
Android SEAndroid Permission Problems Guide

Android SELinux development multi-scenario practical guide, series index:

Android SELinux Development Primer: SELinux Basics

Android SEAndroid Permission Problems Guide

Android SELinux Development Primer: How to Add Java Binder Service Permissions

Android SELinux Development Primer: The Universal Rule for Resolving Permissions

Android SELinux Development Primer: How to Add Native Binder Service Permissions

Android SELinux Development Primer: The Right Way to Resolve data Directory Access Permissions

The Right Way to Disable Android SELinux Temporarily and Permanently

Preface

    SEAndroid is the mandatory access control model introduced into Android on top of SELinux. It remedies the weakness of the discretionary access model, where a process that obtains root can do anything it likes.

    SELinux is a mandatory access control (MAC) security system based on the domain-type model. Its principle is that any process wanting to do anything on a SELinux system must first be granted that permission in the security policy configuration; a process has no permission for any operation that is not configured in the policy. Before SELinux, the Linux security model was DAC (Discretionary Access Control). Its core idea is that a process in theory holds the same permissions as the user who runs it: a shell started as root has root's permissions and can do anything on the system. This kind of management is obviously loose. In SELinux, when a resource is accessed the system first performs the DAC check; if that fails the access fails; only then is the MAC permission check performed.

1. SELinux concepts

1.1. SEAndroid app classification and related topics

SELinux (or SEAndroid) divides apps into three main types (depending on the user there are other domain types as well):

1. untrusted_app     third-party apps, no Android platform signature, no system permission

2. platform_app      Android platform signature, no system permission

3. system_app        Android platform signature and system permission

4. untrusted_app_25  third-party apps, no Android platform signature, no system permission; its policy file is described as: This file defines the rules for untrusted apps running with targetSdkVersion <= 25.

From this division, the privilege levels are in theory ordered untrusted_app < platform_app < system_app.

property_contexts (system properties) mainly describes the labelling of system properties.

1.2. The seapp_contexts definition

The data file system/sepolicy/seapp_contexts:

isSystemServer=true domain=system_server
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
           

From the above, domain and type are determined by the two parameters user and seinfo.

For example:

user=system with seinfo=platform gives the domain system_app.

user=_app can be either untrusted_app or platform_app; if seinfo=platform, it is platform_app.

1.3. How user and seinfo are determined

First, user: user can be understood as the UID. For example, ps -Z gives:

u:r:system_app:s0              system    2414  1172  com.android.keychain
u:r:platform_app:s0            u0_a6     2439  1172  com.android.managedprovisioning
u:r:untrusted_app:s0           u0_a8     2460  1172  com.android.onetimeinitializer
u:r:system_app:s0              system    2480  1172  com.android.tv.settings
u:r:untrusted_app:s0           u0_a27    2504  1172  com.android.email
u:r:untrusted_app:s0           u0_a28    2523  1172  com.android.exchange
u:r:untrusted_app:s0           u0_a7     2567  1172  com.android.musicfx
           

The first column is the security context (SContext) and the second is the UID. Anything whose UID is system is basically system_app, and vice versa.

The other u0_aXX entries belong to either platform_app or untrusted_app.

seinfo is determined by external\sepolicy\mac_permissions.xml, which contains:

    <!-- Platform dev key in AOSP -->
    <signer signature="@PLATFORM" >
      <seinfo value="platform" />
    </signer>


    <!-- All other keys -->

    <default>
      <seinfo value="default" />
    </default>
           

That is, if the signing key is platform, seinfo is platform; for the others, such as shared, seinfo is default.

For example, in the ps -Z output above, OneTimeInitializer.apk is untrusted_app and ManagedProvisioning.apk is platform_app.

Look at the Android.mk of each app:

packages\apps\OneTimeInitializer\Android.mk does not define LOCAL_CERTIFICATE, so the default is shared

packages\apps\ManagedProvisioning\Android.mk defines LOCAL_CERTIFICATE := platform

Because ManagedProvisioning.apk carries the platform signature, its seinfo is platform.
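The user/seinfo matching described in sections 1.2 and 1.3, as an added example (not code from the page or from AOSP): it loads the seapp_contexts entries quoted above, derives the user selector from the ps -Z user column, and picks the most specific matching entry. The best-match rule (every listed input selector must match, most specific entry wins) and the per-package seinfo values are assumptions.

```python
"""Resolve an app process's SELinux domain and data-file type from seapp_contexts."""
import re

# The seapp_contexts entries quoted on the page (system/sepolicy/seapp_contexts).
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system_server
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
"""

OUTPUT_KEYS = ("domain", "type", "levelFrom")


def parse_seapp_contexts(text):
    """Each non-comment line is a set of key=value input selectors and outputs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def user_selector(username):
    """ps -Z user column -> seapp_contexts 'user' selector: u0_a6 -> _app, u0_i3 -> _isolated."""
    if re.fullmatch(r"u\d+_a\d+", username):
        return "_app"
    if re.fullmatch(r"u\d+_i\d+", username):
        return "_isolated"
    return username


def resolve(entries, username, seinfo="default", is_system_server=False):
    """Return {domain, type, levelFrom} of the most specific matching entry, or None."""
    wanted = {"isSystemServer": "true" if is_system_server else "false",
              "user": user_selector(username), "seinfo": seinfo}
    best, best_score = None, -1
    for entry in entries:
        # Assumption: isSystemServer defaults to false for entries that do not list it.
        selectors = {"isSystemServer": entry.get("isSystemServer", "false")}
        selectors.update((k, entry[k]) for k in ("user", "seinfo") if k in entry)
        if any(wanted[k] != v for k, v in selectors.items()):
            continue
        score = len(selectors)          # more selectors listed = more specific entry
        if score > best_score:
            best, best_score = entry, score
    return None if best is None else {k: best.get(k) for k in OUTPUT_KEYS}


ENTRIES = parse_seapp_contexts(SEAPP_CONTEXTS)

# Three of the ps -Z lines quoted on the page.
PS_Z = """\
u:r:system_app:s0              system    2414  1172  com.android.keychain
u:r:platform_app:s0            u0_a6     2439  1172  com.android.managedprovisioning
u:r:untrusted_app:s0           u0_a8     2460  1172  com.android.onetimeinitializer
"""

# Assumed seinfo per package (from the signing key; ManagedProvisioning is
# platform-signed per the page, OneTimeInitializer is not, KeyChain is assumed platform).
SEINFO = {"com.android.keychain": "platform",
          "com.android.managedprovisioning": "platform",
          "com.android.onetimeinitializer": "default"}


def check_ps(ps_text, seinfo_by_pkg):
    """Compare the domain ps -Z shows with the one seapp_contexts predicts for each package."""
    results = []
    for line in ps_text.splitlines():
        ctx, user, _pid, _ppid, pkg = line.split()
        observed = ctx.split(":")[2]    # u:r:<domain>:s0 -> domain
        r = resolve(ENTRIES, user, seinfo_by_pkg.get(pkg, "default"))
        results.append((pkg, observed, r["domain"] if r else None))
    return results
```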

1.4. RBAC and constrain

As seen earlier, .te files contain allow, type and similar statements. These are TEAC (type enforcement access control) and form the core of SELinux MAC.

On top of TEAC, SELinux also has a role-based security policy, RBAC (role based access control).

e.g.

constrain file write (u1 == u2 and r1 == r2)

This statement means that writing a file is allowed only when the source and target have the same user and the same role.

1.5. The mlsconstrain statement

1.5.1. MLS constraints

SELinux supports two MLS constraint statements: mlsconstrain and mlsvalidatetrans. Together they let us specify optional MLS access-enforcement rules. Apart from allowing you to express constraints on the security levels of a security context, these two statements are equivalent to their non-MLS counterparts. MLS constraints can only be used in a policy with the MLS feature enabled; the non-MLS constraint statements can be used in any policy type.

1.5.2. The mlsconstrain statement

The mlsconstrain statement is built on the constrain statement, and all of the syntax of the constrain statement discussed in Chapter 7, "Constraints", can be used. To describe constraints based on the low and high security levels of the source (l1 and h1) and the target (l2 and h2), mlsconstrain adds new keywords. The complete syntax is:

mlsconstrain statement syntax

The mlsconstrain statement lets you restrict specified permissions on particular object classes by defining constraints on the relationship between the source and target security contexts, which here include the MLS attributes (the high and low security levels). The complete syntax is:

mlsconstrain class_set perm_set expression;

class_set      One or more object classes. Multiple classes are separated by spaces and enclosed in a pair of braces, e.g. {file lnk_file}. In this statement the class set does not accept the special operators *, ~ and -.

perm_set       One or more permissions. Every permission must be valid for all object classes in the class set. Multiple permissions are separated by spaces and enclosed in a pair of braces, e.g. {read create}. The permission set does not accept the special operators *, ~ and - either.

expression     A boolean expression.

The boolean expression syntax supports the following keywords:

t1, r1, u1, l1, h1      source type, source role, source user, source low level and source high level respectively.

t2, r2, u2, l2, h2      target type, target role, target user, target low level and target high level respectively.

The constraint expression syntax also supports the following special operators:

==      is a member of, or equals.

!=      is not a member of, or does not equal.

eq      (roles and security levels only) equals.

dom     (roles and security levels only) dominates.

domby   (roles and security levels only) is dominated by.

incomp  (roles and security levels only) incomparable.

The full semantics of these operators and the arguments they accept are given in Table 8-1, which is derived from Table 7-1.

The mlsconstrain statement is only supported in non-enforcing MLS policies.

The mlsconstrain statement is valid only in monolithic policies and base loadable modules; it is not valid in conditional statements or non-base loadable modules.

To illustrate mlsconstrain, consider an example that applies MLS to ordinary filesystem objects. For simplicity we assume that a file object has a single security level, that is, its high and low levels are the same. We can implement this with a constraint like the following:

mlsconstrain file { create relabelto } ( l2 eq h2 );

Assuming create and relabelto are the file permissions needed to set a file object's security level, this constraint is enough to require that every file's high security level equals its low level. Next we look at the more central MLS policy constraint. Recall the basic MLS premise from Chapter 2: prevent information from flowing from a higher security level to a lower or incomparable one. We implement this by enforcing a "cannot write where you cannot read" rule on all objects. In SELinux the low security level normally represents the current level of a process or object, so for files we use the following MLS constraint:

mlsconstrain file write ( l1 domby l2 );

In this statement we constrain the write permission on the file object class and require the object's security level (l2) to dominate the source's security level (l1); in other words, a process can only write files at its current security level. Unfortunately this constraint is too simple to make the MLS policy effective for file objects. First, consider the file class permissions: besides write there are many permissions that allow writing information to a file, such as append (which writes at the end of the file) and rename. To be thorough we must extend the constraint to cover all "write-capable" file permissions:

mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton }
    ( l1 domby l2 );

This statement lists, besides write, a series of permissions that all write information to the object in some form; the constraint expression stays the same. The statement is still fairly simple. We need to identify where the trusted domain types are and give them special permission to bypass the "no write" rule. Even though you should avoid such trusted domains, in practice almost every MLS system application uses them, so to accommodate this we extend the constraints to accept the trusted domains.

To implement these trusted write-down domains we create a type attribute, called mlsfilewritedown, that identifies all the trusted domains. Our constraint now becomes:

mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton }
    ( ( l1 domby l2 ) or
      ( t1 == mlsfilewritedown ) );

This constraint allows one exception: any source domain (t1) carrying the attribute mlsfilewritedown, which is what we call the trusted domains. For a complete MLS policy we also need to restrict read access. As with write, besides read there are many permissions that grant "read" access; execute, for example, certainly lets a process read the contents of the executable. Here is an MLS read constraint for file objects:

mlsconstrain file { read getattr execute }
    ( ( l1 dom l2 ) or
      ( t1 == mlsfilereadup ) );

This constraint grants read privilege to domain types carrying the mlsfilereadup attribute. When writing a complete MLS policy you must review every object class and its permissions to make sure reads and writes are constrained correctly. As in the read constraint above, we may want to cover all filesystem object classes in a single statement:

mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file }
    { read getattr execute }
    ( ( l1 dom l2 ) or
      ( t1 == mlsfilereadup ) );

對于一個給定的SELinux政策,你會發現MLS限制通常是在一個源政策檔案中的,一般都叫做mls,除了這一章外,我們不打算過多地談及SELinux的MLS特性,如果你對這方面的東西感興趣,你可以直接打開這個檔案研究研究。

表8-1. Mlsconstrain表達式接受的參數對應的語義含義(參考表7-1)

操作符 左邊 右邊 語義含義
== l1 l2,H1,H2 源的低安全級别(目前安全級别)等于目标的低安全級别l2,源的高安全級别(H1)或目标的高安全級别(H2)
l2 h2 目标的低安全(目前)級别等于目标的高安全級别
h1 l2,h2 源的高安全級别等于目标的低安全級别或高安全級别
!= l1 l2, h1, H2 源的低安全(目前)級别不等于目标的低安全級别l2,源的高安全級别(H1)或目标的高安全級别(H2)
l2 H2 目标的低安全(目前)級别不等于目标的高安全級别
h1 l2,h2 源的高安全級别不等于目标的低安全級别或高安全級别
eq l1 l2, H1, H2 和==的語義完全一樣
l2 h2 和==的語義完全一樣
h1 l2,h2 和==的語義完全一樣
dom l1 l2, H1, H2 源的低安全級别(目前安全級别)優先于目标的低安全級别l2,源的高安全級别(H1)或目标的高安全級别(H2)
l2 h2 目标的低安全(目前)級别優先于目标的高安全級别
h1 l2,h2 源的高安全級别優先于目标的低安全級别或高安全級别
domby l1 l2, H1, H2 目标的低安全級别(目前安全級别)優先于源的低安全級别l2,源的高安全級别(H1)或目标的高安全級别(H2)
l2 h2 目标的高安全級别優先于目标的低(目前)安全級别
h1 l2,h2 目标的低安全級别或高安全級别優先于源的高安全級别
incomp l1 l2, H1, H2 源的低安全級别(目前安全級别)與目标的低安全級别l2,源的高安全級别(H1)或目标的高安全級别(H2)不可比
l2 h2 目标的低安全(目前)級别與目标的高安全級别不可比
h1 l2,h2 目标的低安全級别或高安全級别與源的高安全級别不可比

1.6. Tips

When writing allow statements, the following shortcuts simplify the rules:

"~" means everything except what follows the "~";

"-" removes an item from a set;

"*" means everything.

1.7. SELinux policy construction and customization

In Android 8.0, SELinux policy is split into a platform part and a non-platform part. The platform policy, in order to export specific types and attributes to non-platform authors, is further divided into a platform private and a platform public part.

1.7.1. Platform public policy (platform public sepolicy)

Platform public policy is defined entirely under /system/sepolicy/public. Types and attributes under public can be used by non-platform policy; that is, a device manufacturer's sepolicy authors can extend the platform public policy from the non-platform side.

1.7.2. Platform private policy (platform private sepolicy)

Conversely, types or attributes declared in private policy are invisible to non-platform policy authors. This is somewhat confusing, so here is an example, using the file atrace.te under /system/sepolicy/private/ in the Android 8.0 AOSP source:

  1. /system/sepolicy/private/file_contexts in 8.0 AOSP defines "/system/bin/atrace    u:object_r:atrace_exec:s0"
  2. /system/sepolicy/private/atrace.te then defines the atrace-related rules;
  3. We add a new atrace.te under device/qcom/sepolicy/common and add the rule "allow atrace sdcardfs:file read;"

When we run make, the build fails at validation with "device/qcom/sepolicy/common/atrace.te:2:ERROR 'unknown type atrace' at token ';' on line 23355". In other words, the types and attributes in private policy are not visible to us.

1.7.3. Platform private mapping

Mapping mainly targets older versions and is rarely used, so it is not covered here.

2. Practical case analysis

Since Android 5.x a very strict SELinux permission mechanism has been in place, and we frequently run into all sorts of avc denied problems caused by SELinux permissions.

This article uses concrete cases to explain how to resolve 90% of permission problems quickly from the log.

When a permission problem occurs, an avc denied message saying which permission is missing will always be printed in logcat or in the kernel log.

Command:
cat /proc/kmsg | grep avc     or     dmesg | grep avc

The principle is: add whatever is missing, step by step, until no avc denied remains.

A few concrete cases follow:

2.1. Case 1

Analysis:

Missing permission:        { write }

Who lacks it:              scontext=u:r:kernel:s0

On which file:             tcontext=u:object_r:block_device

File class:                tclass=blk_file

Fix: in kernel.te

allow kernel block_device:blk_file write;

2.2. Case 2

Fix: in platform_app.te

allow platform_app app_data_file:file execute;

2.3. Case 3

Fix: in engsetmacaddr.te

allow engsetmacaddr vfat:dir { search write add_name create };   or

allow engsetmacaddr vfat:dir create_dir_perms;

2.4. Case 4

Fix: in sdcardd.te

allow sdcardd system_data_file:dir read;   or

allow sdcardd system_data_file:dir rw_dir_perms;

(rw_dir_perms includes read and write; see the definitions in external/sepolicy/global_macros)

From these four cases we can derive a general rule.

Taking the fourth case as an example: allow some scontext to have some permission on some tcontext.

Rearranging the log:

scontext=u:r:sdcardd

tcontext=u:object_r:system_data_file:s0

tclass=dir

avc: denied { read }

gives the universal formula:

In the .te file of the domain named by scontext, add something like:

allow <scontext domain> <tcontext type>:<tclass> { <denied permission> };

The .te files above all live under external/sepolicy/ or device/softwinner/xxxx-commm/sepolicy/, and boot.img must be reflashed after modifying them. (Important: on Android 7 and Android 8 the .te files are under system/sepolicy or device/softwinner/xxxx-commm/sepolicy/, which needs attention, and in that case system.img or vendor.img must be flashed.)
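The universal formula above, as an added example that is not part of the original page: a small Python generator that reads avc denied lines in the format shown in this article, merges the denied permissions of each scontext/tcontext/tclass triple into one allow rule, and flags target types for which later sections of this article say a plain allow is not the right fix. The log lines are constructed from the ones quoted on the page.

```python
"""Derive candidate allow rules from avc denied log lines."""
import re
from collections import defaultdict

# Matches both the logcat form ("E SELinux : avc:  denied  { add } for service=...")
# and the kernel/audit form ("type=1400 avc: denied { read } for pid=...").
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?")

# Target types for which this article's later sections say a bare allow is the
# wrong fix: the object needs its own type/label first.
NEEDS_OWN_TYPE = {
    "default_android_service": "label the service in service_contexts with its own service type (section 3)",
    "system_data_file": "protected by neverallow; create a dedicated data_file_type and relabel (section 4.4)",
    "unlabeled": "label the filesystem (genfscon) rather than opening up every unlabeled file (section 4.6)",
}


def context_type(ctx):
    """u:r:sdcardd:s0 -> sdcardd; u:object_r:x:s0:c512,c768 -> x (the third field is the type)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return the denial's source domain, target type, class, permissions and mode, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "source": context_type(m.group("sctx")),
        "target": context_type(m.group("tctx")),
        "tclass": m.group("tclass"),
        "perms": frozenset(m.group("perms").split()),
        "enforcing": m.group("permissive") != "1",   # permissive=0 means the denial was enforced
    }


def generate_rules(log_lines):
    """Return (rules, notes): one merged allow rule per triple, plus warnings from NEEDS_OWN_TYPE."""
    merged = defaultdict(set)
    for line in log_lines:
        d = parse_avc(line)
        if d:
            # Successive denials for the same triple (read, then write, ...) collapse into one rule.
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules, notes = [], []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
        if tgt in NEEDS_OWN_TYPE:
            notes.append(f"{src} -> {tgt}: {NEEDS_OWN_TYPE[tgt]}")
    return rules, notes


# Constructed sample log, modelled on the lines quoted in this article.
LOG = """\
01-02 10:01:37.598   217   217 E SELinux : avc:  denied  { add } for service=XxxSystemUtil pid=4311 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:XxxSystemUtil_service:s0 tclass=service_manager permissive=0
type=1400 audit(0.0:12): avc: denied { read } for pid=1234 comm="sdcardd" name="data" dev="mmcblk0p2" ino=2 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
type=1400 audit(0.0:13): avc: denied { write } for pid=1234 comm="sdcardd" name="data" dev="mmcblk0p2" ino=2 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
type=1400 avc: denied { connectto } for pid=6884 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket permissive=0
"""

if __name__ == "__main__":
    rules, notes = generate_rules(LOG.splitlines())
    print("\n".join(rules))
    print("\n".join("# NOTE " + n for n in notes))
```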

Additional notes:

1. Sometimes the avc denied log does not show all problems at once; only after you fix one permission problem does it report the next. For example it reports a missing read permission on a directory; after you add read it reports a missing write permission, so you have to try and add again and again. In that case you can simply write rw_dir_perms, which includes many permissions such as {open search write ...}. See external/sepolicy/global_macros for more permission declarations (the corresponding file on Android 7 and Android 8 is external/sepolicy/global_macros, if it is defined);

2. When many permissions need to be added, use braces, for example

allow engsetmacaddr vfat:dir { search write add_name create };

3. If you are not sure whether a problem is caused by SELinux, first run setenforce 0 in adb shell to disable SELinux enforcement and see whether the problem still occurs. This clarifies whether the problem is not SELinux-related.

2.5. Afterword

There is an open-source tool, audit2allow. I have not used it myself; the procedure found online is as follows. For resolving this class of permission problem the usual approach is to add whatever is missing; first, the simplified method:

Simplified method:

1. Extract all avc logs, e.g. adb shell "cat /proc/kmsg | grep avc" > avc_log.txt

2. Use the audit2allow tool to generate policy directly: audit2allow -i avc_log.txt outputs the generated policy.

Still, it is better not to use this tool and to write the policy by hand, because the tool only performs a mechanical conversion that does not necessarily fit the actual requirement.

3. Special case analysis

3.1. Adding a native service to the Android system

Take E/SELinux (  261): avc:  denied  { add } for service=XxxApiService scontext=u:r:init:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager as the example. This error is caused by adding a native service to ServiceManager without configuring SELinux permissions for it. Since SELinux is currently enabled on the Spreadtrum platform, the Spreadtrum platform is used for the explanation. The steps are:

1. Edit device/sprd/sharkle/common/plat_sepolicy/private/service_contexts and append:

#add for XxxApiService
XxxApiService                     u:object_r:XxxApiService_service:s0

2. Edit device/sprd/sharkle/common/plat_sepolicy/public/service.te and append:

#type for XxxApiService
type XxxApiService_service, service_manager_type;

3. Edit device/sprd/sharkle/common/sepolicy/system_server.te and append:

#add for XxxApiService
allow system_server XxxApiService_service:service_manager { add find };

4. Edit device/sprd/sharkle/common/sepolicy/platform_app.te and append:

#add for XxxApiService
allow platform_app XxxApiService_service:service_manager { find };

5. Finally, add further rules according to whatever avc errors are reported during use.

3.2. Adding a Java-layer service to the Android system

Take E/SELinux (  261): avc:  denied  { add } for service=XxxSystemUtil scontext=u:r:system_app:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager as the example. This error is caused by adding the service to ServiceManager without configuring SELinux permissions for it. Since SELinux is currently enabled on the Spreadtrum platform, the Spreadtrum platform is used for the explanation. The steps are:

1. Edit device/sprd/sharkle/common/plat_sepolicy/private/service_contexts and append:

#add for XxxSystemUtil
XxxSystemUtil  u:object_r:XxxSystemUtil_service:s0

2. Edit device/sprd/sharkle/common/plat_sepolicy/public/service.te and append:

#type for XxxSystemUtil
type XxxSystemUtil_service, service_manager_type;

3. Edit device/sprd/sharkle/common/sepolicy/system_server.te and append:

#add for XxxSystemUtil
allow system_server XxxSystemUtil_service:service_manager { add find };

4. Edit device/sprd/sharkle/common/sepolicy/platform_app.te and append:

#add for XxxSystemUtil
allow platform_app XxxSystemUtil_service:service_manager { find };

4. Adding new permission policy files

4.1. How to create a .te policy file

The above mostly adds permissions to processes that already exist. How do we add a brand-new .te file for a third-party process and grant it permissions?

Take the setmacaddr executable that writes the MAC address as the example (this executable does not exist in stock Android; we added it ourselves). The case extends to our xxxservice, which is started automatically from the init script; and because xxxservice runs from /system/bin its situation is even more special.

1. In device/sprd/sharkle/common/sepolicy/file_contexts, declare an entry following the other processes:

/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
/system/bin/patchoat    u:object_r:dex2oat_exec:s0
/system/bin/setmacaddr  u:object_r:engsetmacaddr_exec:s0
/system/bin/xxxservice  u:object_r:pxxxservice_exec:s0

This specifies the paths of setmacaddr and xxxservice and assigns each a type name, which must end in _exec.

2. Following the other files, create engsetmacaddr.te in device/sprd/sharkle/common/sepolicy/ with the following content:

type engsetmacaddr, domain;
type engsetmacaddr_exec, exec_type, file_type;
init_daemon_domain(engsetmacaddr)
allow engsetmacaddr  vfat:dir { search write add_name create };
allow engsetmacaddr  vfat:file { create read write open };
allow engsetmacaddr  engsetmacaddr:capability dac_override;
allow engsetmacaddr  shell_exec:file { execute read open execute_no_trans };
allow engsetmacaddr  system_data_file:dir { write add_name remove_name };
allow engsetmacaddr  system_data_file:file { create execute_no_trans write open setattr };
allow engsetmacaddr  system_file:file { execute_no_trans };

All of the permissions above were added one by one according to whatever the avc denied log said was missing.

3.

3.1. For xxxservice, create xxxservice.te in device/sprd/sharkle/common/plat_sepolicy/private/ with the following content:

typeattribute xxxservice coredomain;
init_daemon_domain(xxxservice)

3.2. Create xxxservice.te in device/sprd/sharkle/common/plat_sepolicy/public with the following content:

type xxxservice, domain, mlstrustedsubject;
type xxxservice_exec, exec_type, file_type;

3.3. Create xxxservice.te in device/sprd/sharkle/common/sepolicy/ with the following content:

allow xxxservice servicemanager:binder { call };   #call "dumpsys"
allow xxxservice system_server:binder { call };    #call "dumpsys"
allow servicemanager xxxservice:dir { search };
allow servicemanager xxxservice:file { read };

4.2. Adding access permissions for a new device node

When a driver creates a new device node, the Android layer has no access to it even if its mode is 777.

Below, a /dev/wf_bt node is used to demonstrate letting the userspace system_server process access the node.

1. Since our SELinux is enabled on the Spreadtrum platform, edit device/sprd/sharkle/common/sepolicy/device.te and, following the existing entries in that file, define a wf_bt_device device of type dev_type:

type misc_block_device, dev_type;
type private_block_device, dev_type;
……
type wf_bt_device, dev_type;

2. Edit file_contexts.te and declare the /dev/wf_bt node as the wf_bt_device defined in step 1:

/dev/block/by-name/misc         u:object_r:misc_block_device:s0
/dev/block/by-name/alog         u:object_r:log_block_device:s0
/dev/block/by-name/private      u:object_r:private_block_device:s0
# We add here
/dev/wf_bt              u:object_r:wf_bt_device:s0

3. In system_server.te, according to dmesg | grep avc, allow system_server to read and write the wf_bt_device node:

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
……
allow system_server wf_bt_device:chr_file rw_file_perms;

Other processes that need to access /dev/wf_bt follow the same pattern: add the corresponding permissions on wf_bt_device.

4.3. Common errors

01-02 10:01:37.596   238   300 W YLOG    : [01-02 10:01:37.596] ylog<critical> android cacheline write wrong 4317 -> 1008

01-02 10:01:37.598   217   217 E SELinux : avc:  denied  { add } for service=XxxSystemUtil pid=4311 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:XxxSystemUtil_service:s0 tclass=service_manager permissive=0

01-02 10:01:37.599   217   217 E ServiceManager: add_service('XxxSystemUtil',91) uid=1000 - PERMISSION DENIED

libsepol.report_failure: neverallow on line 554 of system/sepolicy/private/system_server.te (or line 31144 of policy.conf) violated by allow system_app SettingsManagerService_service:service_manager { add };

Caused by: java.lang.RuntimeException: failed to set system property
           
01-01 11:11:39.434 E/SELinux (  218): avc:  denied  { add } for service=XxxApiService pid=2021 uid=0 scontext=u:r:xxxservice:s0 tcontext=u:object_r:XxxApiService_service:s0 tclass=service_manager permissive=0

01-01 11:11:39.435 E/ServiceManager(  218): add_service('XxxApiService',92) uid=0 - PERMISSION DENIED
           

Debugging tip:

Because of the SELinux problem, and because the adb connection is slow, the relevant logs have to be captured over the serial port. The start of xxxservice is therefore controlled through a property:

on post-fs-data

on property:xxx.ctrl.xxxservice=1
    start xxxservice

service xxxservice /system/bin/xxxservice
    class core
    user root
    group root
    disabled

4.4. Why processes cannot access the data directory directly

[Description]

[SELinux] After Android M, processes cannot access the data directory directly

[Keyword]

SELinux, data, denied, permission denied, security

[Version]

android >= 6.0

[Solution]

Since Android M, Google uses the SELinux neverallow syntax to forcibly restrict ordinary processes' access to the data directory. Processes other than init, system_server, installd and system_app are strictly forbidden from operating on /data directly, for example creating files, writing files or renaming files under data.

Many customers create files under data to save information. On M this operation is intercepted directly by SELinux, and permission to access system_data_file cannot simply be added; the following procedure is required.

(1). In init.rc, or another init.xxx.rc, add to the on post-fs-data section:

mkdir /data/xxxx 0770 root system

(2). In /device/mediatek/common/sepolicy/file.te add:

type xxxx_data_file, file_type, data_file_type;

(3). In /device/mediatek/common/sepolicy/file_contexts add:

/data/xxxx(/.*)? u:object_r:xxxx_data_file:s0

(4). Grant permissions to your process; for example, if your process's SELinux domain is yyyy:

allow yyyy xxxx_data_file:dir create_dir_perms;
allow yyyy xxxx_data_file:file create_file_perms;

Only then can you get around Google's restriction. The xxxx directory name is up to you.

Below is a complete example of the procedure:

For historical reasons the project needed access to the directories and files under /data/resource. Before SELinux checking was enabled it was enough to give the directory the appropriate read/write permissions; once SELinux is enabled this no longer works. Google uses the SELinux neverallow syntax to forcibly restrict ordinary processes' access to the data directory: processes other than init, system_server, installd and system_app are strictly forbidden from operating on /data directly, such as creating, writing or renaming files under data. On the O release many customers create files under data to save information; this operation is intercepted directly by SELinux, and permission to access system_data_file and data_file_type cannot simply be added, so the following procedure is required.

1. In system/sepolicy/public/file.te and system/sepolicy/prebuilts/api/26.0/public/file.te add:

type xxxdroid_share_file, file_type, data_file_type, mlstrustedobject;   # mlstrustedobject is very important; it is emphasized below

2. In system/sepolicy/prebuilts/api/26.0/private/file_contexts and system/sepolicy/private/file_contexts add:

/data/resource(/.*)? u:object_r:xxxdroid_share_file:s0

3. In system/sepolicy/prebuilts/api/26.0/private/app_neverallows.te and system/sepolicy/private/app_neverallows.te make the following changes:

#neverallow all_untrusted_apps file_type:file link;
# do not allow all_untrusted_apps to access file_type, except xxxdroid_share_file
neverallow {all_untrusted_apps} {file_type -xxxdroid_share_file}:file link;

# same as above
neverallow { all_untrusted_apps -mediaprovider } {
  fs_type
  -fuse # sdcard
  -sdcardfs # sdcard
  -vfat
  file_type
  -app_data_file # The apps sandbox itself
  -media_rw_data_file # Internal storage. Known that apps can
                      # leave artfacts here after uninstall.
  -user_profile_data_file # Access to profile files
  userdebug_or_eng(`
  -method_trace_data_file # only on ro.debuggable=1
  -coredump_file # userdebug/eng only
  ')
  -xxxdroid_share_file
}:dir_file_class_set { create unlink };

4. Then add the file device/sprd/sharkle/common/sepolicy/xxxdroid_share_file.te and add the related permissions:

allow system_app xxxdroid_share_file:file { create write setattr relabelfrom relabelto append unlink link rename open getattr read lock };

allow untrusted_app xxxdroid_share_file:dir { search write create add_name remove_name setattr relabelfrom relabelto append unlink link rename getattr };
allow untrusted_app xxxdroid_share_file:file { create write setattr relabelfrom relabelto append unlink link rename open getattr read lock };

allow untrusted_app_25 xxxdroid_share_file:dir { search write create add_name remove_name setattr relabelfrom relabelto append unlink link rename getattr };
allow untrusted_app_25 xxxdroid_share_file:file { create write setattr relabelfrom relabelto append unlink link rename open getattr read lock };

allow platform_app xxxdroid_share_file:dir { search write create add_name remove_name setattr relabelfrom relabelto append unlink link rename getattr };
allow platform_app xxxdroid_share_file:file { create write setattr relabelfrom relabelto append rename open getattr read lock };

allow xxxservice xxxdroid_share_file:dir { search write create add_name remove_name setattr relabelfrom relabelto append unlink link rename getattr };
allow xxxservice xxxdroid_share_file:file { create write setattr relabelfrom relabelto append rename open getattr read lock };

5. Now the key point: afterwards, no matter what we changed, untrusted_app_25 still could not modify the file. It turned out to be caused by the MLS rules; the error looks like this:

type=1400 avc: denied { connectto } for pid=6884 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket permissive=0

system/sepolicy/private/mls contains the following rules, which is why xxxdroid_share_file must carry mlstrustedobject:

mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
    (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
    (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

For details see the blog post: MLS rule constraints in SELinux
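The MLS level relations from section 1.5 and the mls rules quoted above, as an added example (not code from the page or from AOSP): it parses security contexts, implements eq/dom/domby/incomp on (sensitivity, category set) levels, evaluates mlsconstrain expressions in the syntax of section 1.5, and shows why untrusted_app_25 at s0:c512,c768 fails the write constraint on a file labelled xxxdroid_share_file:s0 until the type carries mlstrustedobject. The attribute sets and the type names in the section 1.5 scenario are constructed.

```python
"""Evaluate SELinux mlsconstrain expressions against security contexts."""
import re
from collections import namedtuple

Ctx = namedtuple("Ctx", "user role type low high")


def parse_level(level):
    """'s0:c512,c768' or 's0:c0.c1023' -> (sensitivity, frozenset of categories)."""
    sens, _, cats = level.partition(":")
    catset = set()
    for item in filter(None, cats.split(",")):
        if "." in item:                      # 'c0.c1023' is an inclusive range
            lo, hi = item.split(".")
            catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            catset.add(int(item[1:]))
    return (int(sens[1:]), frozenset(catset))


def parse_context(ctx):
    """'u:r:sdcardd:s0' or 'u:object_r:f:s0-s15:c0.c1023' -> Ctx with low/high levels."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return Ctx(user, role, typ, parse_level(low), parse_level(high or low))


# a dominates b when its sensitivity is >= b's and its categories are a superset of b's.
def dom(a, b):    return a[0] >= b[0] and a[1] >= b[1]
def domby(a, b):  return dom(b, a)
def eq(a, b):     return a == b
def incomp(a, b): return not dom(a, b) and not dom(b, a)

RELS = {"eq": eq, "dom": dom, "domby": domby, "incomp": incomp}
KEYWORDS = {"t1", "t2", "u1", "u2", "r1", "r2", "l1", "l2", "h1", "h2"}


def evaluate(expr, src, tgt, attrs):
    """Evaluate a constraint expression; attrs maps a type name to the attributes it carries."""
    toks = re.findall(r"\(|\)|==|!=|[A-Za-z_][A-Za-z0-9_]*", expr)
    pos = 0
    sides = {"1": src, "2": tgt}

    def operand(tok):
        if tok in KEYWORDS:                  # t1/l2/... resolve to a field of a context
            c = sides[tok[1]]
            return {"t": c.type, "u": c.user, "r": c.role, "l": c.low, "h": c.high}[tok[0]]
        return tok                           # a literal type/attribute/user/role name

    def parse_expr():                        # expr := term ('or' term)*
        nonlocal pos
        val = parse_term()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1
            val = parse_term() or val
        return val

    def parse_term():                        # term := factor ('and' factor)*
        nonlocal pos
        val = parse_factor()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            val = parse_factor() and val
        return val

    def parse_factor():                      # factor := 'not' factor | '(' expr ')' | a op b
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "not":
            return not parse_factor()
        if tok == "(":
            val = parse_expr()
            pos += 1                         # consume ')'
            return val
        op, rhs = toks[pos], toks[pos + 1]; pos += 2
        left, right = operand(tok), operand(rhs)
        if op in RELS:
            return RELS[op](left, right)
        if isinstance(left, tuple):          # == / != on levels behave like eq
            same = eq(left, right)
        else:                                # type/user/role: equal, or member of the attribute
            same = left == right or right in attrs.get(left, set())
        return same if op == "==" else not same

    return parse_expr()


# The rule quoted above from system/sepolicy/private/mls (same expression for dir and file).
MLS_FILE_WRITE = "(t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject)"
# The write constraint from section 1.5.
WRITE_1_5 = "( ( l1 domby l2 ) or ( t1 == mlsfilewritedown ) )"


def share_file_case():
    """Section 4.4 step 5: the shared file before and after adding mlstrustedobject."""
    app = parse_context("u:r:untrusted_app_25:s0:c512,c768")
    shared = parse_context("u:object_r:xxxdroid_share_file:s0")
    before = {"xxxdroid_share_file": {"file_type", "data_file_type"}}            # constructed
    after = {"xxxdroid_share_file": {"file_type", "data_file_type", "mlstrustedobject"}}
    return evaluate(MLS_FILE_WRITE, app, shared, before), evaluate(MLS_FILE_WRITE, app, shared, after)
```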

4.5. Adding property access permissions

For historical reasons, earlier development used many properties. Now that the platform has SELinux enabled, porting the old code frequently produces the error Caused by: java.lang.RuntimeException: failed to set system property, so we need to write policy that satisfies the access to the specific properties. The procedure is:

1. Append the following definitions to device/sprd/sharkle/common/plat_sepolicy/private/property_contexts:

# add property contexts for xxx

xxx.ctrl.                       u:object_r:xxx_ctrl_prop:s0
xxx.soc.                        u:object_r:xxx_ctrl_prop:s0
com.xxx.                        u:object_r:xxx_ctrl_prop:s0
xxx.sp.                         u:object_r:xxx_ctrl_prop:s0
persist.xxx.                    u:object_r:xxx_ctrl_prop:s0
ro.epay.serial                  u:object_r:xxx_ctrl_prop:s0
ro.xxx.manufacturer.info        u:object_r:xxx_ctrl_prop:s0
xxx.sys.                        u:object_r:xxx_ctrl_prop:s0
xxx.sdk.                        u:object_r:xxx_ctrl_prop:s0
xxx.persist.                    u:object_r:xxx_ctrl_prop:s0
xxx.param.                      u:object_r:xxx_ctrl_prop:s0
ro.xxx.                         u:object_r:xxx_ctrl_prop:s0

2. Append the following definition to device/sprd/sharkle/common/plat_sepolicy/public/property.te:

#add for xxx.ctrl  property

type xxx_ctrl_prop, property_type;

3. Finally, add the access rules for the property type just defined. There are too many to list one by one; see the screenshot.

[Screenshot of the property access rules: not reproduced]

4.6. Adding access permissions for NTFS-formatted external USB drives

Stock Android only supports mounting VFAT-formatted USB drives, and we now need to add mounting of NTFS-formatted drives. The focus here is not how to add NTFS support but how to add the SELinux permissions for mounting an NTFS USB drive. I originally assumed it would be trivial, just follow what was done for VFAT, but it turned out to be a pitfall that simply did not work. After trying many approaches, the kernel log finally revealed the following:

sdcardfs: mounted on top of /mnt/media_rw/exsdcard0 type fuseblk

sdcardfs: mounted on top of /mnt/media_rw/exsdcard0 type vfat

The driver was not mounting the USB drive as ntfs at all but as type fuseblk. Once that was discovered the problem was solved: just add the SELinux permissions following the VFAT pattern. Note the security context of the virtual filesystem and the keyword genfscon.

commit 478da44c4f219cba7870ef8755875ce8b4970d0d
Date:   Fri May 15 14:41:53 2020 +0800

    SELinux: ntfs format U disk can be used normally

diff --git a/device/qcom/sepolicy/private/xxx_ntfs.te b/device/qcom/sepolicy/private/xxx_ntfs.te
new file mode 100644
index 0000000..3ccdf57
--- /dev/null
+++ b/device/qcom/sepolicy/private/xxx_ntfs.te
@@ -0,0 +1,16 @@
+allow vold mnt_media_rw_stub_file:dir {rw_dir_perms};
+
+#add ntfs udisk
+allow mediaprovider unlabeled:dir {getattr read open write search};
+allow mediaprovider unlabeled:file {getattr read open write setattr};
+allow untrusted_app_all unlabeled:file {read open write getattr};
+allow platform_app unlabeled:filesystem {getattr};
+allow platform_app unlabeled:dir {getattr write read open search};
+allow platform_app unlabeled:file {getattr write read open setattr};
+allow vold vold:capability {setgid setuid};
+allow vold unlabeled:dir {mounton write};
+allow vold unlabeled:filesystem {unmount};
+allow priv_app unlabeled:dir { search getattr read open };
+allow priv_app unlabeled:file {getattr read };
+allow vold {cache_block_device block_device}:blk_file {rw_file_perms};
+
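Review bot: every rule in this hunk except the first and last grants access to the `unlabeled` type, which covers any file on the device that carries no label, not only the fuseblk mount; `allow untrusted_app_all unlabeled:file {read open write getattr};` therefore opens all such files to every third-party app. The surrounding text points at genfscon: give the fuseblk filesystem its own type (the second hunk adds a `fuseblk_26_0` entry to fs_type) and write these rules against that type, the way the vfat rules are written. The `allow vold vold:capability {setgid setuid};` and `allow vold {cache_block_device block_device}:blk_file {rw_file_perms};` lines are unrelated to the NTFS mount and need their own comment or a separate commit.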
diff --git a/system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil b/system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil
old mode 100644
new mode 100755
index 2ed4efa..ab1c668
--- a/system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil
+++ b/system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil
@@ -1,7 +1,7 @@
 (roletype r domain)
 (typeattributeset dev_type (device_26_0 alarm_device_26_0 ashmem_device_26_0 audio_device_26_0 audio_timer_device_26_0 audio_seq_device_26_0 binder_device_26_0 hwbinder_device_26_0 vndbinder_device_26_0 block_device_26_0 camera_device_26_0 dm_device_26_0 keychord_device_26_0 loop_control_device_26_0 loop_device_26_0 pmsg_device_26_0 radio_device_26_0 ram_device_26_0 rtc_device_26_0 vold_device_26_0 console_device_26_0 cpuctl_device_26_0 fscklogs_26_0 full_device_26_0 gpu_device_26_0 graphics_device_26_0 hw_random_device_26_0 input_device_26_0 kmem_device_26_0 port_device_26_0 log_device_26_0 mtd_device_26_0 mtp_device_26_0 nfc_device_26_0 ptmx_device_26_0 kmsg_device_26_0 null_device_26_0 random_device_26_0 sensors_device_26_0 serial_device_26_0 socket_device_26_0 owntty_device_26_0 tty_device_26_0 video_device_26_0 vcs_device_26_0 zero_device_26_0 fuse_device_26_0 iio_device_26_0 ion_device_26_0 qtaguid_device_26_0 watchdog_device_26_0 uhid_device_26_0 uio_device_26_0 tun_device_26_0 usbaccessory_device_26_0 usb_device_26_0 properties_device_26_0 properties_serial_26_0 i2c_device_26_0 hci_attach_dev_26_0 rpmsg_device_26_0 root_block_device_26_0 frp_block_device_26_0 system_block_device_26_0 recovery_block_device_26_0 boot_block_device_26_0 userdata_block_device_26_0 cache_block_device_26_0 swap_block_device_26_0 metadata_block_device_26_0 misc_block_device_26_0 ppp_device_26_0 tee_device_26_0))
 (typeattributeset domain (adbd_26_0 audioserver_26_0 blkid_26_0 blkid_untrusted_26_0 bluetooth_26_0 bootanim_26_0 bootstat_26_0 bufferhubd_26_0 cameraserver_26_0 charger_26_0 clatd_26_0 cppreopts_26_0 crash_dump_26_0 dex2oat_26_0 dhcp_26_0 dnsmasq_26_0 drmserver_26_0 dumpstate_26_0 ephemeral_app_26_0 fingerprintd_26_0 fsck_26_0 fsck_untrusted_26_0 gatekeeperd_26_0 healthd_26_0 hwservicemanager_26_0 idmap_26_0 incident_26_0 incidentd_26_0 init_26_0 inputflinger_26_0 install_recovery_26_0 installd_26_0 isolated_app_26_0 kernel_26_0 keystore_26_0 lmkd_26_0 logd_26_0 logpersist_26_0 mdnsd_26_0 mediacodec_26_0 mediadrmserver_26_0 mediaextractor_26_0 mediametrics_26_0 mediaserver_26_0 modprobe_26_0 mtp_26_0 netd_26_0 netutils_wrapper_26_0 nfc_26_0 otapreopt_chroot_26_0 otapreopt_slot_26_0 performanced_26_0 perfprofd_26_0 platform_app_26_0 postinstall_26_0 postinstall_dexopt_26_0 ppp_26_0 preopt2cachename_26_0 priv_app_26_0 profman_26_0 racoon_26_0 radio_26_0 recovery_26_0 recovery_persist_26_0 recovery_refresh_26_0 rild_26_0 runas_26_0 sdcardd_26_0 servicemanager_26_0 sgdisk_26_0 shared_relro_26_0 shell_26_0 slideshow_26_0 su_26_0 surfaceflinger_26_0 system_app_26_0 system_server_26_0 tee_26_0 tombstoned_26_0 toolbox_26_0 tzdatacheck_26_0 ueventd_26_0 uncrypt_26_0 untrusted_app_26_0 untrusted_app_25_26_0 untrusted_v2_app_26_0 update_engine_26_0 update_verifier_26_0 vdc_26_0 virtual_touchpad_26_0 vndservicemanager_26_0 vold_26_0 vr_hwc_26_0 watchdogd_26_0 webview_zygote_26_0 wificond_26_0 zygote_26_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_camera_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default hal_nfc_default hal_power_default hal_sensors_default hal_thermal_default hal_tv_cec_default 
hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default hostapd vendor_modprobe))
-(typeattributeset fs_type (device_26_0 labeledfs_26_0 pipefs_26_0 sockfs_26_0 rootfs_26_0 proc_26_0 proc_security_26_0 proc_drop_caches_26_0 proc_overcommit_memory_26_0 usermodehelper_26_0 qtaguid_proc_26_0 proc_bluetooth_writable_26_0 proc_cpuinfo_26_0 proc_interrupts_26_0 proc_iomem_26_0 proc_meminfo_26_0 proc_misc_26_0 proc_modules_26_0 proc_net_26_0 proc_perf_26_0 proc_stat_26_0 proc_sysrq_26_0 proc_timer_26_0 proc_tty_drivers_26_0 proc_uid_cputime_showstat_26_0 proc_uid_cputime_removeuid_26_0 proc_uid_io_stats_26_0 proc_uid_procstat_set_26_0 proc_zoneinfo_26_0 selinuxfs_26_0 cgroup_26_0 sysfs_26_0 sysfs_uio_26_0 sysfs_batteryinfo_26_0 sysfs_bluetooth_writable_26_0 sysfs_leds_26_0 sysfs_hwrandom_26_0 sysfs_nfc_power_writable_26_0 sysfs_wake_lock_26_0 sysfs_mac_address_26_0 configfs_26_0 sysfs_devices_system_cpu_26_0 sysfs_lowmemorykiller_26_0 sysfs_wlan_fwpath_26_0 sysfs_vibrator_26_0 sysfs_thermal_26_0 sysfs_zram_26_0 sysfs_zram_uevent_26_0 inotify_26_0 devpts_26_0 tmpfs_26_0 shm_26_0 mqueue_26_0 fuse_26_0 sdcardfs_26_0 vfat_26_0 debugfs_26_0 debugfs_mmc_26_0 debugfs_trace_marker_26_0 debugfs_tracing_26_0 debugfs_tracing_instances_26_0 debugfs_wifi_tracing_26_0 tracing_shell_writable_26_0 tracing_shell_writable_debug_26_0 pstorefs_26_0 functionfs_26_0 oemfs_26_0 usbfs_26_0 binfmt_miscfs_26_0 app_fusefs_26_0))
+(typeattributeset fs_type (device_26_0 labeledfs_26_0 pipefs_26_0 sockfs_26_0 rootfs_26_0 proc_26_0 proc_security_26_0 proc_drop_caches_26_0 proc_overcommit_memory_26_0 usermodehelper_26_0 qtaguid_proc_26_0 proc_bluetooth_writable_26_0 proc_cpuinfo_26_0 proc_interrupts_26_0 proc_iomem_26_0 proc_meminfo_26_0 proc_misc_26_0 proc_modules_26_0 proc_net_26_0 proc_perf_26_0 proc_stat_26_0 proc_sysrq_26_0 proc_timer_26_0 proc_tty_drivers_26_0 proc_uid_cputime_showstat_26_0 proc_uid_cputime_removeuid_26_0 proc_uid_io_stats_26_0 proc_uid_procstat_set_26_0 proc_zoneinfo_26_0 selinuxfs_26_0 cgroup_26_0 sysfs_26_0 sysfs_uio_26_0 sysfs_batteryinfo_26_0 sysfs_bluetooth_writable_26_0 sysfs_leds_26_0 sysfs_hwrandom_26_0 sysfs_nfc_power_writable_26_0 sysfs_wake_lock_26_0 sysfs_mac_address_26_0 configfs_26_0 sysfs_devices_system_cpu_26_0 sysfs_lowmemorykiller_26_0 sysfs_wlan_fwpath_26_0 sysfs_vibrator_26_0 sysfs_thermal_26_0 sysfs_zram_26_0 sysfs_zram_uevent_26_0 inotify_26_0 devpts_26_0 tmpfs_26_0 shm_26_0 mqueue_26_0 fuse_26_0 sdcardfs_26_0 vfat_26_0 fuseblk_26_0 debugfs_26_0 debugfs_mmc_26_0 debugfs_trace_marker_26_0 debugfs_tracing_26_0 debugfs_tracing_instances_26_0 debugfs_wifi_tracing_26_0 tracing_shell_writable_26_0 tracing_shell_writable_debug_26_0 pstorefs_26_0 functionfs_26_0 oemfs_26_0 usbfs_26_0 binfmt_miscfs_26_0 app_fusefs_26_0))
 (typeattributeset contextmount_type (oemfs_26_0 app_fusefs_26_0))
 (typeattributeset file_type (bootanim_exec_26_0 bootstat_exec_26_0 bufferhubd_exec_26_0 cameraserver_exec_26_0 clatd_exec_26_0 cppreopts_exec_26_0 crash_dump_exec_26_0 dex2oat_exec_26_0 dhcp_exec_26_0 dnsmasq_exec_26_0 drmserver_exec_26_0 drmserver_socket_26_0 dumpstate_exec_26_0 sysfs_usb_26_0 unlabeled_26_0 system_file_26_0 vendor_hal_file_26_0 vendor_file_26_0 vendor_app_file_26_0 vendor_configs_file_26_0 same_process_hal_file_26_0 vndk_sp_file_26_0 vendor_framework_file_26_0 vendor_overlay_file_26_0 runtime_event_log_tags_file_26_0 logcat_exec_26_0 coredump_file_26_0 system_data_file_26_0 unencrypted_data_file_26_0 install_data_file_26_0 drm_data_file_26_0 adb_data_file_26_0 anr_data_file_26_0 tombstone_data_file_26_0 apk_data_file_26_0 apk_tmp_file_26_0 apk_private_data_file_26_0 apk_private_tmp_file_26_0 dalvikcache_data_file_26_0 ota_data_file_26_0 ota_package_file_26_0 user_profile_data_file_26_0 profman_dump_data_file_26_0 resourcecache_data_file_26_0 shell_data_file_26_0 property_data_file_26_0 bootchart_data_file_26_0 heapdump_data_file_26_0 nativetest_data_file_26_0 ringtone_file_26_0 preloads_data_file_26_0 preloads_media_file_26_0 dhcp_data_file_26_0 mnt_media_rw_file_26_0 mnt_user_file_26_0 mnt_expand_file_26_0 storage_file_26_0 mnt_media_rw_stub_file_26_0 storage_stub_file_26_0 postinstall_mnt_dir_26_0 postinstall_file_26_0 adb_keys_file_26_0 audio_data_file_26_0 audiohal_data_file_26_0 audioserver_data_file_26_0 bluetooth_data_file_26_0 bluetooth_logs_data_file_26_0 bootstat_data_file_26_0 boottrace_data_file_26_0 camera_data_file_26_0 gatekeeper_data_file_26_0 incident_data_file_26_0 keychain_data_file_26_0 keystore_data_file_26_0 media_data_file_26_0 media_rw_data_file_26_0 misc_user_data_file_26_0 net_data_file_26_0 nfc_data_file_26_0 radio_data_file_26_0 reboot_data_file_26_0 recovery_data_file_26_0 shared_relro_file_26_0 systemkeys_data_file_26_0 textclassifier_data_file_26_0 vpn_data_file_26_0 wifi_data_file_26_0 zoneinfo_data_file_26_0 
vold_data_file_26_0 perfprofd_data_file_26_0 tee_data_file_26_0 update_engine_data_file_26_0 method_trace_data_file_26_0 app_data_file_26_0 system_app_data_file_26_0 cache_file_26_0 cache_backup_file_26_0 cache_private_backup_file_26_0 cache_recovery_file_26_0 efs_file_26_0 wallpaper_file_26_0 shortcut_manager_icons_26_0 icon_file_26_0 asec_apk_file_26_0 asec_public_file_26_0 asec_image_file_26_0 backup_data_file_26_0 bluetooth_efs_file_26_0 fingerprintd_data_file_26_0 app_fuse_file_26_0 adbd_socket_26_0 bluetooth_socket_26_0 dnsproxyd_socket_26_0 dumpstate_socket_26_0 fwmarkd_socket_26_0 lmkd_socket_26_0 logd_socket_26_0 logdr_socket_26_0 logdw_socket_26_0 mdns_socket_26_0 mdnsd_socket_26_0 misc_logd_file_26_0 mtpd_socket_26_0 netd_socket_26_0 property_socket_26_0 racoon_socket_26_0 rild_socket_26_0 rild_debug_socket_26_0 system_wpa_socket_26_0 system_ndebug_socket_26_0 tombstoned_crash_socket_26_0 tombstoned_intercept_socket_26_0 uncrypt_socket_26_0 vold_socket_26_0 webview_zygote_socket_26_0 wpa_socket_26_0 zygote_socket_26_0 gps_control_26_0 pdx_display_dir_26_0 pdx_performance_dir_26_0 pdx_bufferhub_dir_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0 file_contexts_file_26_0 mac_perms_file_26_0 property_contexts_file_26_0 seapp_contexts_file_26_0 sepolicy_file_26_0 service_contexts_file_26_0 hwservice_contexts_file_26_0 vndservice_contexts_file_26_0 fingerprintd_exec_26_0 fsck_exec_26_0 gatekeeperd_exec_26_0 healthd_exec_26_0 hwservicemanager_exec_26_0 idmap_exec_26_0 init_exec_26_0 inputflinger_exec_26_0 install_recovery_exec_26_0 installd_exec_26_0 keystore_exec_26_0 lmkd_exec_26_0 logd_exec_26_0 mediacodec_exec_26_0 mediadrmserver_exec_26_0 mediaextractor_exec_26_0 mediametrics_exec_26_0 mediaserver_exec_26_0 mtp_exec_26_0 netd_exec_26_0 
netutils_wrapper_exec_26_0 otapreopt_chroot_exec_26_0 otapreopt_slot_exec_26_0 performanced_exec_26_0 perfprofd_exec_26_0 ppp_exec_26_0 preopt2cachename_exec_26_0 profman_exec_26_0 racoon_exec_26_0 recovery_persist_exec_26_0 recovery_refresh_exec_26_0 runas_exec_26_0 sdcardd_exec_26_0 servicemanager_exec_26_0 sgdisk_exec_26_0 shell_exec_26_0 su_exec_26_0 tombstoned_exec_26_0 toolbox_exec_26_0 tzdatacheck_exec_26_0 uncrypt_exec_26_0 update_engine_exec_26_0 update_verifier_exec_26_0 vdc_exec_26_0 vendor_shell_exec_26_0 vendor_toolbox_exec_26_0 virtual_touchpad_exec_26_0 vold_exec_26_0 vr_hwc_exec_26_0 webview_zygote_exec_26_0 wificond_exec_26_0 zygote_exec_26_0 hostapd_socket hal_audio_default_exec hal_audio_default_tmpfs hal_bluetooth_default_exec hal_bluetooth_default_tmpfs hal_bootctl_default_exec hal_bootctl_default_tmpfs hal_camera_default_exec hal_camera_default_tmpfs hal_configstore_default_exec hal_configstore_default_tmpfs hal_contexthub_default_exec hal_contexthub_default_tmpfs hal_drm_default_exec hal_drm_default_tmpfs hal_dumpstate_default_exec hal_dumpstate_default_tmpfs hal_fingerprint_default_exec hal_fingerprint_default_tmpfs hal_gatekeeper_default_exec hal_gatekeeper_default_tmpfs hal_gnss_default_exec hal_gnss_default_tmpfs hal_graphics_allocator_default_exec hal_graphics_allocator_default_tmpfs hal_graphics_composer_default_exec hal_graphics_composer_default_tmpfs hal_health_default_exec hal_health_default_tmpfs hal_ir_default_exec hal_ir_default_tmpfs hal_keymaster_default_exec hal_keymaster_default_tmpfs hal_light_default_exec hal_light_default_tmpfs hal_memtrack_default_exec hal_memtrack_default_tmpfs hal_nfc_default_exec hal_nfc_default_tmpfs mediacodec_tmpfs hal_power_default_exec hal_power_default_tmpfs hal_sensors_default_exec hal_sensors_default_tmpfs hal_thermal_default_exec hal_thermal_default_tmpfs hal_tv_cec_default_exec hal_tv_cec_default_tmpfs hal_tv_input_default_exec hal_tv_input_default_tmpfs hal_usb_default_exec 
hal_usb_default_tmpfs hal_vibrator_default_exec hal_vibrator_default_tmpfs hal_vr_default_exec hal_vr_default_tmpfs hal_wifi_default_exec hal_wifi_default_tmpfs hal_wifi_offload_default_exec hal_wifi_offload_default_tmpfs hal_wifi_supplicant_default_exec hal_wifi_supplicant_default_tmpfs hostapd_exec hostapd_tmpfs rild_exec rild_tmpfs tee_exec tee_tmpfs vndservicemanager_exec vndservicemanager_tmpfs))
 (typeattributeset exec_type (bootanim_exec_26_0 bootstat_exec_26_0 bufferhubd_exec_26_0 cameraserver_exec_26_0 clatd_exec_26_0 cppreopts_exec_26_0 crash_dump_exec_26_0 dex2oat_exec_26_0 dhcp_exec_26_0 dnsmasq_exec_26_0 drmserver_exec_26_0 dumpstate_exec_26_0 logcat_exec_26_0 fingerprintd_exec_26_0 fsck_exec_26_0 gatekeeperd_exec_26_0 healthd_exec_26_0 hwservicemanager_exec_26_0 idmap_exec_26_0 init_exec_26_0 inputflinger_exec_26_0 install_recovery_exec_26_0 installd_exec_26_0 keystore_exec_26_0 lmkd_exec_26_0 logd_exec_26_0 mediacodec_exec_26_0 mediadrmserver_exec_26_0 mediaextractor_exec_26_0 mediametrics_exec_26_0 mediaserver_exec_26_0 mtp_exec_26_0 netd_exec_26_0 netutils_wrapper_exec_26_0 otapreopt_chroot_exec_26_0 otapreopt_slot_exec_26_0 performanced_exec_26_0 perfprofd_exec_26_0 ppp_exec_26_0 preopt2cachename_exec_26_0 profman_exec_26_0 racoon_exec_26_0 recovery_persist_exec_26_0 recovery_refresh_exec_26_0 runas_exec_26_0 sdcardd_exec_26_0 servicemanager_exec_26_0 sgdisk_exec_26_0 shell_exec_26_0 su_exec_26_0 tombstoned_exec_26_0 toolbox_exec_26_0 tzdatacheck_exec_26_0 uncrypt_exec_26_0 update_engine_exec_26_0 update_verifier_exec_26_0 vdc_exec_26_0 vendor_shell_exec_26_0 vendor_toolbox_exec_26_0 virtual_touchpad_exec_26_0 vold_exec_26_0 vr_hwc_exec_26_0 webview_zygote_exec_26_0 wificond_exec_26_0 zygote_exec_26_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_camera_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec 
hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec))
@@ -11,6 +11,7 @@
 (typeattributeset sysfs_type (usermodehelper_26_0 sysfs_26_0 sysfs_uio_26_0 sysfs_batteryinfo_26_0 sysfs_bluetooth_writable_26_0 sysfs_leds_26_0 sysfs_hwrandom_26_0 sysfs_nfc_power_writable_26_0 sysfs_wake_lock_26_0 sysfs_mac_address_26_0 sysfs_usb_26_0 sysfs_devices_system_cpu_26_0 sysfs_lowmemorykiller_26_0 sysfs_wlan_fwpath_26_0 sysfs_vibrator_26_0 sysfs_thermal_26_0 sysfs_zram_26_0 sysfs_zram_uevent_26_0))
 (typeattributeset debugfs_type (debugfs_mmc_26_0 debugfs_trace_marker_26_0 debugfs_tracing_26_0 debugfs_tracing_instances_26_0 debugfs_wifi_tracing_26_0 tracing_shell_writable_26_0 tracing_shell_writable_debug_26_0))
 (typeattributeset sdcard_type (fuse_26_0 sdcardfs_26_0 vfat_26_0))
+(typeattributeset sdcard_type (fuse_26_0 sdcardfs_26_0 fuseblk_26_0))
 (typeattributeset node_type (node_26_0))
 (typeattributeset netif_type (netif_26_0))
 (typeattributeset port_type (port_26_0))
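Review bot: the added `(typeattributeset sdcard_type (fuse_26_0 sdcardfs_26_0 fuseblk_26_0))` sits next to the existing sdcard_type statement instead of extending it, which is inconsistent with how fs_type is handled in the same file, where the old statement is replaced by one that includes fuseblk_26_0. CIL unions repeated typeattributeset statements for the same attribute, so the effective set still contains vfat_26_0, but a reader of the second line alone could take it as dropping vfat. Suggest a `-`/`+` pair yielding `(typeattributeset sdcard_type (fuse_26_0 sdcardfs_26_0 vfat_26_0 fuseblk_26_0))`.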
@@ -27,7 +28,7 @@
 (typeattributeset coredomain_hwservice (fwk_display_hwservice_26_0 fwk_scheduler_hwservice_26_0 fwk_sensor_hwservice_26_0 hidl_allocator_hwservice_26_0 hidl_manager_hwservice_26_0 hidl_memory_hwservice_26_0 hidl_token_hwservice_26_0 system_wifi_keystore_hwservice_26_0))
 (typeattributeset vndservice_manager_type (default_android_vndservice_26_0))
 (typeattributeset mlstrustedsubject (bufferhubd_26_0 cppreopts_26_0 drmserver_26_0 dumpstate_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0 hwservicemanager_26_0 init_26_0 installd_26_0 kernel_26_0 keystore_26_0 lmkd_26_0 logd_26_0 mediacodec_26_0 mediadrmserver_26_0 mediaextractor_26_0 mediaserver_26_0 netd_26_0 otapreopt_slot_26_0 performanced_26_0 perfprofd_26_0 racoon_26_0 radio_26_0 runas_26_0 servicemanager_26_0 shell_26_0 su_26_0 tombstoned_26_0 uncrypt_26_0 vold_26_0))
-(typeattributeset mlstrustedobject (alarm_device_26_0 ashmem_device_26_0 binder_device_26_0 hwbinder_device_26_0 pmsg_device_26_0 gpu_device_26_0 log_device_26_0 mtp_device_26_0 ptmx_device_26_0 null_device_26_0 random_device_26_0 owntty_device_26_0 zero_device_26_0 fuse_device_26_0 ion_device_26_0 tun_device_26_0 usbaccessory_device_26_0 usb_device_26_0 qtaguid_proc_26_0 selinuxfs_26_0 cgroup_26_0 sysfs_26_0 sysfs_bluetooth_writable_26_0 sysfs_nfc_power_writable_26_0 sysfs_usb_26_0 inotify_26_0 devpts_26_0 fuse_26_0 sdcardfs_26_0 vfat_26_0 debugfs_trace_marker_26_0 functionfs_26_0 anr_data_file_26_0 tombstone_data_file_26_0 apk_tmp_file_26_0 apk_private_tmp_file_26_0 ota_package_file_26_0 user_profile_data_file_26_0 shell_data_file_26_0 heapdump_data_file_26_0 ringtone_file_26_0 media_rw_data_file_26_0 radio_data_file_26_0 perfprofd_data_file_26_0 method_trace_data_file_26_0 system_app_data_file_26_0 cache_file_26_0 cache_backup_file_26_0 cache_recovery_file_26_0 wallpaper_file_26_0 shortcut_manager_icons_26_0 asec_apk_file_26_0 backup_data_file_26_0 app_fuse_file_26_0 dnsproxyd_socket_26_0 fwmarkd_socket_26_0 logd_socket_26_0 logdr_socket_26_0 logdw_socket_26_0 mdnsd_socket_26_0 property_socket_26_0 system_ndebug_socket_26_0 tombstoned_crash_socket_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0))
+(typeattributeset mlstrustedobject (alarm_device_26_0 ashmem_device_26_0 binder_device_26_0 hwbinder_device_26_0 pmsg_device_26_0 gpu_device_26_0 log_device_26_0 mtp_device_26_0 ptmx_device_26_0 null_device_26_0 random_device_26_0 owntty_device_26_0 zero_device_26_0 fuse_device_26_0 ion_device_26_0 tun_device_26_0 usbaccessory_device_26_0 usb_device_26_0 qtaguid_proc_26_0 selinuxfs_26_0 cgroup_26_0 sysfs_26_0 sysfs_bluetooth_writable_26_0 sysfs_nfc_power_writable_26_0 sysfs_usb_26_0 inotify_26_0 devpts_26_0 fuse_26_0 sdcardfs_26_0 vfat_26_0 fuseblk_26_0 debugfs_trace_marker_26_0 functionfs_26_0 anr_data_file_26_0 tombstone_data_file_26_0 apk_tmp_file_26_0 apk_private_tmp_file_26_0 ota_package_file_26_0 user_profile_data_file_26_0 shell_data_file_26_0 heapdump_data_file_26_0 ringtone_file_26_0 media_rw_data_file_26_0 radio_data_file_26_0 perfprofd_data_file_26_0 method_trace_data_file_26_0 system_app_data_file_26_0 cache_file_26_0 cache_backup_file_26_0 cache_recovery_file_26_0 wallpaper_file_26_0 shortcut_manager_icons_26_0 asec_apk_file_26_0 backup_data_file_26_0 app_fuse_file_26_0 dnsproxyd_socket_26_0 fwmarkd_socket_26_0 logd_socket_26_0 logdr_socket_26_0 logdw_socket_26_0 mdnsd_socket_26_0 property_socket_26_0 system_ndebug_socket_26_0 tombstoned_crash_socket_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0))
 (typeattributeset netdomain (clatd_26_0 dhcp_26_0 dnsmasq_26_0 drmserver_26_0 dumpstate_26_0 mediadrmserver_26_0 mediaserver_26_0 mtp_26_0 netd_26_0 ppp_26_0 racoon_26_0 radio_26_0 rild_26_0 shell_26_0 su_26_0 update_engine_26_0 hal_wifi_supplicant_default hostapd))
 (typeattributeset bluetoothdomain (radio_26_0))
 (typeattributeset binderservicedomain (cameraserver_26_0 drmserver_26_0 gatekeeperd_26_0 healthd_26_0 inputflinger_26_0 keystore_26_0 mediadrmserver_26_0 mediaextractor_26_0 mediametrics_26_0 mediaserver_26_0 radio_26_0 virtual_touchpad_26_0 vr_hwc_26_0))
@@ -450,7 +451,9 @@
 (typeattribute sdcardfs_26_0)
 (roletype object_r sdcardfs_26_0)
 (typeattribute vfat_26_0)
+(typeattribute fuseblk_26_0)
 (roletype object_r vfat_26_0)
+(roletype object_r fuseblk_26_0)
 (typeattribute debugfs_26_0)
 (roletype object_r debugfs_26_0)
 (typeattribute debugfs_mmc_26_0)
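Review bot: the two added lines split the existing vfat_26_0 pair, while everywhere else in this block `(typeattribute X)` is immediately followed by `(roletype object_r X)` (see sdcardfs_26_0 and debugfs_26_0 in the same hunk); placing both fuseblk_26_0 lines after `(roletype object_r vfat_26_0)` keeps that pattern. The hunk only declares the versioned attribute and nothing here associates fuseblk_26_0 with the new fuseblk type, so confirm the corresponding mapping statement exists elsewhere in the patch; otherwise the attribute sets earlier in this file are being populated with an attribute that maps to nothing.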
diff --git a/system/sepolicy/prebuilts/api/26.0/private/app.te b/system/sepolicy/prebuilts/api/26.0/private/app.te
old mode 100644
new mode 100755
index 6f2b820..2584f5c
--- a/system/sepolicy/prebuilts/api/26.0/private/app.te
+++ b/system/sepolicy/prebuilts/api/26.0/private/app.te
@@ -226,12 +226,16 @@ allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
 allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file fuseblk }:file create_file_perms;
 allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file fuseblk }:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
 allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuseblk:dir r_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuseblk:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
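Review bot: the first added line in this hunk is a duplicate of the second: both grant `{ media_rw_data_file fuseblk }:file create_file_perms`, and the `:dir create_dir_perms` counterpart mirroring the vfat rule directly above it is missing. The first should read `allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file fuseblk }:dir create_dir_perms;`. Separately, the file mode flips from 100644 to 100755; a .te policy source has no reason to be executable, and the same mode change appears on every file in this patch, so it looks like an editor side effect that should be reverted.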
diff --git a/system/sepolicy/prebuilts/api/26.0/private/app_neverallows.te b/system/sepolicy/prebuilts/api/26.0/private/app_neverallows.te
old mode 100644
new mode 100755
index 3a1b292..d9630d7
--- a/system/sepolicy/prebuilts/api/26.0/private/app_neverallows.te
+++ b/system/sepolicy/prebuilts/api/26.0/private/app_neverallows.te
@@ -80,6 +80,7 @@ neverallow all_untrusted_apps {
   -fuse                     # sdcard
   -sdcardfs                 # sdcard
   -vfat
+  -fuseblk
   file_type
   -app_data_file            # The apps sandbox itself
   -media_rw_data_file       # Internal storage. Known that apps can
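Review bot: the `-fuseblk` exclusion widens the set of file_type labels this neverallow lets untrusted apps reach, which the app.te grants in this patch require, but the neighbouring `-fuse` and `-sdcardfs` entries carry a `# sdcard` comment explaining the exemption and `-fuseblk` carries none; add a comment stating that fuseblk is the block-backed FUSE mount treated like vfat, so the exemption is not later mistaken for a generic one.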
diff --git a/system/sepolicy/prebuilts/api/26.0/private/genfs_contexts b/system/sepolicy/prebuilts/api/26.0/private/genfs_contexts
old mode 100644
new mode 100755
index a2d9b89..99ed7e5
--- a/system/sepolicy/prebuilts/api/26.0/private/genfs_contexts
+++ b/system/sepolicy/prebuilts/api/26.0/private/genfs_contexts
@@ -50,6 +50,7 @@ genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon tracefs / u:object_r:debugfs_tracing:s0
 genfscon fuse / u:object_r:fuse:s0
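Review bot: `genfscon fuseblk / u:object_r:fuseblk:s0` gives every fuseblk mount in the system the same single label, as the vfat line above it does; fuseblk is the kernel's filesystem type for any block-backed FUSE mount regardless of which userspace daemon serves it, so confirm that labelling all such mounts as sdcard storage is intended, since the other hunks in this patch grant app domains create and write access to anything carrying that label.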
diff --git a/system/sepolicy/prebuilts/api/26.0/private/platform_app.te b/system/sepolicy/prebuilts/api/26.0/private/platform_app.te
old mode 100644
new mode 100755
index fd4634a..a047b0b
--- a/system/sepolicy/prebuilts/api/26.0/private/platform_app.te
+++ b/system/sepolicy/prebuilts/api/26.0/private/platform_app.te
@@ -36,7 +36,9 @@ allow platform_app cache_file:file create_file_perms;
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
 allow platform_app mnt_media_rw_file:dir r_dir_perms;
 allow platform_app vfat:dir create_dir_perms;
+allow platform_app fuseblk:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
+allow platform_app fuseblk:file create_file_perms;
 
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
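Review bot: the comment at the top of this hunk justifies the vfat rules as a performance optimization that lets platform apps bypass the FUSE layer; that rationale does not carry over to the new fuseblk rules, because a fuseblk mount is itself served through FUSE. Either extend the comment to say why platform_app needs direct create_dir_perms and create_file_perms on fuseblk, or, if the rules are only for parity with vfat, say so.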
diff --git a/system/sepolicy/prebuilts/api/26.0/public/file.te b/system/sepolicy/prebuilts/api/26.0/public/file.te
old mode 100644
new mode 100755
index 6716c69..456fbd2
--- a/system/sepolicy/prebuilts/api/26.0/public/file.te
+++ b/system/sepolicy/prebuilts/api/26.0/public/file.te
@@ -62,6 +62,7 @@ type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
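Review bot: this is the only place the fuseblk type itself is declared, and it lands in the frozen prebuilts/api/26.0 copy of file.te rather than in the live system/sepolicy/public/file.te; the prebuilt API directories are snapshots that the build compares against the current policy, so the type and the accompanying .te rules in this patch need to be made in the live sources as well, and editing the snapshot by hand should be confirmed as intentional. The attribute list matches vfat (sdcard_type, fs_type, mlstrustedobject), which is consistent with the attribute-set changes in the CIL hunks.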
diff --git a/system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil b/system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil
old mode 100644
new mode 100755
index da550c1..6738d3e
--- a/system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil
+++ b/system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil
@@ -1,7 +1,7 @@
 (roletype r domain)
 (typeattributeset dev_type (device_27_0 alarm_device_27_0 ashmem_device_27_0 audio_device_27_0 audio_timer_device_27_0 audio_seq_device_27_0 binder_device_27_0 hwbinder_device_27_0 vndbinder_device_27_0 block_device_27_0 camera_device_27_0 dm_device_27_0 keychord_device_27_0 loop_control_device_27_0 loop_device_27_0 pmsg_device_27_0 radio_device_27_0 ram_device_27_0 rtc_device_27_0 vold_device_27_0 console_device_27_0 cpuctl_device_27_0 fscklogs_27_0 full_device_27_0 gpu_device_27_0 graphics_device_27_0 hw_random_device_27_0 input_device_27_0 kmem_device_27_0 port_device_27_0 mtd_device_27_0 mtp_device_27_0 nfc_device_27_0 ptmx_device_27_0 kmsg_device_27_0 kmsg_debug_device_27_0 null_device_27_0 random_device_27_0 sensors_device_27_0 serial_device_27_0 socket_device_27_0 owntty_device_27_0 tty_device_27_0 video_device_27_0 vcs_device_27_0 zero_device_27_0 fuse_device_27_0 iio_device_27_0 ion_device_27_0 qtaguid_device_27_0 watchdog_device_27_0 uhid_device_27_0 uio_device_27_0 tun_device_27_0 usbaccessory_device_27_0 usb_device_27_0 properties_device_27_0 properties_serial_27_0 i2c_device_27_0 hci_attach_dev_27_0 rpmsg_device_27_0 root_block_device_27_0 frp_block_device_27_0 system_block_device_27_0 recovery_block_device_27_0 boot_block_device_27_0 userdata_block_device_27_0 cache_block_device_27_0 swap_block_device_27_0 metadata_block_device_27_0 misc_block_device_27_0 ppp_device_27_0 tee_device_27_0 qemu_device))
 (typeattributeset domain (adbd_27_0 audioserver_27_0 blkid_27_0 blkid_untrusted_27_0 bluetooth_27_0 bootanim_27_0 bootstat_27_0 bufferhubd_27_0 cameraserver_27_0 charger_27_0 clatd_27_0 cppreopts_27_0 crash_dump_27_0 dex2oat_27_0 dhcp_27_0 dnsmasq_27_0 drmserver_27_0 dumpstate_27_0 e2fs_27_0 ephemeral_app_27_0 fingerprintd_27_0 fsck_27_0 fsck_untrusted_27_0 gatekeeperd_27_0 healthd_27_0 hwservicemanager_27_0 idmap_27_0 incident_27_0 incidentd_27_0 init_27_0 inputflinger_27_0 install_recovery_27_0 installd_27_0 isolated_app_27_0 kernel_27_0 keystore_27_0 lmkd_27_0 logd_27_0 logpersist_27_0 mdnsd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediametrics_27_0 mediaprovider_27_0 mediaserver_27_0 modprobe_27_0 mtp_27_0 netd_27_0 netutils_wrapper_27_0 nfc_27_0 otapreopt_chroot_27_0 otapreopt_slot_27_0 performanced_27_0 perfprofd_27_0 platform_app_27_0 postinstall_27_0 postinstall_dexopt_27_0 ppp_27_0 preopt2cachename_27_0 priv_app_27_0 profman_27_0 racoon_27_0 radio_27_0 recovery_27_0 recovery_persist_27_0 recovery_refresh_27_0 rild_27_0 runas_27_0 sdcardd_27_0 servicemanager_27_0 sgdisk_27_0 shared_relro_27_0 shell_27_0 slideshow_27_0 su_27_0 surfaceflinger_27_0 system_app_27_0 system_server_27_0 tee_27_0 thermalserviced_27_0 tombstoned_27_0 toolbox_27_0 tzdatacheck_27_0 ueventd_27_0 uncrypt_27_0 untrusted_app_27_0 untrusted_app_25_27_0 untrusted_v2_app_27_0 update_engine_27_0 update_verifier_27_0 vdc_27_0 virtual_touchpad_27_0 vndservicemanager_27_0 vold_27_0 vr_hwc_27_0 watchdogd_27_0 webview_zygote_27_0 wificond_27_0 zygote_27_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default 
hal_nfc_default hal_power_default hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default hostapd vendor_modprobe goldfish_setup hal_drm_widevine qemu_props))
-(typeattributeset fs_type (device_27_0 labeledfs_27_0 pipefs_27_0 sockfs_27_0 rootfs_27_0 proc_27_0 proc_security_27_0 proc_drop_caches_27_0 proc_overcommit_memory_27_0 usermodehelper_27_0 sysfs_usermodehelper_27_0 qtaguid_proc_27_0 proc_bluetooth_writable_27_0 proc_cpuinfo_27_0 proc_interrupts_27_0 proc_iomem_27_0 proc_meminfo_27_0 proc_misc_27_0 proc_modules_27_0 proc_net_27_0 proc_perf_27_0 proc_stat_27_0 proc_sysrq_27_0 proc_timer_27_0 proc_tty_drivers_27_0 proc_uid_cputime_showstat_27_0 proc_uid_cputime_removeuid_27_0 proc_uid_io_stats_27_0 proc_uid_procstat_set_27_0 proc_uid_time_in_state_27_0 proc_zoneinfo_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_uio_27_0 sysfs_batteryinfo_27_0 sysfs_bluetooth_writable_27_0 sysfs_leds_27_0 sysfs_hwrandom_27_0 sysfs_nfc_power_writable_27_0 sysfs_wake_lock_27_0 sysfs_mac_address_27_0 sysfs_fs_ext4_features_27_0 configfs_27_0 sysfs_devices_system_cpu_27_0 sysfs_lowmemorykiller_27_0 sysfs_wlan_fwpath_27_0 sysfs_vibrator_27_0 sysfs_thermal_27_0 sysfs_zram_27_0 sysfs_zram_uevent_27_0 inotify_27_0 devpts_27_0 tmpfs_27_0 shm_27_0 mqueue_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 debugfs_27_0 debugfs_mmc_27_0 debugfs_trace_marker_27_0 debugfs_tracing_27_0 debugfs_tracing_debug_27_0 debugfs_tracing_instances_27_0 debugfs_wifi_tracing_27_0 pstorefs_27_0 functionfs_27_0 oemfs_27_0 usbfs_27_0 binfmt_miscfs_27_0 app_fusefs_27_0 sysfs_writable))
+(typeattributeset fs_type (device_27_0 labeledfs_27_0 pipefs_27_0 sockfs_27_0 rootfs_27_0 proc_27_0 proc_security_27_0 proc_drop_caches_27_0 proc_overcommit_memory_27_0 usermodehelper_27_0 sysfs_usermodehelper_27_0 qtaguid_proc_27_0 proc_bluetooth_writable_27_0 proc_cpuinfo_27_0 proc_interrupts_27_0 proc_iomem_27_0 proc_meminfo_27_0 proc_misc_27_0 proc_modules_27_0 proc_net_27_0 proc_perf_27_0 proc_stat_27_0 proc_sysrq_27_0 proc_timer_27_0 proc_tty_drivers_27_0 proc_uid_cputime_showstat_27_0 proc_uid_cputime_removeuid_27_0 proc_uid_io_stats_27_0 proc_uid_procstat_set_27_0 proc_uid_time_in_state_27_0 proc_zoneinfo_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_uio_27_0 sysfs_batteryinfo_27_0 sysfs_bluetooth_writable_27_0 sysfs_leds_27_0 sysfs_hwrandom_27_0 sysfs_nfc_power_writable_27_0 sysfs_wake_lock_27_0 sysfs_mac_address_27_0 sysfs_fs_ext4_features_27_0 configfs_27_0 sysfs_devices_system_cpu_27_0 sysfs_lowmemorykiller_27_0 sysfs_wlan_fwpath_27_0 sysfs_vibrator_27_0 sysfs_thermal_27_0 sysfs_zram_27_0 sysfs_zram_uevent_27_0 inotify_27_0 devpts_27_0 tmpfs_27_0 shm_27_0 mqueue_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 fuseblk_27_0 debugfs_27_0 debugfs_mmc_27_0 debugfs_trace_marker_27_0 debugfs_tracing_27_0 debugfs_tracing_debug_27_0 debugfs_tracing_instances_27_0 debugfs_wifi_tracing_27_0 pstorefs_27_0 functionfs_27_0 oemfs_27_0 usbfs_27_0 binfmt_miscfs_27_0 app_fusefs_27_0 sysfs_writable))
 (typeattributeset contextmount_type (oemfs_27_0 app_fusefs_27_0))
 (typeattributeset file_type (adbd_exec_27_0 bootanim_exec_27_0 bootstat_exec_27_0 bufferhubd_exec_27_0 cameraserver_exec_27_0 clatd_exec_27_0 cppreopts_exec_27_0 crash_dump_exec_27_0 dex2oat_exec_27_0 dhcp_exec_27_0 dnsmasq_exec_27_0 drmserver_exec_27_0 drmserver_socket_27_0 dumpstate_exec_27_0 e2fs_exec_27_0 sysfs_usb_27_0 unlabeled_27_0 system_file_27_0 vendor_hal_file_27_0 vendor_file_27_0 vendor_app_file_27_0 vendor_configs_file_27_0 same_process_hal_file_27_0 vndk_sp_file_27_0 vendor_framework_file_27_0 vendor_overlay_file_27_0 runtime_event_log_tags_file_27_0 logcat_exec_27_0 coredump_file_27_0 system_data_file_27_0 unencrypted_data_file_27_0 install_data_file_27_0 drm_data_file_27_0 adb_data_file_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_data_file_27_0 apk_tmp_file_27_0 apk_private_data_file_27_0 apk_private_tmp_file_27_0 dalvikcache_data_file_27_0 ota_data_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 profman_dump_data_file_27_0 resourcecache_data_file_27_0 shell_data_file_27_0 property_data_file_27_0 bootchart_data_file_27_0 heapdump_data_file_27_0 nativetest_data_file_27_0 ringtone_file_27_0 preloads_data_file_27_0 preloads_media_file_27_0 dhcp_data_file_27_0 mnt_media_rw_file_27_0 mnt_user_file_27_0 mnt_expand_file_27_0 storage_file_27_0 mnt_media_rw_stub_file_27_0 storage_stub_file_27_0 postinstall_mnt_dir_27_0 postinstall_file_27_0 adb_keys_file_27_0 audio_data_file_27_0 audiohal_data_file_27_0 audioserver_data_file_27_0 bluetooth_data_file_27_0 bluetooth_logs_data_file_27_0 bootstat_data_file_27_0 boottrace_data_file_27_0 camera_data_file_27_0 gatekeeper_data_file_27_0 incident_data_file_27_0 keychain_data_file_27_0 keystore_data_file_27_0 media_data_file_27_0 media_rw_data_file_27_0 misc_user_data_file_27_0 net_data_file_27_0 nfc_data_file_27_0 radio_data_file_27_0 reboot_data_file_27_0 recovery_data_file_27_0 shared_relro_file_27_0 systemkeys_data_file_27_0 textclassifier_data_file_27_0 vpn_data_file_27_0 
wifi_data_file_27_0 zoneinfo_data_file_27_0 vold_data_file_27_0 perfprofd_data_file_27_0 tee_data_file_27_0 update_engine_data_file_27_0 method_trace_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_private_backup_file_27_0 cache_recovery_file_27_0 efs_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 icon_file_27_0 asec_apk_file_27_0 asec_public_file_27_0 asec_image_file_27_0 backup_data_file_27_0 bluetooth_efs_file_27_0 fingerprintd_data_file_27_0 app_fuse_file_27_0 adbd_socket_27_0 bluetooth_socket_27_0 dnsproxyd_socket_27_0 dumpstate_socket_27_0 fwmarkd_socket_27_0 lmkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdns_socket_27_0 mdnsd_socket_27_0 misc_logd_file_27_0 mtpd_socket_27_0 netd_socket_27_0 property_socket_27_0 racoon_socket_27_0 rild_socket_27_0 rild_debug_socket_27_0 system_wpa_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_java_trace_socket_27_0 tombstoned_intercept_socket_27_0 uncrypt_socket_27_0 vold_socket_27_0 webview_zygote_socket_27_0 wpa_socket_27_0 zygote_socket_27_0 gps_control_27_0 pdx_display_dir_27_0 pdx_performance_dir_27_0 pdx_bufferhub_dir_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 file_contexts_file_27_0 mac_perms_file_27_0 property_contexts_file_27_0 seapp_contexts_file_27_0 sepolicy_file_27_0 service_contexts_file_27_0 nonplat_service_contexts_file_27_0 hwservice_contexts_file_27_0 vndservice_contexts_file_27_0 fingerprintd_exec_27_0 fsck_exec_27_0 gatekeeperd_exec_27_0 healthd_exec_27_0 hwservicemanager_exec_27_0 idmap_exec_27_0 init_exec_27_0 inputflinger_exec_27_0 install_recovery_exec_27_0 installd_exec_27_0 keystore_exec_27_0 lmkd_exec_27_0 logd_exec_27_0 mediacodec_exec_27_0 mediadrmserver_exec_27_0 
mediaextractor_exec_27_0 mediametrics_exec_27_0 mediaserver_exec_27_0 mtp_exec_27_0 netd_exec_27_0 netutils_wrapper_exec_27_0 otapreopt_chroot_exec_27_0 otapreopt_slot_exec_27_0 performanced_exec_27_0 perfprofd_exec_27_0 ppp_exec_27_0 preopt2cachename_exec_27_0 profman_exec_27_0 racoon_exec_27_0 recovery_persist_exec_27_0 recovery_refresh_exec_27_0 runas_exec_27_0 sdcardd_exec_27_0 servicemanager_exec_27_0 sgdisk_exec_27_0 shell_exec_27_0 su_exec_27_0 thermalserviced_exec_27_0 tombstoned_exec_27_0 toolbox_exec_27_0 tzdatacheck_exec_27_0 uncrypt_exec_27_0 update_engine_exec_27_0 update_verifier_exec_27_0 vdc_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 virtual_touchpad_exec_27_0 vold_exec_27_0 vr_hwc_exec_27_0 webview_zygote_exec_27_0 wificond_exec_27_0 zygote_exec_27_0 hostapd_socket hal_audio_default_exec hal_audio_default_tmpfs hal_bluetooth_default_exec hal_bluetooth_default_tmpfs hal_bootctl_default_exec hal_bootctl_default_tmpfs hal_broadcastradio_default_exec hal_broadcastradio_default_tmpfs hal_camera_default_exec hal_camera_default_tmpfs hal_cas_default_exec hal_cas_default_tmpfs hal_configstore_default_exec hal_configstore_default_tmpfs hal_contexthub_default_exec hal_contexthub_default_tmpfs hal_drm_default_exec hal_drm_default_tmpfs hal_dumpstate_default_exec hal_dumpstate_default_tmpfs hal_fingerprint_default_exec hal_fingerprint_default_tmpfs hal_gatekeeper_default_exec hal_gatekeeper_default_tmpfs hal_gnss_default_exec hal_gnss_default_tmpfs hal_graphics_allocator_default_exec hal_graphics_allocator_default_tmpfs hal_graphics_composer_default_exec hal_graphics_composer_default_tmpfs hal_health_default_exec hal_health_default_tmpfs hal_ir_default_exec hal_ir_default_tmpfs hal_keymaster_default_exec hal_keymaster_default_tmpfs hal_light_default_exec hal_light_default_tmpfs hal_memtrack_default_exec hal_memtrack_default_tmpfs hal_nfc_default_exec hal_nfc_default_tmpfs mediacodec_tmpfs hal_power_default_exec hal_power_default_tmpfs 
hal_sensors_default_exec hal_sensors_default_tmpfs hal_tetheroffload_default_exec hal_tetheroffload_default_tmpfs hal_thermal_default_exec hal_thermal_default_tmpfs hal_tv_cec_default_exec hal_tv_cec_default_tmpfs hal_tv_input_default_exec hal_tv_input_default_tmpfs hal_usb_default_exec hal_usb_default_tmpfs hal_vibrator_default_exec hal_vibrator_default_tmpfs hal_vr_default_exec hal_vr_default_tmpfs hal_wifi_default_exec hal_wifi_default_tmpfs hal_wifi_offload_default_exec hal_wifi_offload_default_tmpfs hal_wifi_supplicant_default_exec hal_wifi_supplicant_default_tmpfs hostapd_exec hostapd_tmpfs rild_exec rild_tmpfs tee_exec tee_tmpfs vndservicemanager_exec vndservicemanager_tmpfs goldfish_setup_exec goldfish_setup_tmpfs hal_drm_widevine_exec hal_drm_widevine_tmpfs qemu_props_exec qemu_props_tmpfs))
 (typeattributeset exec_type (adbd_exec_27_0 bootanim_exec_27_0 bootstat_exec_27_0 bufferhubd_exec_27_0 cameraserver_exec_27_0 clatd_exec_27_0 cppreopts_exec_27_0 crash_dump_exec_27_0 dex2oat_exec_27_0 dhcp_exec_27_0 dnsmasq_exec_27_0 drmserver_exec_27_0 dumpstate_exec_27_0 e2fs_exec_27_0 logcat_exec_27_0 fingerprintd_exec_27_0 fsck_exec_27_0 gatekeeperd_exec_27_0 healthd_exec_27_0 hwservicemanager_exec_27_0 idmap_exec_27_0 init_exec_27_0 inputflinger_exec_27_0 install_recovery_exec_27_0 installd_exec_27_0 keystore_exec_27_0 lmkd_exec_27_0 logd_exec_27_0 mediacodec_exec_27_0 mediadrmserver_exec_27_0 mediaextractor_exec_27_0 mediametrics_exec_27_0 mediaserver_exec_27_0 mtp_exec_27_0 netd_exec_27_0 netutils_wrapper_exec_27_0 otapreopt_chroot_exec_27_0 otapreopt_slot_exec_27_0 performanced_exec_27_0 perfprofd_exec_27_0 ppp_exec_27_0 preopt2cachename_exec_27_0 profman_exec_27_0 racoon_exec_27_0 recovery_persist_exec_27_0 recovery_refresh_exec_27_0 runas_exec_27_0 sdcardd_exec_27_0 servicemanager_exec_27_0 sgdisk_exec_27_0 shell_exec_27_0 su_exec_27_0 thermalserviced_exec_27_0 tombstoned_exec_27_0 toolbox_exec_27_0 tzdatacheck_exec_27_0 uncrypt_exec_27_0 update_engine_exec_27_0 update_verifier_exec_27_0 vdc_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 virtual_touchpad_exec_27_0 vold_exec_27_0 vr_hwc_exec_27_0 webview_zygote_exec_27_0 wificond_exec_27_0 zygote_exec_27_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec 
hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec goldfish_setup_exec hal_drm_widevine_exec qemu_props_exec))
@@ -12,6 +12,7 @@
 (typeattributeset sysfs_type (sysfs_usermodehelper_27_0 sysfs_27_0 sysfs_uio_27_0 sysfs_batteryinfo_27_0 sysfs_bluetooth_writable_27_0 sysfs_leds_27_0 sysfs_hwrandom_27_0 sysfs_nfc_power_writable_27_0 sysfs_wake_lock_27_0 sysfs_mac_address_27_0 sysfs_usb_27_0 sysfs_fs_ext4_features_27_0 sysfs_devices_system_cpu_27_0 sysfs_lowmemorykiller_27_0 sysfs_wlan_fwpath_27_0 sysfs_vibrator_27_0 sysfs_thermal_27_0 sysfs_zram_27_0 sysfs_zram_uevent_27_0 sysfs_writable))
 (typeattributeset debugfs_type (debugfs_27_0 debugfs_mmc_27_0 debugfs_trace_marker_27_0 debugfs_tracing_27_0 debugfs_tracing_debug_27_0 debugfs_tracing_instances_27_0 debugfs_wifi_tracing_27_0))
 (typeattributeset sdcard_type (fuse_27_0 sdcardfs_27_0 vfat_27_0))
+(typeattributeset sdcard_type (fuse_27_0 sdcardfs_27_0 fuseblk_27_0))
 (typeattributeset node_type (node_27_0))
 (typeattributeset netif_type (netif_27_0))
 (typeattributeset port_type (port_27_0))
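Review bot: the added `(typeattributeset sdcard_type (fuse_27_0 sdcardfs_27_0 fuseblk_27_0))` sits next to the untouched `(typeattributeset sdcard_type (fuse_27_0 sdcardfs_27_0 vfat_27_0))`, so the file now states the sdcard_type membership twice with two different member lists. Even if the build accepts the repeated statement, it is harder to audit than one line; edit the existing statement to `(typeattributeset sdcard_type (fuse_27_0 sdcardfs_27_0 vfat_27_0 fuseblk_27_0))`, which is how the mlstrustedobject set in the next hunk was handled.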
@@ -28,7 +29,7 @@
 (typeattributeset coredomain_hwservice (fwk_display_hwservice_27_0 fwk_scheduler_hwservice_27_0 fwk_sensor_hwservice_27_0 hidl_allocator_hwservice_27_0 hidl_manager_hwservice_27_0 hidl_memory_hwservice_27_0 hidl_token_hwservice_27_0 system_net_netd_hwservice_27_0 system_wifi_keystore_hwservice_27_0))
 (typeattributeset vndservice_manager_type (default_android_vndservice_27_0))
 (typeattributeset mlstrustedsubject (bufferhubd_27_0 cppreopts_27_0 drmserver_27_0 dumpstate_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 hwservicemanager_27_0 init_27_0 installd_27_0 kernel_27_0 keystore_27_0 lmkd_27_0 logd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediaserver_27_0 netd_27_0 otapreopt_slot_27_0 performanced_27_0 perfprofd_27_0 racoon_27_0 radio_27_0 runas_27_0 servicemanager_27_0 shell_27_0 su_27_0 tombstoned_27_0 uncrypt_27_0 vold_27_0))
-(typeattributeset mlstrustedobject (alarm_device_27_0 ashmem_device_27_0 binder_device_27_0 hwbinder_device_27_0 pmsg_device_27_0 gpu_device_27_0 mtp_device_27_0 ptmx_device_27_0 null_device_27_0 random_device_27_0 owntty_device_27_0 zero_device_27_0 fuse_device_27_0 ion_device_27_0 tun_device_27_0 usbaccessory_device_27_0 usb_device_27_0 qtaguid_proc_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_bluetooth_writable_27_0 sysfs_nfc_power_writable_27_0 sysfs_usb_27_0 inotify_27_0 devpts_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 debugfs_trace_marker_27_0 functionfs_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_tmp_file_27_0 apk_private_tmp_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 shell_data_file_27_0 heapdump_data_file_27_0 ringtone_file_27_0 media_rw_data_file_27_0 radio_data_file_27_0 perfprofd_data_file_27_0 method_trace_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_recovery_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 asec_apk_file_27_0 backup_data_file_27_0 app_fuse_file_27_0 dnsproxyd_socket_27_0 fwmarkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdnsd_socket_27_0 property_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_java_trace_socket_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 qemu_device sysfs_writable))
+(typeattributeset mlstrustedobject (alarm_device_27_0 ashmem_device_27_0 binder_device_27_0 hwbinder_device_27_0 pmsg_device_27_0 gpu_device_27_0 mtp_device_27_0 ptmx_device_27_0 null_device_27_0 random_device_27_0 owntty_device_27_0 zero_device_27_0 fuse_device_27_0 ion_device_27_0 tun_device_27_0 usbaccessory_device_27_0 usb_device_27_0 qtaguid_proc_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_bluetooth_writable_27_0 sysfs_nfc_power_writable_27_0 sysfs_usb_27_0 inotify_27_0 devpts_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 fuseblk_27_0  debugfs_trace_marker_27_0 functionfs_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_tmp_file_27_0 apk_private_tmp_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 shell_data_file_27_0 heapdump_data_file_27_0 ringtone_file_27_0 media_rw_data_file_27_0 radio_data_file_27_0 perfprofd_data_file_27_0 method_trace_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_recovery_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 asec_apk_file_27_0 backup_data_file_27_0 app_fuse_file_27_0 dnsproxyd_socket_27_0 fwmarkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdnsd_socket_27_0 property_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_java_trace_socket_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 qemu_device sysfs_writable))
 (typeattributeset netdomain (clatd_27_0 dhcp_27_0 dnsmasq_27_0 drmserver_27_0 dumpstate_27_0 mediadrmserver_27_0 mediaserver_27_0 mtp_27_0 netd_27_0 ppp_27_0 racoon_27_0 radio_27_0 rild_27_0 shell_27_0 su_27_0 update_engine_27_0 hal_wifi_supplicant_default hostapd))
 (typeattributeset bluetoothdomain (radio_27_0))
 (typeattributeset binderservicedomain (cameraserver_27_0 drmserver_27_0 gatekeeperd_27_0 healthd_27_0 inputflinger_27_0 keystore_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediametrics_27_0 mediaserver_27_0 radio_27_0 thermalserviced_27_0 virtual_touchpad_27_0 vr_hwc_27_0))
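Review bot: `fuseblk_27_0` is inserted with a double space before `debugfs_trace_marker_27_0`; collapse it to one. On substance, listing the type under mlstrustedobject exempts every fuseblk mount from the MLS level checks, so an app at any per-user level can reach it; that matches the treatment of fuse_27_0, sdcardfs_27_0 and vfat_27_0 in the same set, but it only holds if fuseblk is meant strictly as external-storage style media, so say so in the commit message.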
@@ -594,7 +595,9 @@
 (typeattribute sdcardfs_27_0)
 (roletype object_r sdcardfs_27_0)
 (typeattribute vfat_27_0)
+(typeattribute fuseblk_27_0)
 (roletype object_r vfat_27_0)
+(roletype object_r fuseblk_27_0)
 (typeattribute debugfs_27_0)
 (roletype object_r debugfs_27_0)
 (typeattribute debugfs_mmc_27_0)
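Review bot: `(typeattribute fuseblk_27_0)` is inserted between `(typeattribute vfat_27_0)` and `(roletype object_r vfat_27_0)`, splitting the declare/roletype pair that every other type in this region keeps adjacent. Move it below `(roletype object_r vfat_27_0)` so the two fuseblk lines sit together and a later grep for one type shows both statements side by side.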
diff --git a/system/sepolicy/prebuilts/api/27.0/private/app.te b/system/sepolicy/prebuilts/api/27.0/private/app.te
old mode 100644
new mode 100755
index 9251ed9..d7b9f0e
--- a/system/sepolicy/prebuilts/api/27.0/private/app.te
+++ b/system/sepolicy/prebuilts/api/27.0/private/app.te
@@ -239,12 +239,16 @@ allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
 allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file fuseblk }:dir create_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file fuseblk }:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
 allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuseblk:dir r_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuseblk:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
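Review bot: the comments no longer describe the rules under them. `# Access OBBs (vfat images) mounted by vold (b/17633509)` and the `# This should be removed if sdcardfs is modified ...` paragraph now also cover `fuseblk`, yet neither says which fuseblk mounts untrusted apps are supposed to create files on; add that, since granting `create_file_perms` on a second filesystem type to almost every appdomain is the kind of change the next reader must be able to justify. Style-wise, fold the type into the existing sets (`allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat fuseblk }:dir create_dir_perms;`) rather than duplicating four lines, and drop the `old mode 100644 / new mode 100755` change: a .te file has no reason to become executable (the same spurious mode flip appears on most files in this patch).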
diff --git a/system/sepolicy/prebuilts/api/27.0/private/app_neverallows.te b/system/sepolicy/prebuilts/api/27.0/private/app_neverallows.te
old mode 100644
new mode 100755
index 5152e18..bb55946
--- a/system/sepolicy/prebuilts/api/27.0/private/app_neverallows.te
+++ b/system/sepolicy/prebuilts/api/27.0/private/app_neverallows.te
@@ -85,6 +85,7 @@ neverallow { all_untrusted_apps -mediaprovider } {
   -fuse                     # sdcard
   -sdcardfs                 # sdcard
   -vfat
+  -fuseblk
   file_type
   -app_data_file            # The apps sandbox itself
   -media_rw_data_file       # Internal storage. Known that apps can
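Review bot: `-fuseblk` removes the new type from the set of file types this `neverallow { all_untrusted_apps -mediaprovider } {` rule protects from untrusted apps. The exclusion is needed for the policy to assemble once `fuseblk` carries `sdcard_type` and the app.te allow rules exist, but it also means anything the kernel mounts as fuseblk is placed on the same footing as external storage for every untrusted app; the neighbouring `-fuse` and `-sdcardfs` entries carry a `# sdcard` comment, so give `-fuseblk` one too so the reason for the exception is visible in the neverallow itself.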
diff --git a/system/sepolicy/prebuilts/api/27.0/private/compat/26.0/26.0.cil b/system/sepolicy/prebuilts/api/27.0/private/compat/26.0/26.0.cil
old mode 100644
new mode 100755
index 40bec84..fc5747a
--- a/system/sepolicy/prebuilts/api/27.0/private/compat/26.0/26.0.cil
+++ b/system/sepolicy/prebuilts/api/27.0/private/compat/26.0/26.0.cil
@@ -660,6 +660,7 @@
 (typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
 (typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
 (typeattributeset vfat_26_0 (vfat))
+(typeattributeset fuseblk_26_0 (fuseblk))
 (typeattributeset vibrator_service_26_0 (vibrator_service))
 (typeattributeset video_device_26_0 (video_device))
 (typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
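Review bot: `(typeattributeset fuseblk_26_0 (fuseblk))` references a versioned attribute that nothing in this patch declares: there is no `(typeattribute fuseblk_26_0)` and, unlike the 27.0.cil hunks later in the patch, no `(expandtypeattribute (fuseblk_26_0) true)` beside it. Confirm the declaration exists elsewhere in 26.0.cil or the compat policy will not compile. Also check whether the line is needed at all: `fuseblk` did not exist in the 26.0 release, so a 26.0 vendor policy cannot reference `fuseblk_26_0`, and new types are normally handled in the compat mapping's new-types list rather than given a back-dated versioned attribute.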
diff --git a/system/sepolicy/prebuilts/api/27.0/private/genfs_contexts b/system/sepolicy/prebuilts/api/27.0/private/genfs_contexts
old mode 100644
new mode 100755
index e77a39b..bac5f56
--- a/system/sepolicy/prebuilts/api/27.0/private/genfs_contexts
+++ b/system/sepolicy/prebuilts/api/27.0/private/genfs_contexts
@@ -111,6 +111,7 @@ genfscon tracefs /saved_cmdlines_size                        u:object_r:debugfs_
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon tracefs / u:object_r:debugfs_tracing:s0
 genfscon fuse / u:object_r:fuse:s0
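Review bot: `genfscon fuseblk / u:object_r:fuseblk:s0` labels by kernel filesystem type name, and `fuseblk` is what the kernel reports for any FUSE filesystem mounted on top of a block device, regardless of which userspace daemon serves it. Every such mount, not only the one motivating this change, therefore inherits the sdcard_type/mlstrustedobject treatment given in file.te and the app access from app.te. State in a comment which daemon and mount points are intended, and if only specific mounts should be reachable by apps, have the mounting component pass an explicit `context=` mount option for those instead of relying on the type-wide genfscon.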
diff --git a/system/sepolicy/prebuilts/api/27.0/private/platform_app.te b/system/sepolicy/prebuilts/api/27.0/private/platform_app.te
old mode 100644
new mode 100755
index 2aa7dc9..6f3ebb5
--- a/system/sepolicy/prebuilts/api/27.0/private/platform_app.te
+++ b/system/sepolicy/prebuilts/api/27.0/private/platform_app.te
@@ -36,7 +36,9 @@ allow platform_app cache_file:file create_file_perms;
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
 allow platform_app mnt_media_rw_file:dir r_dir_perms;
 allow platform_app vfat:dir create_dir_perms;
+allow platform_app fuseblk:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
+allow platform_app fuseblk:file create_file_perms;
 
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
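Review bot: the comment `# This is a performance optimization that allows platform apps to bypass the FUSE layer` now heads rules that grant `fuseblk` access, and fuseblk is itself a FUSE-served filesystem, so the comment contradicts the rules beneath it. Either reword it or give the fuseblk rules their own commented block; folding the type into the existing sets (`allow platform_app { vfat fuseblk }:dir create_dir_perms;`) would also avoid the duplicated lines.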
diff --git a/system/sepolicy/prebuilts/api/27.0/public/file.te b/system/sepolicy/prebuilts/api/27.0/public/file.te
old mode 100644
new mode 100755
index 09423a2..75a28aad
--- a/system/sepolicy/prebuilts/api/27.0/public/file.te
+++ b/system/sepolicy/prebuilts/api/27.0/public/file.te
@@ -65,6 +65,7 @@ type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
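Review bot: `type fuseblk, sdcard_type, fs_type, mlstrustedobject;` is being added to a frozen snapshot (prebuilts/api/27.0/public/file.te). The prebuilts exist so the freeze check can diff the current public policy against what was released; editing them makes a post-freeze public type look as if it had always been there and defeats the check. The real declaration is the identical line in system/sepolicy/public/file.te later in this patch; if the motivation is 27.0 vendor compatibility, the type belongs in the compat mapping, not in the 27.0 prebuilt.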
diff --git a/system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil
old mode 100644
new mode 100755
index 0478a56..3b462ab
--- a/system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+++ b/system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil
@@ -714,6 +714,7 @@
 (typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
 (typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
 (typeattributeset vfat_26_0 (vfat))
+(typeattributeset fuseblk_26_0 (fuseblk))
 (typeattributeset vibrator_service_26_0 (vibrator_service))
 (typeattributeset video_device_26_0 (video_device))
 (typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
diff --git a/system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil
old mode 100644
new mode 100755
index dbe3e88..0239ace
--- a/system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+++ b/system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil
@@ -671,6 +671,7 @@
 (expandtypeattribute (vendor_shell_exec_27_0) true)
 (expandtypeattribute (vendor_toolbox_exec_27_0) true)
 (expandtypeattribute (vfat_27_0) true)
+(expandtypeattribute (fuseblk_27_0) true)
 (expandtypeattribute (vibrator_service_27_0) true)
 (expandtypeattribute (video_device_27_0) true)
 (expandtypeattribute (virtual_touchpad_27_0) true)
@@ -1436,6 +1437,7 @@
 (typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
 (typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
 (typeattributeset vfat_27_0 (vfat))
+(typeattributeset fuseblk_27_0 (fuseblk))
 (typeattributeset vibrator_service_27_0 (vibrator_service))
 (typeattributeset video_device_27_0 (video_device))
 (typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
diff --git a/system/sepolicy/prebuilts/api/28.0/private/genfs_contexts b/system/sepolicy/prebuilts/api/28.0/private/genfs_contexts
old mode 100644
new mode 100755
index 7e2ea50..3ea430f
--- a/system/sepolicy/prebuilts/api/28.0/private/genfs_contexts
+++ b/system/sepolicy/prebuilts/api/28.0/private/genfs_contexts
@@ -231,6 +231,7 @@ genfscon debugfs /tracing/events/fence/
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
 genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
diff --git a/system/sepolicy/prebuilts/api/28.0/public/domain.te b/system/sepolicy/prebuilts/api/28.0/public/domain.te
index 90f861e..4e8c597 100755
--- a/system/sepolicy/prebuilts/api/28.0/public/domain.te
+++ b/system/sepolicy/prebuilts/api/28.0/public/domain.te
@@ -407,7 +407,7 @@ neverallow * vendor_init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold} block_device:blk_file { open read write };
 
 # Do not allow renaming of block files or character files
 # Ability to do so can lead to possible use in an exploit chain
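Review bot: `-vold}` is missing the space before the closing brace; write `-recovery -vold }` to match the rest of the file. This hunk mirrors the change to system/sepolicy/public/domain.te further down (the identical blob hashes `90f861e..4e8c597` confirm the two copies match), which is the only legitimate reason to touch a prebuilt, but it means a neverallow in a released policy snapshot is being loosened and the commit message should say why.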
diff --git a/system/sepolicy/prebuilts/api/28.0/public/file.te b/system/sepolicy/prebuilts/api/28.0/public/file.te
old mode 100644
new mode 100755
index 76a0921..5c9d016
--- a/system/sepolicy/prebuilts/api/28.0/public/file.te
+++ b/system/sepolicy/prebuilts/api/28.0/public/file.te
@@ -109,6 +109,7 @@ type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
diff --git a/system/sepolicy/prebuilts/api/28.0/public/hal_configstore.te b/system/sepolicy/prebuilts/api/28.0/public/hal_configstore.te
index c8051e1..7f4f5ef 100644
--- a/system/sepolicy/prebuilts/api/28.0/public/hal_configstore.te
+++ b/system/sepolicy/prebuilts/api/28.0/public/hal_configstore.te
@@ -51,11 +51,11 @@ neverallow hal_configstore_server {
 # Should never need sdcard access
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat  fuseblk      # manual expansion for completeness
 }:dir ~getattr;
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat  fuseblk      # manual expansion for completeness
 }:file *;
 
 # Do not permit access to service_manager and vndservice_manager
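Review bot: `fuse sdcardfs vfat exfat  fuseblk      # manual expansion for completeness` has two spaces before `fuseblk` and uneven padding before the comment, in both neverallow blocks. Since `sdcard_type` on the line above already covers fuseblk, the expansion is purely for readability, so keep it single-spaced like the other entries.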
diff --git a/system/sepolicy/private/compat/26.0/26.0.cil b/system/sepolicy/private/compat/26.0/26.0.cil
old mode 100644
new mode 100755
index 0478a56..3b462ab
--- a/system/sepolicy/private/compat/26.0/26.0.cil
+++ b/system/sepolicy/private/compat/26.0/26.0.cil
@@ -714,6 +714,7 @@
 (typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
 (typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
 (typeattributeset vfat_26_0 (vfat))
+(typeattributeset fuseblk_26_0 (fuseblk))
 (typeattributeset vibrator_service_26_0 (vibrator_service))
 (typeattributeset video_device_26_0 (video_device))
 (typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
diff --git a/system/sepolicy/private/compat/27.0/27.0.cil b/system/sepolicy/private/compat/27.0/27.0.cil
old mode 100644
new mode 100755
index dbe3e88..0239ace
--- a/system/sepolicy/private/compat/27.0/27.0.cil
+++ b/system/sepolicy/private/compat/27.0/27.0.cil
@@ -671,6 +671,7 @@
 (expandtypeattribute (vendor_shell_exec_27_0) true)
 (expandtypeattribute (vendor_toolbox_exec_27_0) true)
 (expandtypeattribute (vfat_27_0) true)
+(expandtypeattribute (fuseblk_27_0) true)
 (expandtypeattribute (vibrator_service_27_0) true)
 (expandtypeattribute (video_device_27_0) true)
 (expandtypeattribute (virtual_touchpad_27_0) true)
@@ -1436,6 +1437,7 @@
 (typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
 (typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
 (typeattributeset vfat_27_0 (vfat))
+(typeattributeset fuseblk_27_0 (fuseblk))
 (typeattributeset vibrator_service_27_0 (vibrator_service))
 (typeattributeset video_device_27_0 (video_device))
 (typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
diff --git a/system/sepolicy/private/genfs_contexts b/system/sepolicy/private/genfs_contexts
old mode 100644
new mode 100755
index 7e2ea50..3ea430f
--- a/system/sepolicy/private/genfs_contexts
+++ b/system/sepolicy/private/genfs_contexts
@@ -231,6 +231,7 @@ genfscon debugfs /tracing/events/fence/
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
 genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
index 90f861e..4e8c597 100755
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -407,7 +407,7 @@ neverallow * vendor_init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold} block_device:blk_file { open read write };
 
 # Do not allow renaming of block files or character files
 # Ability to do so can lead to possible use in an exploit chain
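Review bot: adding `-vold` to `neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }` contradicts the comment directly above it (`# Rather force a relabel to a more specific type`). The neverallow exists so that no daemon operates on the generic `block_device` label and each device a process needs gets its own type with a narrow allow rule; exempting vold hands it raw open/read/write on every block device that was never relabelled, and vold is the component that parses user-inserted media. Instead, label the block devices vold must open for the fuseblk mount with a dedicated type in the device file contexts and allow vold that type; also fix `-vold}` to `-vold }`.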
diff --git a/system/sepolicy/public/file.te b/system/sepolicy/public/file.te
old mode 100644
new mode 100755
index 76a0921..5c9d016
--- a/system/sepolicy/public/file.te
+++ b/system/sepolicy/public/file.te
@@ -109,6 +109,7 @@ type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
diff --git a/system/sepolicy/public/hal_configstore.te b/system/sepolicy/public/hal_configstore.te
index c8051e1..7f4f5ef 100644
--- a/system/sepolicy/public/hal_configstore.te
+++ b/system/sepolicy/public/hal_configstore.te
@@ -51,11 +51,11 @@ neverallow hal_configstore_server {
 # Should never need sdcard access
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat  fuseblk      # manual expansion for completeness
 }:dir ~getattr;
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat  fuseblk      # manual expansion for completeness
 }:file *;
 
 # Do not permit access to service_manager and vndservice_manager
           
