------
1 | role r;  # declares the role r, the only role in this file
2 |
--------------------------------------------------------------------------------
/private/rootdisk_sysdev.te:
--------------------------------------------------------------------------------
1 | allow rootdisk_sysdev sysfs:filesystem associate;  # lets objects labelled rootdisk_sysdev exist on a filesystem labelled sysfs; grants no process access by itself
2 |
--------------------------------------------------------------------------------
/private/scheduler_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)  # scheduler_service_server may register fwk_scheduler_hwservice; whether other domains are barred from registering it depends on the macro (defined outside this file)
2 |
--------------------------------------------------------------------------------
/private/sensor_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(sensor_service_server, fwk_sensor_hwservice)  # sensor_service_server may register fwk_sensor_hwservice; whether other domains are barred from registering it depends on the macro (defined outside this file)
2 |
--------------------------------------------------------------------------------
/private/stats_service_server.te:
--------------------------------------------------------------------------------
1 | add_hwservice(stats_service_server, fwk_stats_hwservice)  # registration of the hwservice variant
2 | add_service(stats_service_server, fwk_stats_service)  # registration of the service_manager variant; both macros are defined outside this file
3 |
4 | binder_use(stats_service_server)  # presumably the baseline binder access needed to reach the service manager - confirm in te_macros
5 |
--------------------------------------------------------------------------------
/private/tee.te:
--------------------------------------------------------------------------------
1 | allow tee fingerprint_vendor_data_file:dir rw_dir_perms;  # tee may read and modify directories labelled fingerprint_vendor_data_file (permission set defined outside this file)
2 | allow tee fingerprint_vendor_data_file:file create_file_perms;  # tee may also create files there; NOTE(review): confirm the create set is required rather than a narrower read/write set
3 |
--------------------------------------------------------------------------------
/private/userdata_sysdev.te:
--------------------------------------------------------------------------------
1 | allow userdata_sysdev sysfs:filesystem associate;  # lets objects labelled userdata_sysdev exist on a filesystem labelled sysfs; grants no process access by itself
2 |
--------------------------------------------------------------------------------
/private/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;  # single SELinux user u, limited to role r, default level s0, range s0 up to mls_systemhigh (defined outside this file)
2 |
--------------------------------------------------------------------------------
/private/vzwomatrigger_app.te:
--------------------------------------------------------------------------------
1 | ###
2 | ### A domain for further sandboxing the VzwOmaTrigger app.
3 | ###
4 | type vzwomatrigger_app, domain;  # dedicated domain type for the app
5 |
6 | app_domain(vzwomatrigger_app)  # NOTE(review): nothing beyond the app_domain macro appears in this file, so any restriction specific to this app must be written elsewhere - verify it exists
7 |
--------------------------------------------------------------------------------
/private/watchdogd.te:
--------------------------------------------------------------------------------
1 | typeattribute watchdogd coredomain;  # adds the coredomain attribute; the type itself is declared outside this file
2 |
3 | init_daemon_domain(watchdogd)  # presumably the init to watchdogd transition on exec - confirm in te_macros
4 |
5 | allow watchdogd watchdog_device:chr_file rw_file_perms;  # read/write on the watchdog character device
6 | allow watchdogd kmsg_device:chr_file rw_file_perms;  # NOTE(review): rw also grants read on the kmsg device; confirm read is needed and a write-only set would not do
7 |
--------------------------------------------------------------------------------
/public/blkid_untrusted.te:
--------------------------------------------------------------------------------
1 | # blkid for untrusted block devices
2 | type blkid_untrusted, domain;  # only the domain type is declared here; the rules that confine it are not in this file
3 |
--------------------------------------------------------------------------------
/public/roles:
--------------------------------------------------------------------------------
1 | role r types domain;  # role r may be combined with every type that carries the domain attribute
2 |
--------------------------------------------------------------------------------
/reqd_mask/access_vectors:
--------------------------------------------------------------------------------
1 | ../private/access_vectors
--------------------------------------------------------------------------------
/reqd_mask/initial_sid_contexts:
--------------------------------------------------------------------------------
1 | sid reqd_mask u:r:reqd_mask_type:s0  # security context assigned to the reqd_mask initial SID
2 |
--------------------------------------------------------------------------------
/reqd_mask/initial_sids:
--------------------------------------------------------------------------------
1 | sid reqd_mask  # the only initial SID declared in this file
2 |
3 | # FLASK
4 |
--------------------------------------------------------------------------------
/reqd_mask/keys.conf:
--------------------------------------------------------------------------------
1 | # empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
2 | # on devices without any keys.conf or mac_permissions additions.
3 |
--------------------------------------------------------------------------------
/reqd_mask/mac_permissions.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/reqd_mask/mls:
--------------------------------------------------------------------------------
1 | mlsconstrain binder { set_context_mgr } (l1 eq l2);  # set_context_mgr on the binder class is permitted only when the source level (l1) equals the target level (l2)
2 |
--------------------------------------------------------------------------------
/reqd_mask/mls_decl:
--------------------------------------------------------------------------------
1 | ../private/mls_decl
--------------------------------------------------------------------------------
/reqd_mask/mls_macros:
--------------------------------------------------------------------------------
1 | ../private/mls_macros
--------------------------------------------------------------------------------
/reqd_mask/property_contexts:
--------------------------------------------------------------------------------
1 | # empty property_contexts file - this file is used to generate an empty
2 | # non-platform property context for devices without any property_contexts
3 | # customizations.
4 |
--------------------------------------------------------------------------------
/reqd_mask/reqd_mask.te:
--------------------------------------------------------------------------------
1 | type reqd_mask_type;  # bare type with no attributes; used by the reqd_mask roles and initial_sid_contexts files
2 |
--------------------------------------------------------------------------------
/reqd_mask/roles:
--------------------------------------------------------------------------------
1 | role r types reqd_mask_type;  # role r may be combined with reqd_mask_type only
2 |
--------------------------------------------------------------------------------
/reqd_mask/roles_decl:
--------------------------------------------------------------------------------
1 | role r;  # declares the role r, the only role in this file
2 |
--------------------------------------------------------------------------------
/reqd_mask/seapp_contexts:
--------------------------------------------------------------------------------
1 | # empty seapp_contexts file - used to generate an empty seapp_contexts for
2 | # devices without any non-platform seapp_contexts customizations.
3 |
--------------------------------------------------------------------------------
/reqd_mask/security_classes:
--------------------------------------------------------------------------------
1 | ../private/security_classes
--------------------------------------------------------------------------------
/reqd_mask/service_contexts:
--------------------------------------------------------------------------------
1 | # empty service_contexts file - this file is used to generate an empty
2 | # non-platform service_context for devices without any service_contexts
3 | # customizations.
4 |
--------------------------------------------------------------------------------
/reqd_mask/users:
--------------------------------------------------------------------------------
1 | user u roles { r } level s0 range s0 - mls_systemhigh;  # single SELinux user u, limited to role r, default level s0, range s0 up to mls_systemhigh (defined outside this file)
2 |
--------------------------------------------------------------------------------
/vendor/file.te:
--------------------------------------------------------------------------------
1 | type hostapd_data_file, file_type, data_file_type;  # data-file label; name suggests hostapd state - NOTE(review): presumably holds network credentials, so check which domains are granted access
2 | type wpa_data_file, file_type, data_file_type;  # data-file label; name suggests wpa_supplicant state - same review point applies
3 |
--------------------------------------------------------------------------------
/vendor/hal_ir_default.te:
--------------------------------------------------------------------------------
1 | type hal_ir_default, domain;  # domain type; the name indicates the default hal_ir implementation
2 | hal_server_domain(hal_ir_default, hal_ir)  # enrols the domain as a hal_ir server, so its access comes from the hal_ir attribute rules (macro defined outside this file)
3 |
4 | type hal_ir_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_ir_default)  # presumably the init to hal_ir_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_light_default.te:
--------------------------------------------------------------------------------
1 | type hal_light_default, domain;  # domain type; the name indicates the default hal_light implementation
2 | hal_server_domain(hal_light_default, hal_light)  # enrols the domain as a hal_light server, so its access comes from the hal_light attribute rules (macro defined outside this file)
3 |
4 | type hal_light_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_light_default)  # presumably the init to hal_light_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_lowpan_default.te:
--------------------------------------------------------------------------------
1 | type hal_lowpan_default, domain;  # domain type; the name indicates the default hal_lowpan implementation
2 | type hal_lowpan_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
3 |
4 | hal_server_domain(hal_lowpan_default, hal_lowpan)  # enrols the domain as a hal_lowpan server, so its access comes from the hal_lowpan attribute rules (macro defined outside this file)
5 | init_daemon_domain(hal_lowpan_default)  # presumably the init to hal_lowpan_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_nfc_default.te:
--------------------------------------------------------------------------------
1 | type hal_nfc_default, domain;  # domain type; the name indicates the default hal_nfc implementation
2 | hal_server_domain(hal_nfc_default, hal_nfc)  # enrols the domain as a hal_nfc server, so its access comes from the hal_nfc attribute rules (macro defined outside this file)
3 |
4 | type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_nfc_default)  # presumably the init to hal_nfc_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_power_default.te:
--------------------------------------------------------------------------------
1 | type hal_power_default, domain;  # domain type; the name indicates the default hal_power implementation
2 | hal_server_domain(hal_power_default, hal_power)  # enrols the domain as a hal_power server, so its access comes from the hal_power attribute rules (macro defined outside this file)
3 |
4 | type hal_power_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_power_default)  # presumably the init to hal_power_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_tv_cec_default.te:
--------------------------------------------------------------------------------
1 | type hal_tv_cec_default, domain;  # domain type; the name indicates the default hal_tv_cec implementation
2 | hal_server_domain(hal_tv_cec_default, hal_tv_cec)  # enrols the domain as a hal_tv_cec server, so its access comes from the hal_tv_cec attribute rules (macro defined outside this file)
3 |
4 | type hal_tv_cec_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_tv_cec_default)  # presumably the init to hal_tv_cec_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_usb_default.te:
--------------------------------------------------------------------------------
1 | type hal_usb_default, domain;  # domain type; the name indicates the default hal_usb implementation
2 | hal_server_domain(hal_usb_default, hal_usb)  # enrols the domain as a hal_usb server, so its access comes from the hal_usb attribute rules (macro defined outside this file)
3 |
4 | type hal_usb_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_usb_default)  # presumably the init to hal_usb_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_uwb_default.te:
--------------------------------------------------------------------------------
1 | type hal_uwb_default, domain;  # domain type; the name indicates the default hal_uwb implementation
2 | hal_server_domain(hal_uwb_default, hal_uwb)  # enrols the domain as a hal_uwb server, so its access comes from the hal_uwb attribute rules (macro defined outside this file)
3 |
4 | type hal_uwb_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_uwb_default)  # presumably the init to hal_uwb_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_vr_default.te:
--------------------------------------------------------------------------------
1 | type hal_vr_default, domain;  # domain type; the name indicates the default hal_vr implementation
2 | hal_server_domain(hal_vr_default, hal_vr)  # enrols the domain as a hal_vr server, so its access comes from the hal_vr attribute rules (macro defined outside this file)
3 |
4 | type hal_vr_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_vr_default)  # presumably the init to hal_vr_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_weaver_default.te:
--------------------------------------------------------------------------------
1 | type hal_weaver_default, domain;  # domain type; the name indicates the default hal_weaver implementation
2 | hal_server_domain(hal_weaver_default, hal_weaver)  # enrols the domain as a hal_weaver server, so its access comes from the hal_weaver attribute rules (macro defined outside this file)
3 |
4 | type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_weaver_default)  # presumably the init to hal_weaver_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/hal_wifi_default.te:
--------------------------------------------------------------------------------
1 | type hal_wifi_default, domain;  # domain type; the name indicates the default hal_wifi implementation
2 | hal_server_domain(hal_wifi_default, hal_wifi)  # enrols the domain as a hal_wifi server, so its access comes from the hal_wifi attribute rules (macro defined outside this file)
3 |
4 | type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;  # label for the executable, typed as a vendor file
5 | init_daemon_domain(hal_wifi_default)  # presumably the init to hal_wifi_default transition on exec - confirm in te_macros; no allow rules are written in this file
6 |
--------------------------------------------------------------------------------
/vendor/vendor_misc_writer.te:
--------------------------------------------------------------------------------
1 | init_daemon_domain(vendor_misc_writer)  # only the macro call lives here; the vendor_misc_writer type and its executable label are declared outside this file
2 |
--------------------------------------------------------------------------------
/vendor/vndservice_contexts:
--------------------------------------------------------------------------------
1 | manager u:object_r:service_manager_vndservice:s0
2 | * u:object_r:default_android_vndservice:s0
3 | # Only manager has an explicit label; the * entry labels every other vndservice name as default_android_vndservice. NOTE(review): check which domains may add or find that default type.
--------------------------------------------------------------------------------