diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te index 4628314f3c2a557687a6619b3c949504f59df0d1..8d9ccd6720730fe93db722c492c48505ddc2d4a7 100644 --- a/prebuilts/api/28.0/private/app_neverallows.te +++ b/prebuilts/api/28.0/private/app_neverallows.te @@ -93,9 +93,7 @@ neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_fil # application un-installation. neverallow { all_untrusted_apps -mediaprovider } { fs_type - -fuse # sdcard - -sdcardfs # sdcard - -vfat + -sdcard_type file_type -app_data_file # The apps sandbox itself -media_rw_data_file # Internal storage. Known that apps can diff --git a/prebuilts/api/28.0/private/bug_map b/prebuilts/api/28.0/private/bug_map index 2727cd2d351e824e7cb6be3e100dab3f9869dceb..4020c03e2a1012730bde3e198fce51a956aa314c 100644 --- a/prebuilts/api/28.0/private/bug_map +++ b/prebuilts/api/28.0/private/bug_map 
@@ -1,7 +1,45 @@
+dexoptanalyzer apk_data_file file 77853712
+dexoptanalyzer app_data_file file 77853712
+dexoptanalyzer app_data_file lnk_file 77853712
+dexoptanalyzer system_data_file lnk_file 77853712
+dnsmasq netd fifo_file 77868789
+dnsmasq netd unix_stream_socket 77868789
+init app_data_file file 77873135
+init cache_file blk_file 77873135
+init logpersist file 77873135
+init nativetest_data_file dir 77873135
+init pstorefs dir 77873135
+init shell_data_file dir 77873135
+init shell_data_file file 77873135
+init shell_data_file lnk_file 77873135
+init shell_data_file sock_file 77873135
+init system_data_file chr_file 77873135
+mediaextractor app_data_file file 77923736
+mediaextractor radio_data_file file 77923736
+mediaprovider cache_file blk_file 77925342
+mediaprovider mnt_media_rw_file dir 77925342
+mediaprovider shell_data_file dir 77925342
+netd priv_app unix_stream_socket 77870037
+netd untrusted_app unix_stream_socket 77870037
+netd untrusted_app_25 unix_stream_socket 77870037
+netd untrusted_app_27 unix_stream_socket 77870037
+otapreopt_chroot postinstall_file lnk_file 75287236
 platform_app nfc_data_file dir 74331887
+postinstall postinstall capability 77958490
+postinstall_dexopt postinstall_dexopt capability 77958490
+postinstall_dexopt user_profile_data_file file 77958490
 priv_app system_data_file dir 72811052
+profman apk_data_file dir 77922323
+radio statsdw_socket sock_file 78456764
+statsd hal_health_default binder 77919007
+storaged storaged capability 77634061
+surfaceflinger mediacodec binder 77924251
 system_server crash_dump process 73128755
+system_server logd_socket sock_file 64734187
+system_server sdcardfs file 77856826
+system_server zygote process 77856826
 untrusted_app_25 system_data_file dir 72550646
 untrusted_app_27 system_data_file dir 72550646
 usbd usbd capability 72472544
 system_server sysfs file 77816522
+zygote untrusted_app_25 process 77925912
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil index 71c7a007445f8a5bb97ebf474085f6b7572c9c96..3d243d419795d191b96bf50e63d57a4bdeb4ba44 100644 --- a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil +++ b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil @@ -18,6 +18,7 @@ crossprofileapps_service e2fs e2fs_exec + exfat exported_bluetooth_prop exported_config_prop exported_dalvik_prop @@ -43,17 +44,20 @@ exported3_system_prop fingerprint_vendor_data_file fs_bpf + hal_audiocontrol_hwservice hal_authsecret_hwservice hal_broadcastradio_hwservice hal_cas_hwservice hal_codec2_hwservice hal_confirmationui_hwservice + hal_evs_hwservice hal_lowpan_hwservice hal_neuralnetworks_hwservice hal_secure_element_hwservice hal_tetheroffload_hwservice hal_wifi_hostapd_hwservice hal_usb_gadget_hwservice + hal_vehicle_hwservice hal_wifi_offload_hwservice incident_helper incident_helper_exec @@ -64,6 +68,8 @@ lowpan_service mediaextractor_update_service mediaprovider_tmpfs + metadata_file + mnt_vendor_file netd_stable_secret_prop network_watchlist_data_file network_watchlist_service @@ -86,6 +92,8 @@ statsd statsd_exec statsd_tmpfs + statsdw + statsdw_socket statscompanion_service storaged_data_file sysfs_fs_ext4_features @@ -105,6 +113,7 @@ traceur_app_tmpfs traced traced_consumer_socket + traced_enabled_prop traced_exec traced_probes traced_probes_exec @@ -114,6 +123,7 @@ untrusted_app_all_devpts update_engine_log_data_file vendor_default_prop + vendor_security_patch_level_prop usbd usbd_exec usbd_tmpfs diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil index 94c81d0cb8332f2a6915bdbe12a583a1a3dfbeda..dbb277bd984c430b5fd8b06c6493f194b3e8c1aa 100644 --- a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil +++ b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil 
@@ -14,6 +14,7 @@ bpfloader_exec cgroup_bpf crossprofileapps_service + exfat exported2_config_prop exported2_default_prop exported2_radio_prop @@ -39,12 +40,15 @@ exported_wifi_prop fingerprint_vendor_data_file fs_bpf + hal_audiocontrol_hwservice hal_authsecret_hwservice hal_codec2_hwservice hal_confirmationui_hwservice + hal_evs_hwservice hal_lowpan_hwservice hal_secure_element_hwservice hal_usb_gadget_hwservice + hal_vehicle_hwservice hal_wifi_hostapd_hwservice incident_helper incident_helper_exec @@ -53,6 +57,8 @@ lowpan_prop lowpan_service mediaextractor_update_service + metadata_file + mnt_vendor_file network_watchlist_data_file network_watchlist_service perfetto @@ -74,6 +80,8 @@ statsd statsd_exec statsd_tmpfs + statsdw + statsdw_socket storaged_data_file system_boot_reason_prop system_update_service @@ -81,6 +89,7 @@ trace_data_file traced traced_consumer_socket + traced_enabled_prop traced_exec traced_probes traced_probes_exec @@ -96,6 +105,7 @@ usbd_tmpfs vendor_default_prop vendor_init + vendor_security_patch_level_prop vendor_shell vold_metadata_file vold_prepare_subdirs diff --git a/prebuilts/api/28.0/private/file.te b/prebuilts/api/28.0/private/file.te index fda972b48f11e374048e78ade629a76df82db556..58ee0def82540ac88fbc049c5eef678f32235a95 100644 --- a/prebuilts/api/28.0/private/file.te +++ b/prebuilts/api/28.0/private/file.te @@ -4,6 +4,8 @@ type config_gz, fs_type, proc_type; # /data/misc/stats-data, /data/misc/stats-service type stats_data_file, file_type, data_file_type, core_data_file_type; +type statsdw_socket, file_type, coredomain_socket, mlstrustedobject; + # /data/misc/storaged type storaged_data_file, file_type, data_file_type, core_data_file_type; diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts index c5169ff60060848755275c267bbd59770e3c1027..71bff736572776b534a04644f3d4959f28cc128b 100644 --- a/prebuilts/api/28.0/private/file_contexts +++ b/prebuilts/api/28.0/private/file_contexts 
@@ -132,6 +132,7 @@ /dev/socket/logd u:object_r:logd_socket:s0 /dev/socket/logdr u:object_r:logdr_socket:s0 /dev/socket/logdw u:object_r:logdw_socket:s0 +/dev/socket/statsdw u:object_r:statsdw_socket:s0 /dev/socket/mdns u:object_r:mdns_socket:s0 /dev/socket/mdnsd u:object_r:mdnsd_socket:s0 /dev/socket/mtpd u:object_r:mtpd_socket:s0 @@ -526,3 +527,7 @@ /mnt/user(/.*)? u:object_r:mnt_user_file:s0 /mnt/runtime(/.*)? u:object_r:storage_file:s0 /storage(/.*)? u:object_r:storage_file:s0 + +############################# +# mount point for read-write vendor partitions +/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0 diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts index c261afa9e8ad369e94184f52a0e316bcf7ea36cc..ce26d73a69efedc4663de19afb358d5d7d2b2444 100644 --- a/prebuilts/api/28.0/private/genfs_contexts +++ b/prebuilts/api/28.0/private/genfs_contexts @@ -229,6 +229,7 @@ genfscon debugfs /tracing/events/lowmemorykiller/ genfscon inotifyfs / u:object_r:inotify:s0 genfscon vfat / u:object_r:vfat:s0 +genfscon exfat / u:object_r:exfat:s0 genfscon debugfs / u:object_r:debugfs:s0 genfscon fuse / u:object_r:fuse:s0 genfscon configfs / u:object_r:configfs:s0 diff --git a/prebuilts/api/28.0/private/hwservice_contexts b/prebuilts/api/28.0/private/hwservice_contexts index 998bf2fea8f6d05994af19b334833a986f920c68..c75c0a57660e1f2f68dc6416809b94b7f9c39d39 100644 --- a/prebuilts/api/28.0/private/hwservice_contexts +++ b/prebuilts/api/28.0/private/hwservice_contexts 
@@ -4,6 +4,9 @@ android.frameworks.sensorservice::ISensorManager u:object_r:fwk_s android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0 android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0 android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0 +android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0 +android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0 +android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0 android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0 diff --git a/prebuilts/api/28.0/private/hwservicemanager.te b/prebuilts/api/28.0/private/hwservicemanager.te index f56e0c61df3084de7bba55cadd0ae891b9514a26..45b62d075185c08f2c9d5a256757447e2d7b9612 100644 --- a/prebuilts/api/28.0/private/hwservicemanager.te +++ b/prebuilts/api/28.0/private/hwservicemanager.te @@ -6,3 +6,4 @@ add_hwservice(hwservicemanager, hidl_manager_hwservice) add_hwservice(hwservicemanager, hidl_token_hwservice) set_prop(hwservicemanager, ctl_default_prop) +set_prop(hwservicemanager, ctl_dumpstate_prop) diff --git a/prebuilts/api/28.0/private/platform_app.te b/prebuilts/api/28.0/private/platform_app.te index 80b20e1454e0cb8cd5efba77de2c2ad9e3c2796c..f60597a7ef59918bbe2d4405781b6777b8e0bd82 100644 --- a/prebuilts/api/28.0/private/platform_app.te +++ b/prebuilts/api/28.0/private/platform_app.te 
@@ -34,8 +34,8 @@ allow platform_app cache_file:file create_file_perms; # Direct access to vold-mounted storage under /mnt/media_rw # This is a performance optimization that allows platform apps to bypass the FUSE layer allow platform_app mnt_media_rw_file:dir r_dir_perms; -allow platform_app vfat:dir create_dir_perms; -allow platform_app vfat:file create_file_perms; +allow platform_app sdcard_type:dir create_dir_perms; +allow platform_app sdcard_type:file create_file_perms; # com.android.systemui allow platform_app rootfs:dir getattr; diff --git a/prebuilts/api/28.0/private/priv_app.te b/prebuilts/api/28.0/private/priv_app.te index 99397a5bc418448733678c4b1c56f813d9af4468..9ff8d0910cec206596f8ab2207b5ebc5c77a1fe3 100644 --- a/prebuilts/api/28.0/private/priv_app.te +++ b/prebuilts/api/28.0/private/priv_app.te @@ -140,6 +140,7 @@ unix_socket_connect(priv_app, traced_producer, traced) # suppress denials for non-API accesses. dontaudit priv_app exec_type:file getattr; dontaudit priv_app device:dir read; +dontaudit priv_app fs_bpf:dir search; dontaudit priv_app net_dns_prop:file read; dontaudit priv_app proc:file read; dontaudit priv_app proc_interrupts:file read; diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts index ecde9d3ea43f9e0babbb2547d7d6c46edfa2c03a..eeb2b6582e7716a99b07072ee7b0d77818f0b340 100644 --- a/prebuilts/api/28.0/private/property_contexts +++ b/prebuilts/api/28.0/private/property_contexts @@ -59,6 +59,7 @@ persist.sys.audit_safemode u:object_r:safemode_prop:s0 persist.service. u:object_r:system_prop:s0 persist.service.bdroid. u:object_r:bluetooth_prop:s0 persist.security. u:object_r:system_prop:s0 +persist.traced.enable u:object_r:traced_enabled_prop:s0 persist.vendor.overlay. u:object_r:overlay_prop:s0 ro.boot.vendor.overlay. u:object_r:overlay_prop:s0 ro.boottime. u:object_r:boottime_prop:s0 
@@ -93,6 +94,7 @@ ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0 # ctl properties ctl.bootanim u:object_r:ctl_bootanim_prop:s0 +ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0 ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0 ctl.fuse_ u:object_r:ctl_fuse_prop:s0 ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0 diff --git a/prebuilts/api/28.0/private/statsd.te b/prebuilts/api/28.0/private/statsd.te index fec10a4b69aa8d35f7085fb59657da9341d56add..769b4e017cd1b9487283c115349e5d2627897464 100644 --- a/prebuilts/api/28.0/private/statsd.te +++ b/prebuilts/api/28.0/private/statsd.te @@ -1,4 +1,4 @@ -type statsd, domain; +type statsd, domain, mlstrustedsubject; typeattribute statsd coredomain; init_daemon_domain(statsd) @@ -73,6 +73,7 @@ binder_call(statsd, stats) # Allow access to with hardware layer and process stats. allow statsd proc_uid_cputime_showstat:file { getattr open read }; +hal_client_domain(statsd, hal_health) hal_client_domain(statsd, hal_power) hal_client_domain(statsd, hal_thermal) @@ -81,6 +82,13 @@ allow statsd adbd:fd use; allow statsd adbd:unix_stream_socket { getattr read write }; allow statsd shell:fifo_file { getattr read }; +unix_socket_send(bluetooth, statsdw, statsd) +unix_socket_send(bootstat, statsdw, statsd) +unix_socket_send(platform_app, statsdw, statsd) +unix_socket_send(radio, statsdw, statsd) +unix_socket_send(statsd, statsdw, statsd) +unix_socket_send(system_server, statsdw, statsd) + ### ### neverallow rules ### diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te index 9830bd6a93ea1f62545f4bfe558d59a3d4e9a432..5c2335e7f1cc74be71ab0440825b278cea2ddfb7 100644 --- a/prebuilts/api/28.0/private/system_server.te +++ b/prebuilts/api/28.0/private/system_server.te 
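Review bot: The domain declaration now carries `mlstrustedsubject` (`type statsd, domain, mlstrustedsubject;`) with no comment saying which MLS-constrained objects statsd must reach, and that attribute lifts statsd out of every MLS constraint rather than one access path. Presumably it pairs with the new statsdw socket, whose type is declared `mlstrustedobject` in private/file.te and which platform_app, radio and the other senders reach through the `unix_socket_send` rules added further down in this file; if so, say so next to the declaration, e.g. `# mlstrustedsubject: statsd handles data sent over statsdw by domains at other MLS levels (b/<bug-id>)`. If the mlstrustedobject on the socket already covers the denial, the subject-side attribute should be dropped instead.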
@@ -105,6 +105,7 @@ allow system_server appdomain:process { getsched setsched }; allow system_server audioserver:process { getsched setsched }; allow system_server hal_audio:process { getsched setsched }; allow system_server hal_bluetooth:process { getsched setsched }; +allow system_server mediacodec:process { getsched setsched }; allow system_server cameraserver:process { getsched setsched }; allow system_server hal_camera:process { getsched setsched }; allow system_server mediaserver:process { getsched setsched }; @@ -113,6 +114,7 @@ allow system_server bootanim:process { getsched setsched }; # Allow system_server to write to /proc/<pid>/timerslack_ns allow system_server appdomain:file w_file_perms; allow system_server audioserver:file w_file_perms; +allow system_server mediacodec:file w_file_perms; allow system_server cameraserver:file w_file_perms; allow system_server hal_audio_server:file w_file_perms; diff --git a/prebuilts/api/28.0/private/vold_prepare_subdirs.te b/prebuilts/api/28.0/private/vold_prepare_subdirs.te index f93057e608f6dc56d1312f7c03f8b1e886bec10f..0a115584acc3faf3997af7c075c67f8258be0a62 100644 --- a/prebuilts/api/28.0/private/vold_prepare_subdirs.te +++ b/prebuilts/api/28.0/private/vold_prepare_subdirs.te 
@@ -7,13 +7,20 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms; allow vold_prepare_subdirs vold:fd use; allow vold_prepare_subdirs vold:fifo_file { read write }; allow vold_prepare_subdirs file_contexts_file:file r_file_perms; -allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override }; +allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner }; allow vold_prepare_subdirs self:process setfscreate; allow vold_prepare_subdirs { system_data_file vendor_data_file -}:dir { open read write add_name remove_name }; -allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir }; -allow vold_prepare_subdirs vold_data_file:file { getattr unlink }; -allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms; -allow vold_prepare_subdirs fingerprint_vendor_data_file:dir create_dir_perms; +}:dir { open read write add_name remove_name rmdir relabelfrom }; +allow vold_prepare_subdirs { + fingerprint_vendor_data_file + storaged_data_file + vold_data_file +}:dir { create_dir_perms relabelto }; +allow vold_prepare_subdirs { + fingerprint_vendor_data_file + storaged_data_file + system_data_file + vold_data_file +}:file { getattr unlink }; diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te index 5df558e398eea4ef9f7dce2c4acb7d0c9aa2fba6..ac11a3a108eeb4f449a1c21304752a2bdf5c07c1 100644 --- a/prebuilts/api/28.0/public/app.te +++ b/prebuilts/api/28.0/public/app.te 
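Review bot: The widened rules carry no comment explaining the new `fowner` capability, the `rmdir relabelfrom` added on `system_data_file`/`vendor_data_file` directories, or the `getattr unlink` on `system_data_file` files; `system_data_file` is the default label for files on /data (public/domain.te says so on this page), so the domain can now unlink and relabel well outside the vold/storaged/fingerprint subtrees it prepares. Add a why-comment above the `}:dir { open read write add_name remove_name rmdir relabelfrom };` rule naming the paths being relabeled and removed, e.g. `# TODO(review): document which /data subdirectories are relabeled/removed here and why fowner is required (b/<bug-id>)`, and reference the matching `-vold_prepare_subdirs` exemption in public/domain.te so the two stay in sync.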
@@ -260,19 +260,12 @@ allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms; allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms; # Read/write visible storage -allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms; -allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms; -allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms; -allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms; +allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms; +allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms; # This should be removed if sdcardfs is modified to alter the secontext for its # accesses to the underlying FS. -allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms; -allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms; - -# Access OBBs (vfat images) mounted by vold (b/17633509) -# File write access allowed for FDs returned through Storage Access Framework -allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms; -allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms; +allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms; +allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms; # Allow apps to use the USB Accessory interface. # http://developer.android.com/guide/topics/connectivity/usb/accessory.html diff --git a/prebuilts/api/28.0/public/attributes b/prebuilts/api/28.0/public/attributes index 159d28e4e700c87694604a33a665b17eae5e1307..6c55c417977499858e024200fccf9bc3d8490389 100644 --- a/prebuilts/api/28.0/public/attributes +++ b/prebuilts/api/28.0/public/attributes 
@@ -240,6 +240,7 @@ expandattribute hal_cas_server false; # HALs hal_attribute(allocator); +hal_attribute(audiocontrol); hal_attribute(authsecret); hal_attribute(bluetooth); hal_attribute(broadcastradio); @@ -247,6 +248,7 @@ hal_attribute(configstore); hal_attribute(confirmationui); hal_attribute(contexthub); hal_attribute(dumpstate); +hal_attribute(evs); hal_attribute(fingerprint); hal_attribute(gatekeeper); hal_attribute(gnss); @@ -271,6 +273,7 @@ hal_attribute(tv_cec); hal_attribute(tv_input); hal_attribute(usb); hal_attribute(usb_gadget); +hal_attribute(vehicle); hal_attribute(vibrator); hal_attribute(vr); hal_attribute(weaver); diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te index 1b7bbd4abf30f44bd89fd48c49205344feabc822..cccc651597a2359e6225bce171c7f38eec710bb8 100644 --- a/prebuilts/api/28.0/public/domain.te +++ b/prebuilts/api/28.0/public/domain.te @@ -363,6 +363,14 @@ neverallow { -system_server -ueventd } hw_random_device:chr_file *; +# b/78174219 b/64114943 +neverallow { + domain + -init + -shell # stat of /dev, getattr only + -vendor_init + -ueventd +} keychord_device:chr_file *; # Ensure that all entrypoint executables are in exec_type or postinstall_file. neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; @@ -560,7 +568,7 @@ neverallow { } serialno_prop:file r_file_perms; # Do not allow reading the last boot timestamp from system properties -neverallow { domain -init -system_server } firstboot_prop:file r_file_perms; +neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; neverallow { domain @@ -600,6 +608,7 @@ neverallow { -init -uncrypt -update_engine + -vendor_init -vold -recovery -ueventd 
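Review bot: The new keychord_device neverallow exempts shell from the whole rule even though the inline comment `-shell # stat of /dev, getattr only` says shell needs only getattr, so the policy does not enforce what the comment promises. If getattr really is all shell needs, express it as two rules: `neverallow { domain -init -vendor_init -ueventd } keychord_device:chr_file ~getattr;` and `neverallow { domain -init -shell -vendor_init -ueventd } keychord_device:chr_file getattr;`. The `~perm` form is already used on this page in hal_configstore.te, so no new syntax is involved.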
@@ -834,13 +843,25 @@ full_treble_only(` -appdomain # TODO(b/34980020) remove exemption for appdomain -coredomain -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up + -vendor_init } { core_data_file_type # libc includes functions like mktime and localtime which attempt to access # files in /data/misc/zoneinfo/tzdata file. These functions are considered # vndk-stable and thus must be allowed for all processes. -zoneinfo_data_file - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write }; + neverallow { + vendor_init + -data_between_core_and_vendor_violators + } { + core_data_file_type + -unencrypted_data_file + -zoneinfo_data_file + }:file_class_set ~{ append getattr ioctl read write }; + # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. + # The vendor init binary lives on the system partition so there is not a concern with stability. + neverallow vendor_init unencrypted_data_file:file ~r_file_perms; ') full_treble_only(` # vendor domains may only access dirs in /data/vendor, never core_data_file_types 
@@ -849,12 +870,26 @@ full_treble_only(` -appdomain # TODO(b/34980020) remove exemption for appdomain -coredomain -data_between_core_and_vendor_violators - } { - core_data_file_type - -system_data_file # default label for files on /data. Covered below... - -vendor_data_file - -zoneinfo_data_file - }:dir *; + -vendor_init + } { + core_data_file_type + -system_data_file # default label for files on /data. Covered below... + -vendor_data_file + -zoneinfo_data_file + }:dir *; + neverallow { + vendor_init + -data_between_core_and_vendor_violators + } { + core_data_file_type + -unencrypted_data_file + -system_data_file + -vendor_data_file + -zoneinfo_data_file + }:dir *; + # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. + # The vendor init binary lives on the system partition so there is not a concern with stability. + neverallow vendor_init unencrypted_data_file:dir ~search; ') full_treble_only(` # vendor domains may only access dirs in /data/vendor, never core_data_file_types @@ -1121,6 +1156,7 @@ neverallow { -system_app -init -installd # for relabelfrom and unlink, check for this in explicit neverallow + -vold_prepare_subdirs # For unlink with_asan(`-asan_extract') } system_data_file:file no_w_file_perms; # do not grant anything greater than r_file_perms and relabelfrom unlink @@ -1355,3 +1391,9 @@ userdebug_or_eng(` dontaudit domain proc_type:file create; dontaudit domain sysfs_type:file create; ') + +# Platform must not have access to /mnt/vendor. +neverallow { + coredomain + -init +} mnt_vendor_file:dir *; diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te index 8906f5dcf4c8431ec3aacc0a8fc502519fb29a85..f3cd8929624b61eb2ca3ee8d3e60d26fcd5cdd00 100644 --- a/prebuilts/api/28.0/public/dumpstate.te +++ b/prebuilts/api/28.0/public/dumpstate.te 
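Review bot: The `-vold_prepare_subdirs # For unlink` exemption takes the domain out of the entire `system_data_file:file no_w_file_perms` neverallow, so the rule would no longer catch a future grant of any other permission in that set, whereas the adjacent installd exemption notes that installd's extra permissions are pinned by an explicit neverallow. Pin this one the same way, e.g. `neverallow vold_prepare_subdirs system_data_file:file ~{ getattr unlink };`, which matches the `{ getattr unlink }` actually granted in private/vold_prepare_subdirs.te in this commit. The enclosing neverallow starts before this hunk.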
@@ -190,6 +190,10 @@ allow dumpstate cache_recovery_file:file r_file_perms; allow dumpstate recovery_data_file:dir r_dir_perms; allow dumpstate recovery_data_file:file r_file_perms; +#Access /data/misc/update_engine_log +allow dumpstate update_engine_log_data_file:dir r_dir_perms; +allow dumpstate update_engine_log_data_file:file r_file_perms; + # Access /data/misc/profiles/{cur,ref}/ userdebug_or_eng(` allow dumpstate user_profile_data_file:dir r_dir_perms; @@ -233,16 +237,8 @@ set_prop(dumpstate, exported_dumpstate_prop) # dumpstate_options_prop is used to pass extra command-line args. set_prop(dumpstate, dumpstate_options_prop) -# Read device's serial number from system properties -get_prop(dumpstate, serialno_prop) - -# Read state of logging-related properties -get_prop(dumpstate, device_logging_prop) - -# Read state of boot reason properties -get_prop(dumpstate, bootloader_boot_reason_prop) -get_prop(dumpstate, last_boot_reason_prop) -get_prop(dumpstate, system_boot_reason_prop) +# Read any system properties +get_prop(dumpstate, property_type) # Access to /data/media. # This should be removed if sdcardfs is modified to alter the secontext for its @@ -271,6 +267,9 @@ allow dumpstate self:netlink_socket create_socket_perms_no_ioctl; # newer kernels (e.g. 4.4) have a new class for sockets allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl; +# Allow dumpstate to kill vendor dumpstate service by init +set_prop(dumpstate, ctl_dumpstate_prop) + ### ### neverallow rules ### diff --git a/prebuilts/api/28.0/public/file.te b/prebuilts/api/28.0/public/file.te index 156fce141519249a0ef180f6f7870de867ed0f4a..ccfec1529b3e43a70e37b88a79b643b22b1a2c20 100644 --- a/prebuilts/api/28.0/public/file.te +++ b/prebuilts/api/28.0/public/file.te 
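Review bot: `get_prop(dumpstate, property_type)` replaces five targeted grants with read access to every property type, and the commit pairs it with `-dumpstate` exemptions in the firstboot_prop neverallow (public/domain.te) and the netd_stable_secret_prop neverallow (public/netd.te), whose own comment says the RFC 7217 secret "should never be leaked to other processes". Unless a bugreport genuinely needs that secret, keep dumpstate out of the netd.te exemption and carve the type out of the grant, e.g. `get_prop(dumpstate, { property_type -netd_stable_secret_prop })` (type-set subtraction of this shape already appears in app_neverallows.te on this page). If the broad read is intended, the `# Read any system properties` comment should say explicitly that it includes netd_stable_secret_prop and that dumpstate must keep it out of the report, and the netd.te comment should be updated to match rather than contradicting the rule beneath it.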
@@ -108,6 +108,7 @@ type mqueue, fs_type; type fuse, sdcard_type, fs_type, mlstrustedobject; type sdcardfs, sdcard_type, fs_type, mlstrustedobject; type vfat, sdcard_type, fs_type, mlstrustedobject; +type exfat, sdcard_type, fs_type, mlstrustedobject; type debugfs, fs_type, debugfs_type; type debugfs_mmc, fs_type, debugfs_type; type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject; @@ -149,7 +150,9 @@ type vendor_framework_file, vendor_file_type, file_type; # Default type for everything in /vendor/overlay type vendor_overlay_file, vendor_file_type, file_type; -# /metadata subdirectories +# /metadata partition itself +type metadata_file, file_type; +# Vold files within /metadata type vold_metadata_file, file_type; # Speedup access for trusted applications to the runtime event tags @@ -224,6 +227,9 @@ type storage_file, file_type; type mnt_media_rw_stub_file, file_type; type storage_stub_file, file_type; +# Mount location for read-write vendor partitions. +type mnt_vendor_file, file_type; + # /postinstall: Mount point used by update_engine to run postinstall. type postinstall_mnt_dir, file_type; # Files inside the /postinstall mountpoint are all labeled as postinstall_file. diff --git a/prebuilts/api/28.0/public/hal_audiocontrol.te b/prebuilts/api/28.0/public/hal_audiocontrol.te new file mode 100644 index 0000000000000000000000000000000000000000..3e5a379f9734fdd8d8b743204d08445803b35e7e --- /dev/null +++ b/prebuilts/api/28.0/public/hal_audiocontrol.te @@ -0,0 +1,5 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_audiocontrol_client, hal_audiocontrol_server) +binder_call(hal_audiocontrol_server, hal_audiocontrol_client) + +add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice) diff --git a/prebuilts/api/28.0/public/hal_configstore.te b/prebuilts/api/28.0/public/hal_configstore.te index d5f2ef6fe440e7e8342ebd0703032b8efc4cc688..c8051e142f8f8e17439cc638ca7bc6f54b5107d1 100644 
--- a/prebuilts/api/28.0/public/hal_configstore.te +++ b/prebuilts/api/28.0/public/hal_configstore.te @@ -49,7 +49,14 @@ neverallow hal_configstore_server { }:{ file fifo_file sock_file } *; # Should never need sdcard access -neverallow hal_configstore_server { fuse sdcardfs vfat }:file *; +neverallow hal_configstore_server { + sdcard_type + fuse sdcardfs vfat exfat # manual expansion for completeness +}:dir ~getattr; +neverallow hal_configstore_server { + sdcard_type + fuse sdcardfs vfat exfat # manual expansion for completeness +}:file *; # Do not permit access to service_manager and vndservice_manager neverallow hal_configstore_server *:service_manager *; diff --git a/prebuilts/api/28.0/public/hal_evs.te b/prebuilts/api/28.0/public/hal_evs.te new file mode 100644 index 0000000000000000000000000000000000000000..710051eee7c5c109b215114708f4b6528b7af781 --- /dev/null +++ b/prebuilts/api/28.0/public/hal_evs.te @@ -0,0 +1,5 @@ +hwbinder_use(hal_evs_client) +hwbinder_use(hal_evs_server) +binder_call(hal_evs_client, hal_evs_server) +binder_call(hal_evs_server, hal_evs_client) + diff --git a/prebuilts/api/28.0/public/hal_telephony.te b/prebuilts/api/28.0/public/hal_telephony.te index 31859aa5179608b03c9d7687faf3b675a09e2a3f..5f8cc41ca10a3b1cba2db638ffce849b014a0933 100644 --- a/prebuilts/api/28.0/public/hal_telephony.te +++ b/prebuilts/api/28.0/public/hal_telephony.te @@ -21,7 +21,6 @@ allow hal_telephony_server efs_file:file create_file_perms; allow hal_telephony_server vendor_shell_exec:file rx_file_perms; allow hal_telephony_server bluetooth_efs_file:file r_file_perms; allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms; -allow hal_telephony_server sdcard_type:dir r_dir_perms; # property service set_prop(hal_telephony_server, radio_prop) diff --git a/prebuilts/api/28.0/public/hal_vehicle.te b/prebuilts/api/28.0/public/hal_vehicle.te new file mode 100644 index 0000000000000000000000000000000000000000..f49f5e678df8716763c22f6cf0e566c28478b94a --- /dev/null 
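Review bot: The new hal_evs.te grants `hwbinder_use` and `binder_call` in both directions but never calls `add_hwservice(hal_evs_server, hal_evs_hwservice)`, although this commit declares `hal_evs_hwservice` in public/hwservice.te and maps `android.hardware.automotive.evs::IEvsEnumerator` to it in hwservice_contexts; the sibling files added here, hal_audiocontrol.te and hal_vehicle.te, do include the `add_hwservice` line. Unless registration is granted elsewhere, an EVS server will be denied when it registers its service, so add `add_hwservice(hal_evs_server, hal_evs_hwservice)` and drop the trailing blank line the file ends with. Conversely the two sibling files lack the `hwbinder_use` lines hal_evs.te has; if those come through the hal attributes that is fine, but the three new files should follow one pattern.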
+++ b/prebuilts/api/28.0/public/hal_vehicle.te @@ -0,0 +1,5 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_vehicle_client, hal_vehicle_server) +binder_call(hal_vehicle_server, hal_vehicle_client) + +add_hwservice(hal_vehicle_server, hal_vehicle_hwservice) diff --git a/prebuilts/api/28.0/public/hwservice.te b/prebuilts/api/28.0/public/hwservice.te index ca2025870c4efc96d81aca9f35f59fe992017ed8..5fba86ac302d9cac9cb4420751d788ce3df7e4e0 100644 --- a/prebuilts/api/28.0/public/hwservice.te +++ b/prebuilts/api/28.0/public/hwservice.te @@ -2,6 +2,7 @@ type default_android_hwservice, hwservice_manager_type; type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice; type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice; type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice; +type hal_audiocontrol_hwservice, hwservice_manager_type; type hal_audio_hwservice, hwservice_manager_type; type hal_authsecret_hwservice, hwservice_manager_type; type hal_bluetooth_hwservice, hwservice_manager_type; @@ -15,6 +16,7 @@ type hal_contexthub_hwservice, hwservice_manager_type; type hal_drm_hwservice, hwservice_manager_type; type hal_cas_hwservice, hwservice_manager_type; type hal_dumpstate_hwservice, hwservice_manager_type; +type hal_evs_hwservice, hwservice_manager_type; type hal_fingerprint_hwservice, hwservice_manager_type; type hal_gatekeeper_hwservice, hwservice_manager_type; type hal_gnss_hwservice, hwservice_manager_type; @@ -42,6 +44,7 @@ type hal_tv_cec_hwservice, hwservice_manager_type; type hal_tv_input_hwservice, hwservice_manager_type; type hal_usb_hwservice, hwservice_manager_type; type hal_usb_gadget_hwservice, hwservice_manager_type; +type hal_vehicle_hwservice, hwservice_manager_type; type hal_vibrator_hwservice, hwservice_manager_type; type hal_vr_hwservice, hwservice_manager_type; type hal_weaver_hwservice, hwservice_manager_type; 
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te index c34e02842d367d7d4b1b94772c35b73bfe4f7a59..735524e0c327097648a9bebf50eb6e36b8f38f72 100644 --- a/prebuilts/api/28.0/public/init.te +++ b/prebuilts/api/28.0/public/init.te @@ -98,6 +98,9 @@ allow init configfs:dir mounton; allow init configfs:dir create_dir_perms; allow init configfs:{ file lnk_file } create_file_perms; +# /metadata +allow init metadata_file:dir mounton; + # Use tmpfs as /data, used for booting when /data is encrypted allow init tmpfs:dir relabelfrom; diff --git a/prebuilts/api/28.0/public/keystore.te b/prebuilts/api/28.0/public/keystore.te index ee5e6757456e4c9316d76316e0e8e1e2b4ba5cd0..49355bd952c64ea46ece62f579338f9f4b386954 100644 --- a/prebuilts/api/28.0/public/keystore.te +++ b/prebuilts/api/28.0/public/keystore.te @@ -13,6 +13,7 @@ allow keystore keystore_exec:file { getattr }; add_service(keystore, keystore_service) allow keystore sec_key_att_app_id_provider_service:service_manager find; +allow keystore dropbox_service:service_manager find; # Check SELinux permissions. selinux_check_access(keystore) diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te index 5b6a7084bfa9839aa9f5a59b49d45feb88b74270..472946ece09291baa6b87e8afc086308a5e97e18 100644 --- a/prebuilts/api/28.0/public/lmkd.te +++ b/prebuilts/api/28.0/public/lmkd.te @@ -43,6 +43,9 @@ allow lmkd domain:file { open read }; # reboot because orderly shutdown may not be possible. allow lmkd proc_sysrq:file rw_file_perms; +# Read /proc/meminfo +allow lmkd proc_meminfo:file r_file_perms; + ### neverallow rules # never honor LD_PRELOAD diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te index 0e9e08ca7f0772f62d97d17a0a87b9e8d7ecb082..18113e75662d686d79a4982211a5853b4288f70d 100644 --- a/prebuilts/api/28.0/public/netd.te +++ b/prebuilts/api/28.0/public/netd.te 
@@ -141,7 +141,7 @@ neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call; # persist.netd.stable_secret contains RFC 7217 secret key which should never be # leaked to other processes. Make sure it never leaks. -neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms; +neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms; # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret, # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy. diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te index f757936d7b669c1cbfb5546f9a948fa1e34cb9b6..5dd88dccbaafab4e0ae7790dbecba7eceade9ead 100644 --- a/prebuilts/api/28.0/public/property.te +++ b/prebuilts/api/28.0/public/property.te @@ -51,9 +51,11 @@ type shell_prop, property_type, core_property_type; type system_boot_reason_prop, property_type; type system_prop, property_type, core_property_type; type system_radio_prop, property_type, core_property_type; +type traced_enabled_prop, property_type; type vold_prop, property_type, core_property_type; type wifi_log_prop, property_type, log_property_type; type wifi_prop, property_type; +type vendor_security_patch_level_prop, property_type; # Properties for whitelisting type exported_bluetooth_prop, property_type; @@ -154,7 +156,6 @@ compatible_property_only(` -coredomain -appdomain -hal_nfc_server - -vendor_init } { nfc_prop }:property_service set; 
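Review bot: Exempting `-dumpstate` from the `netd_stable_secret_prop` read neverallow contradicts the comment immediately above it, which says the RFC 7217 secret "should never be leaked to other processes" and asks to "make sure it never leaks". The neverallow change grants nothing by itself, but it removes the build-time guard that would reject an `allow dumpstate netd_stable_secret_prop:file r_file_perms` rule, and dumpstate's job is to collect system state into bugreports that are shared widely. The comment should record the intent and the remaining control, e.g. `# dumpstate is exempted only so its broad property read does not trip the neverallow; the secret must still be filtered from bugreport output` (adjust to whatever the dumpstate side actually does). If dumpstate never needs the value, a narrower fix is to keep the neverallow intact and exclude this property from dumpstate's property dump instead.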
@@ -167,11 +168,57 @@ compatible_property_only(` -vendor_init } { exported_radio_prop - exported2_radio_prop exported3_radio_prop + }:property_service set; + + neverallow { + domain + -coredomain + -appdomain + -hal_telephony_server + } { + exported2_radio_prop radio_prop }:property_service set; + neverallow { + domain + -coredomain + -bluetooth + -hal_bluetooth + } { + bluetooth_prop + }:property_service set; + + neverallow { + domain + -coredomain + -bluetooth + -hal_bluetooth + -vendor_init + } { + exported_bluetooth_prop + }:property_service set; + + neverallow { + domain + -coredomain + -hal_wifi + -wificond + } { + wifi_prop + }:property_service set; + + neverallow { + domain + -coredomain + -hal_wifi + -wificond + -vendor_init + } { + exported_wifi_prop + }:property_service set; + # Prevent properties from being read neverallow { domain @@ -200,7 +247,6 @@ compatible_property_only(` -coredomain -appdomain -hal_nfc_server - -vendor_init } { nfc_prop }:file no_rw_file_perms; @@ -210,8 +256,25 @@ compatible_property_only(` -coredomain -appdomain -hal_telephony_server - -vendor_init } { radio_prop }:file no_rw_file_perms; + + neverallow { + domain + -coredomain + -bluetooth + -hal_bluetooth + } { + bluetooth_prop + }:file no_rw_file_perms; + + neverallow { + domain + -coredomain + -hal_wifi + -wificond + } { + wifi_prop + }:file no_rw_file_perms; ') diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts index 0156a47bb02d6a2ed4677eb597150fd882185461..c644181d1f5837c4d4bd13634fce35463bdb5aa7 100644 --- a/prebuilts/api/28.0/public/property_contexts +++ b/prebuilts/api/28.0/public/property_contexts 
@@ -63,7 +63,7 @@ drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
 keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
 media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
 persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
 persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
 persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
@@ -71,14 +71,14 @@ persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
 persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
-persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact bool
-persist.vendor.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
 ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
@@ -107,6 +107,7 @@ ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te index 5e2745be4fecc556cead8337fad006378e17ef75..2c6ce4430d6e7066a2b5f31625871eb5036dae68 100644 --- a/prebuilts/api/28.0/public/shell.te +++ b/prebuilts/api/28.0/public/shell.te @@ -66,6 +66,9 @@ set_prop(shell, debug_prop) set_prop(shell, powerctl_prop) set_prop(shell, log_tag_prop) set_prop(shell, wifi_log_prop) +# Allow shell to start/stop traced via the persist.traced.enable +# property (which also takes care of /data/misc initialization). +set_prop(shell, traced_enabled_prop) # adjust is_loggable properties userdebug_or_eng(`set_prop(shell, log_prop)') # logpersist script @@ -81,6 +84,9 @@ userdebug_or_eng(` # Read device's serial number from system properties get_prop(shell, serialno_prop) +# Allow shell to read the vendor security patch level for CTS +get_prop(shell, vendor_security_patch_level_prop) + # Read state of logging-related properties get_prop(shell, device_logging_prop) diff --git a/prebuilts/api/28.0/public/tombstoned.te b/prebuilts/api/28.0/public/tombstoned.te index cf3ddcba9b8dda8e37449f98793f097efb48d516..1dfcf504f081cf2e14587a3197f71ba9bd5d55b4 100644 --- a/prebuilts/api/28.0/public/tombstoned.te +++ b/prebuilts/api/28.0/public/tombstoned.te @@ -19,4 +19,4 @@ auditallow tombstoned anr_data_file:file { append write }; # Changes for the new stack dumping mechanism. Each trace goes into a # separate file, and these files are managed by tombstoned. allow tombstoned anr_data_file:dir rw_dir_perms; -allow tombstoned anr_data_file:file { getattr open create }; +allow tombstoned anr_data_file:file { create getattr open unlink }; diff --git a/prebuilts/api/28.0/public/traced_probes.te b/prebuilts/api/28.0/public/traced_probes.te index e77c811662278336ff1471be5a1fc58f05df0e9a..3e587c8efb8210d50a822854d939ae5a5cf7112d 100644 --- a/prebuilts/api/28.0/public/traced_probes.te +++ b/prebuilts/api/28.0/public/traced_probes.te 
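Review bot: `set_prop(shell, traced_enabled_prop)` in the first shell.te hunk is unconditional, while the `log_prop` grant two lines below it is wrapped in `userdebug_or_eng(`...')`; the new comment names the property `persist.traced.enable` and says it starts the daemon and initialises /data/misc, so on a user build any adb shell can persistently turn tracing on. If production tracing from shell is intended, the comment should say so explicitly; if this is a debug-only facility, gate it the same way as its neighbour: `userdebug_or_eng(`set_prop(shell, traced_enabled_prop)')`. Either way the comment should state who is expected to clear the property, since a persist.* value survives reboots.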
@@ -1 +1 @@ -type traced_probes, domain, coredomain; +type traced_probes, domain, coredomain, mlstrustedsubject; diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te index 0237861a949ce133d04013280a9963e9c0df11ee..d079873252583e0c820de9920a8ef1a8106f3d0f 100644 --- a/prebuilts/api/28.0/public/vendor_init.te +++ b/prebuilts/api/28.0/public/vendor_init.te @@ -34,6 +34,12 @@ allow vendor_init self:global_capability_class_set dac_override; # we just allow all file types except /system files here. allow vendor_init self:global_capability_class_set { chown fowner fsetid }; +# mkdir with FBE requires reading /data/unencrypted/{ref,mode}. +allow vendor_init unencrypted_data_file:dir search; +allow vendor_init unencrypted_data_file:file r_file_perms; + +allow vendor_init system_data_file:dir getattr; + allow vendor_init { file_type -core_data_file_type @@ -146,6 +152,9 @@ allow vendor_init serialno_prop:file { getattr open read }; # Vendor init can perform operations on trusted and security Extended Attributes allow vendor_init self:global_capability_class_set sys_admin; +# Raw writes to misc block device +allow vendor_init misc_block_device:blk_file w_file_perms; + not_compatible_property(` set_prop(vendor_init, { property_type @@ -181,6 +190,7 @@ set_prop(vendor_init, log_tag_prop) set_prop(vendor_init, log_prop) set_prop(vendor_init, serialno_prop) set_prop(vendor_init, vendor_default_prop) +set_prop(vendor_init, vendor_security_patch_level_prop) set_prop(vendor_init, wifi_log_prop) get_prop(vendor_init, exported2_radio_prop) diff --git a/prebuilts/api/28.0/public/vold.te b/prebuilts/api/28.0/public/vold.te index 95847cf648c8ad64d7f3537884a71431f4f7eb13..0b0c7663b641ed10a44c26226f22e3c5476c1dd4 100644 --- a/prebuilts/api/28.0/public/vold.te +++ b/prebuilts/api/28.0/public/vold.te 
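Review bot: Adding `mlstrustedsubject` to the traced_probes type declaration comes with no comment, and that attribute is what exempts a domain from the MLS constraints that keep per-user, category-labelled app data apart. The one-line file gives no hint which cross-level objects traced_probes needs; presumably per-app /proc entries or files for every user, but that is not visible here. Record the reason next to the declaration, e.g. `# mlstrustedsubject: traced_probes reads per-user app state across MLS categories (TODO: name the objects)`, and consider whether a dedicated type on those objects would avoid a blanket bypass.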
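Review bot: `allow vendor_init misc_block_device:blk_file w_file_perms;` gives vendor init scripts raw write access to the misc partition, and the accompanying comment `# Raw writes to misc block device` restates the rule without saying which vendor use case needs it. The misc partition typically carries the bootloader control block that selects recovery/fastboot and slot state, so raw writes from arbitrary vendor init actions are a strong capability next to the targeted grants elsewhere in this file. The comment should name the expected writer and data, e.g. `# Raw writes to misc block device: vendor init writes <what> to the misc partition -- confirm BCB area is not touched`, and if only one vendor daemon needs this, moving the grant to that domain keeps vendor_init narrower. The `allow vendor_init { file_type -core_data_file_type` block in the earlier hunk is cut off by the hunk boundary, so its full scope is not visible here.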
@@ -17,6 +17,7 @@ allow vold sysfs_usb:file w_file_perms; allow vold sysfs_zram_uevent:file w_file_perms; r_dir_file(vold, rootfs) +r_dir_file(vold, metadata_file) allow vold { proc # b/67049235 processes /proc/<pid>/* files are mislabeled. proc_cmdline