diff --git a/prebuilts/api/26.0/26.0.cil b/prebuilts/api/26.0/26.0.cil
deleted file mode 100644
index 4e35ce8058adc578c5cf08a3698a8b73ff137350..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/26.0.cil
+++ /dev/null
@@ -1,693 +0,0 @@
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0 (debugfs))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0 (default_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset perfprofd_26_0 (perfprofd))
-(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (priv_app))
-(typeattributeset proc_26_0 (proc))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0 (proc_net))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
-(typeattributeset system_file_26_0 (system_file))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0 (untrusted_app))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
deleted file mode 100644
index 990c3ff7219d506b56154b87cf2414fa8f40e5c3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,5 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(typeattribute new_objects)
-(typeattributeset new_objects (kmsg_debug_device))
diff --git a/prebuilts/api/26.0/private/access_vectors b/prebuilts/api/26.0/private/access_vectors
deleted file mode 100644
index 74cf530a6e92484209db5f6e723f9d11d98f8ad8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/access_vectors
+++ /dev/null
@@ -1,710 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- unlink
- link
- rename
- execute
- quotaon
- mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
- open
- audit_access
- execmod
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class lnk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class blk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class sock_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fifo_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- flow_in # deprecated
- flow_out # deprecated
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
diff --git a/prebuilts/api/26.0/private/adbd.te b/prebuilts/api/26.0/private/adbd.te
deleted file mode 100644
index 52597ebbf4335a9495ea208d9c20e1c1e42f05e0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/adbd.te
+++ /dev/null
@@ -1,141 +0,0 @@
-### ADB daemon
-
-typeattribute adbd coredomain;
-typeattribute adbd mlstrustedsubject;
-
-domain_auto_trans(adbd, shell_exec, shell)
-
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:capability { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
-
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/usb-ffs/adb/ep0
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-# adb pull /data/misc/profman.
-allow adbd profman_dump_data_file:dir r_dir_perms;
-allow adbd profman_dump_data_file:file r_file_perms;
-
-# adb push/pull sdcard.
-allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
-allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-set_prop(adbd, ffs_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Needed for various screenshots
-hal_client_domain(adbd, hal_graphics_allocator)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Write debugging information to /data/adb
- # when persist.adb.trace_mask is set
- # https://code.google.com/p/android/issues/detail?id=72895
- allow adbd adb_data_file:dir rw_dir_perms;
- allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-allow adbd service_contexts_file:file r_file_perms;
-allow adbd file_contexts_file:file r_file_perms;
-allow adbd seapp_contexts_file:file r_file_perms;
-allow adbd property_contexts_file:file r_file_perms;
-allow adbd sepolicy_file:file r_file_perms;
-
-# Allow pulling config.gz for CTS purposes
-allow adbd config_gz:file r_file_perms;
-
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow adbd media_rw_data_file:dir create_dir_perms;
-allow adbd media_rw_data_file:file create_file_perms;
-
-r_dir_file(adbd, apk_data_file)
-
-allow adbd rootfs:dir r_dir_perms;
-
-###
-### Neverallow rules
-###
-
-# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
deleted file mode 100644
index 6f2b820b78b8f44be70e47ad22d40fd6cfa56264..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/app.te
+++ /dev/null
@@ -1,524 +0,0 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain ashmem_device:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Place process into foreground / background
-allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file rw_file_perms;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-userdebug_or_eng(`
- # Notify zygote of the wrapped process PID when using --invoke-with.
- allow appdomain zygote:fifo_file write;
-
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Query whether a Surface supports wide color
-allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
-allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
-
-# Write to /data/anr/traces.txt.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file({ appdomain -ephemeral_app}, proc_net)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-
-# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
-# as OMX HAL
-hwbinder_use({ appdomain -isolated_app })
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app untrusted_v2_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
-
-# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-
-# Allow app access to mediacodec (IOMX HAL)
-binder_call({ appdomain -isolated_app }, mediacodec)
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
- { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
- { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow appdomain
- domain:{
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_audit_socket
- netlink_dnrt_socket
- } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain vold_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-neverallow appdomain { domain -appdomain }:process
- { sigkill sigstop signal };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts. Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
- shell_data_file:dir_file_class_set
- { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
- bluetooth_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- keystore_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- systemkeys_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- dhcp_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -platform_app -priv_app }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
- sysfs:dir_file_class_set write;
-neverallow appdomain
- proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
- apk_data_file
- cache_file
- cache_recovery_file
- dev_type
- rootfs
- system_file
- tmpfs
-}:lnk_file no_w_file_perms;
-
-# Blacklist app domains not allowed to execute from /data
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
- appdomain
- -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
- appdomain
- -bluetooth
- -system_app
-} bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/private/app_neverallows.te b/prebuilts/api/26.0/private/app_neverallows.te
deleted file mode 100644
index 3c159d5f136e814e3af7ce6a7d0491e773930afa..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/app_neverallows.te
+++ /dev/null
@@ -1,215 +0,0 @@
-###
-### neverallow rules for untrusted app domains
-###
-
-# Only allow domains in AOSP to use the untrusted_app_all attribute.
-neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
-
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
-# Receive or send uevent messages.
-neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow all_untrusted_apps domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps debugfs_type:file read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow all_untrusted_apps service_manager_type:service_manager add;
-
-# Do not allow untrusted apps to use VendorBinder
-neverallow all_untrusted_apps vndbinder_device:chr_file *;
-neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
-
-# Do not allow untrusted apps to connect to the property service
-# or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
-
-# Do not allow untrusted apps to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and an untrusted app is allowed fork permission to itself.
-neverallow all_untrusted_apps mlstrustedsubject:process fork;
-
-# Do not allow untrusted apps to hard link to any files.
-# In particular, if an untrusted app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted apps never have this
-# capability.
-neverallow all_untrusted_apps file_type:file link;
-
-# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow all_untrusted_apps *:{
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
-} *;
-
-# Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted apps to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow all_untrusted_apps {
- fs_type
- -fuse # sdcard
- -sdcardfs # sdcard
- -vfat
- file_type
- -app_data_file # The apps sandbox itself
- -media_rw_data_file # Internal storage. Known that apps can
- # leave artfacts here after uninstall.
- -user_profile_data_file # Access to profile files
- userdebug_or_eng(`
- -method_trace_data_file # only on ro.debuggable=1
- -coredump_file # userdebug/eng only
- ')
-}:dir_file_class_set { create unlink };
-
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
-
-# Do not allow untrusted apps to directly open tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow all_untrusted_apps anr_data_file:file ~{ open append };
-neverallow all_untrusted_apps anr_data_file:dir ~search;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
-
-# Avoid all access to kernel configuration
-neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
-
-# Do not allow untrusted apps access to preloads data files
-neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
-
-# Locking of files on /system could lead to denial of service attacks
-# against privileged system components
-neverallow all_untrusted_apps system_file:file lock;
-
-# Do not permit untrusted apps to perform actions on HwBinder service_manager
-# other than find actions for services listed below
-neverallow all_untrusted_apps *:hwservice_manager ~find;
-
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
-# The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, many
-# HwBinder services either operate at a level below that of apps (e.g., HALs)
-# or must not rely on app identity for authorization. Thus, to be safe, the
-# default assumption is that every HwBinder service treats all its clients as
-# equally authorized to perform operations offered by the service.
-# 2. HAL servers (a subset of HwBinder services) contain code with higher
-# incidence rate of security issues than system/core components and have
-# access to lower layes of the stack (all the way down to hardware) thus
-# increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-neverallow all_untrusted_apps {
- hwservice_manager_type
- -same_process_hwservice
- -coredomain_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
- -hal_graphics_allocator_hwservice
- -hal_omx_hwservice
- -untrusted_app_visible_hwservice
-}:hwservice_manager find;
-neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
-# Make sure that the following services are never accessible by untrusted_apps
-neverallow all_untrusted_apps {
- default_android_hwservice
- hal_audio_hwservice
- hal_bluetooth_hwservice
- hal_bootctl_hwservice
- hal_camera_hwservice
- hal_contexthub_hwservice
- hal_drm_hwservice
- hal_dumpstate_hwservice
- hal_fingerprint_hwservice
- hal_gatekeeper_hwservice
- hal_gnss_hwservice
- hal_graphics_composer_hwservice
- hal_health_hwservice
- hal_ir_hwservice
- hal_keymaster_hwservice
- hal_light_hwservice
- hal_memtrack_hwservice
- hal_nfc_hwservice
- hal_oemlock_hwservice
- hal_power_hwservice
- hal_sensors_hwservice
- hal_telephony_hwservice
- hal_thermal_hwservice
- hal_tv_cec_hwservice
- hal_tv_input_hwservice
- hal_usb_hwservice
- hal_vibrator_hwservice
- hal_vr_hwservice
- hal_weaver_hwservice
- hal_wifi_hwservice
- hal_wifi_supplicant_hwservice
- hidl_base_hwservice
-}:hwservice_manager find;
-# HwBinder services offered by core components (as opposed to vendor components)
-# are considered somewhat safer due to point #2 above.
-neverallow all_untrusted_apps {
- coredomain_hwservice
- -same_process_hwservice
- -hidl_allocator_hwservice # Designed for use by any domain
- -hidl_manager_hwservice # Designed for use by any domain
- -hidl_memory_hwservice # Designed for use by any domain
- -hidl_token_hwservice # Designed for use by any domain
-}:hwservice_manager find;
-
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
- neverallow all_untrusted_apps {
- halserverdomain
- -coredomain
- -hal_configstore_server
- -hal_graphics_allocator_server
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- }:binder { call transfer };
-')
diff --git a/prebuilts/api/26.0/private/asan_extract.te b/prebuilts/api/26.0/private/asan_extract.te
deleted file mode 100644
index 1c20d78ecdb055d2ca26614dc4d5584883715af8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/asan_extract.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# Technically not a daemon but we do want the transition from init domain to
-# asan_extract to occur.
-with_asan(`
-typeattribute asan_extract coredomain;
-init_daemon_domain(asan_extract)
-')
diff --git a/prebuilts/api/26.0/private/atrace.te b/prebuilts/api/26.0/private/atrace.te
deleted file mode 100644
index 94d84834d116ddf9020232f883f2fec997a1f2b8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/atrace.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# Domain for atrace process spawned by boottrace service.
-
-type atrace_exec, exec_type, file_type;
-
-userdebug_or_eng(`
- type atrace, domain, coredomain, domain_deprecated;
-
- init_daemon_domain(atrace)
-
- # boottrace services uses /data/misc/boottrace/categories
- allow atrace boottrace_data_file:dir search;
- allow atrace boottrace_data_file:file r_file_perms;
-
- # atrace reads the files in /sys/kernel/debug/tracing/
- allow atrace debugfs_tracing:file r_file_perms;
-
- # atrace sets debug.atrace.* properties
- set_prop(atrace, debug_prop)
-
- # atrace pokes all the binder-enabled processes at startup.
- binder_use(atrace)
- allow atrace healthd:binder call;
- allow atrace surfaceflinger:binder call;
-')
diff --git a/prebuilts/api/26.0/private/attributes b/prebuilts/api/26.0/private/attributes
deleted file mode 100644
index fcbfecfb26a5495ae07230da0734a58971291187..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/attributes
+++ /dev/null
@@ -1,9 +0,0 @@
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
diff --git a/prebuilts/api/26.0/private/audioserver.te b/prebuilts/api/26.0/private/audioserver.te
deleted file mode 100644
index 9119daa5ddbcb42138ffc3a14520e01d9497bd33..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/audioserver.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# audioserver - audio services daemon
-
-typeattribute audioserver coredomain;
-
-type audioserver_exec, exec_type, file_type;
-init_daemon_domain(audioserver)
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, appdomain)
-binder_service(audioserver)
-
-hal_client_domain(audioserver, hal_allocator)
-# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
-r_dir_file(audioserver, system_file)
-
-hal_client_domain(audioserver, hal_audio)
-
-userdebug_or_eng(`
- # used for TEE sink - pcm capture for debug.
- allow audioserver media_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:file create_file_perms;
-
- # ptrace to processes in the same domain for memory leak detection
- allow audioserver self:process ptrace;
-')
-
-add_service(audioserver, audioserver_service)
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file { read write };
-
-# For A2DP bridge which is loaded directly into audioserver
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/private/binder_in_vendor_violators.te b/prebuilts/api/26.0/private/binder_in_vendor_violators.te
deleted file mode 100644
index 4a1218e1da65f72cc871664a2fb1db2c63b42a8a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/binder_in_vendor_violators.te
+++ /dev/null
@@ -1 +0,0 @@
-allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/26.0/private/binderservicedomain.te b/prebuilts/api/26.0/private/binderservicedomain.te
deleted file mode 100644
index 0891ee5b2195f386b7493e68dd9af52570ab546b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/binderservicedomain.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# Rules common to all binder service domains
-
-# Allow dumpstate and incidentd to collect information from binder services
-allow binderservicedomain { dumpstate incidentd }:fd use;
-allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell or the serial console
-allow binderservicedomain devpts:chr_file rw_file_perms;
-allow binderservicedomain console_device:chr_file rw_file_perms;
-
-# Receive and write to a pipe received over Binder from an app.
-allow binderservicedomain appdomain:fd use;
-allow binderservicedomain appdomain:fifo_file write;
-
-# allow all services to run permission checks
-allow binderservicedomain permission_service:service_manager find;
-
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore(binderservicedomain)
diff --git a/prebuilts/api/26.0/private/blkid.te b/prebuilts/api/26.0/private/blkid.te
deleted file mode 100644
index 090912b82140c6a108afacc0a80b4f822413f28f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/blkid.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# blkid called from vold
-
-typeattribute blkid coredomain;
-
-type blkid_exec, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/private/blkid_untrusted.te b/prebuilts/api/26.0/private/blkid_untrusted.te
deleted file mode 100644
index 125677157ebaadf6fce40e245c85904008103b13..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/blkid_untrusted.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# blkid for untrusted block devices
-
-typeattribute blkid_untrusted coredomain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/private/bluetooth.te b/prebuilts/api/26.0/private/bluetooth.te
deleted file mode 100644
index 1c0e14fb21834d621792ad1508964893f6387f0e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/bluetooth.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# bluetooth subsystem
-
-typeattribute bluetooth coredomain;
-typeattribute bluetooth domain_deprecated;
-
-app_domain(bluetooth)
-net_domain(bluetooth)
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allow bluetooth efs_file:dir search;
-
-# allow Bluetooth to access uhid device for HID profile
-allow bluetooth uhid_device:chr_file rw_file_perms;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
-
-hal_client_domain(bluetooth, hal_bluetooth)
-hal_client_domain(bluetooth, hal_telephony)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/26.0/private/bluetoothdomain.te b/prebuilts/api/26.0/private/bluetoothdomain.te
deleted file mode 100644
index fe4f0e663e6ae203381c9e365896f87f919399b2..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/bluetoothdomain.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow clients to use a socket provided by the bluetooth app.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/26.0/private/bootanim.te b/prebuilts/api/26.0/private/bootanim.te
deleted file mode 100644
index 8c9f6c76ef8a0db457c724a447d57a879b3fc4ca..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/bootanim.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bootanim coredomain;
-
-init_daemon_domain(bootanim)
diff --git a/prebuilts/api/26.0/private/bootstat.te b/prebuilts/api/26.0/private/bootstat.te
deleted file mode 100644
index 806144cf6d34d1d0e4fa82f23863d2d20f217a2b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/bootstat.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bootstat coredomain;
-
-init_daemon_domain(bootstat)
diff --git a/prebuilts/api/26.0/private/bufferhubd.te b/prebuilts/api/26.0/private/bufferhubd.te
deleted file mode 100644
index 012eb20270cb536f73ae5c02e199a76706106312..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/bufferhubd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bufferhubd coredomain;
-
-init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/26.0/private/cameraserver.te b/prebuilts/api/26.0/private/cameraserver.te
deleted file mode 100644
index c16c13260d187562822104ec370bdefa1cb8778b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/cameraserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute cameraserver coredomain;
-
-init_daemon_domain(cameraserver)
diff --git a/prebuilts/api/26.0/private/charger.te b/prebuilts/api/26.0/private/charger.te
deleted file mode 100644
index 65109deff1cd8bc78d679e2faa0a2c440ebc8ef0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/charger.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute charger coredomain;
diff --git a/prebuilts/api/26.0/private/clatd.te b/prebuilts/api/26.0/private/clatd.te
deleted file mode 100644
index c09398dddbc0a30ca85eabdf924a7879bd729b74..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/clatd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute clatd coredomain;
-typeattribute clatd domain_deprecated;
diff --git a/prebuilts/api/26.0/private/cppreopts.te b/prebuilts/api/26.0/private/cppreopts.te
deleted file mode 100644
index 34f0d669b3d6bc5897f848a5904edf952ccb117e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/cppreopts.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute cppreopts coredomain;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/prebuilts/api/26.0/private/crash_dump.te b/prebuilts/api/26.0/private/crash_dump.te
deleted file mode 100644
index fb73f08a994a8912746b87a257e323ae762c5931..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/crash_dump.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute crash_dump coredomain;
diff --git a/prebuilts/api/26.0/private/dex2oat.te b/prebuilts/api/26.0/private/dex2oat.te
deleted file mode 100644
index 89c3970afcd68562e594a949c00a78e3ba2eb82a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/dex2oat.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute dex2oat coredomain;
-typeattribute dex2oat domain_deprecated;
diff --git a/prebuilts/api/26.0/private/dexoptanalyzer.te b/prebuilts/api/26.0/private/dexoptanalyzer.te
deleted file mode 100644
index db81d0dad0f826de8a8a8294440ac38284e3ca76..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/dexoptanalyzer.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, exec_type, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-#processes.
-tmpfs_domain(dexoptanalyzer)
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-allow dexoptanalyzer installd:fd use;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/prebuilts/api/26.0/private/dhcp.te b/prebuilts/api/26.0/private/dhcp.te
deleted file mode 100644
index 6a6a139e28c9c63a08e3f39d2973f5cab63ac360..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/dhcp.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute dhcp coredomain;
-typeattribute dhcp domain_deprecated;
-
-init_daemon_domain(dhcp)
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/prebuilts/api/26.0/private/dnsmasq.te b/prebuilts/api/26.0/private/dnsmasq.te
deleted file mode 100644
index 96084b490a08b671853cafdbf5762b7ae1c5118c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/dnsmasq.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
deleted file mode 100644
index d37a0bd2656f0bcca2abf6e41b22aee93158c20f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/domain.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
-neverallow {
- domain
- -vold
- -dumpstate
- -storaged
- -system_server
- userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
-
-# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/prebuilts/api/26.0/private/domain_deprecated.te b/prebuilts/api/26.0/private/domain_deprecated.te
deleted file mode 100644
index aefb724f7189ed03c5b602951ccbf725eb32fe3e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/domain_deprecated.te
+++ /dev/null
@@ -1,311 +0,0 @@
-# rules removed from the domain attribute
-
-# Search /storage/emulated tmpfs mount.
-allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -sdcardd
- -surfaceflinger
- -system_server
- -vold
- -zygote
-} tmpfs:dir r_dir_perms;
-')
-
-# Inherit or receive open files from others.
-allow domain_deprecated system_server:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
-')
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-')
-
-# Root fs.
-allow domain_deprecated rootfs:dir r_dir_perms;
-allow domain_deprecated rootfs:file r_file_perms;
-allow domain_deprecated rootfs:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -fsck
- -healthd
- -installd
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -healthd
- -installd
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -healthd
- -installd
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
-
-# System file accesses.
-allow domain_deprecated system_file:dir r_dir_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -installd
- -keystore
- -surfaceflinger
- -system_server
- -update_engine
- -vold
- -zygote
-} system_file:dir { open read ioctl lock }; # search getattr in domain
-')
-
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -sdcardd
- -system_server
- -tee
-} system_data_file:file { getattr read };
-auditallow {
- domain_deprecated
- -appdomain
- -system_server
- -tee
-} system_data_file:lnk_file r_file_perms;
-')
-
-# Read apk files under /data/app.
-allow domain_deprecated apk_data_file:dir { getattr search };
-allow domain_deprecated apk_data_file:file r_file_perms;
-allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:dir { getattr search };
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:lnk_file r_file_perms;
-')
-
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
- domain_deprecated
- -appdomain
- -system_server
- -vold
-} cache_file:dir getattr;
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:file { getattr read };
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:lnk_file r_file_perms;
-')
-
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -keystore
- -surfaceflinger
- -system_server
- -tee
- -vold
- -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
-# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
-r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
-allow domain_deprecated proc_meminfo:file r_file_perms;
-
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -sdcardd
- -system_server
- -update_engine
- -vold
-} proc:file r_file_perms;
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -system_server
- -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
- domain_deprecated
- -bluetooth
- -fingerprintd
- -healthd
- -netd
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -bluetooth
- -fingerprintd
- -healthd
- -netd
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:file r_file_perms;
-auditallow {
- domain_deprecated
- -bluetooth
- -fingerprintd
- -healthd
- -netd
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -dumpstate
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:dir r_dir_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -dumpstate
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:{ file lnk_file } r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -surfaceflinger
- -system_server
- -vold
-} proc_meminfo:file r_file_perms;
-')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')
diff --git a/prebuilts/api/26.0/private/drmserver.te b/prebuilts/api/26.0/private/drmserver.te
deleted file mode 100644
index afe4f0aae833466a1cdb72d354e3d50649832920..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/drmserver.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute drmserver coredomain;
-
-init_daemon_domain(drmserver)
-
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-
-typeattribute drmserver_socket coredomain_socket;
diff --git a/prebuilts/api/26.0/private/dumpstate.te b/prebuilts/api/26.0/private/dumpstate.te
deleted file mode 100644
index 0fe2adfc68137d9099233ce0924f2471b7082460..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/dumpstate.te
+++ /dev/null
@@ -1,26 +0,0 @@
-typeattribute dumpstate coredomain;
-typeattribute dumpstate domain_deprecated;
-
-init_daemon_domain(dumpstate)
-
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
-allow dumpstate system_file:file lock;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-allow dumpstate dumpstate_tmpfs:file execute;
-
-# systrace support - allow atrace to run
-allow dumpstate debugfs_tracing:dir r_dir_perms;
-allow dumpstate debugfs_tracing:file rw_file_perms;
-allow dumpstate debugfs_trace_marker:file getattr;
-allow dumpstate atrace_exec:file rx_file_perms;
-allow dumpstate storaged_exec:file rx_file_perms;
-
-# Allow dumpstate to make binder calls to storaged service
-binder_call(dumpstate, storaged)
-
-# Collect metrics on boot time created by init
-get_prop(dumpstate, boottime_prop)
diff --git a/prebuilts/api/26.0/private/ephemeral_app.te b/prebuilts/api/26.0/private/ephemeral_app.te
deleted file mode 100644
index d664a5027ff50d2ef1d7e17c2ae354327343b605..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/ephemeral_app.te
+++ /dev/null
@@ -1,68 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-typeattribute ephemeral_app coredomain;
-
-net_domain(ephemeral_app)
-app_domain(ephemeral_app)
-
-# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
-
-# services
-allow ephemeral_app audioserver_service:service_manager find;
-allow ephemeral_app cameraserver_service:service_manager find;
-allow ephemeral_app mediaserver_service:service_manager find;
-allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediacodec_service:service_manager find;
-allow ephemeral_app mediametrics_service:service_manager find;
-allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app mediacasserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app radio_service:service_manager find;
-allow ephemeral_app ephemeral_app_api_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/private/file.te b/prebuilts/api/26.0/private/file.te
deleted file mode 100644
index da5f9adde64d45cebadb8b6539d47d7599d8a61b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/file.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-
-# /proc/config.gz
-type config_gz, fs_type;
diff --git a/prebuilts/api/26.0/private/file_contexts b/prebuilts/api/26.0/private/file_contexts
deleted file mode 100644
index 4485b9537f98a2af908f255c4e6d4046c4ca2b5e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/file_contexts
+++ /dev/null
@@ -1,539 +0,0 @@
-###########################################
-# Root
-/ u:object_r:rootfs:s0
-
-# Data files
-/adb_keys u:object_r:adb_keys_file:s0
-/build\.prop u:object_r:rootfs:s0
-/default\.prop u:object_r:rootfs:s0
-/fstab\..* u:object_r:rootfs:s0
-/init\..* u:object_r:rootfs:s0
-/res(/.*)? u:object_r:rootfs:s0
-/selinux_version u:object_r:rootfs:s0
-/ueventd\..* u:object_r:rootfs:s0
-/verity_key u:object_r:rootfs:s0
-
-# Executables
-/charger u:object_r:rootfs:s0
-/init u:object_r:init_exec:s0
-/sbin(/.*)? u:object_r:rootfs:s0
-
-# For kernel modules
-/lib(/.*)? u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found u:object_r:rootfs:s0
-/acct u:object_r:cgroup:s0
-/config u:object_r:rootfs:s0
-/mnt u:object_r:tmpfs:s0
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/proc u:object_r:rootfs:s0
-/root u:object_r:rootfs:s0
-/sys u:object_r:sysfs:s0
-
-# Symlinks
-/bugreports u:object_r:rootfs:s0
-/d u:object_r:rootfs:s0
-/etc u:object_r:rootfs:s0
-/sdcard u:object_r:rootfs:s0
-
-# SELinux policy files
-/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/plat_file_contexts u:object_r:file_contexts_file:s0
-/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_property_contexts u:object_r:property_contexts_file:s0
-/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/seapp_contexts u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/sepolicy u:object_r:sepolicy_file:s0
-/plat_service_contexts u:object_r:service_contexts_file:s0
-/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/nonplat_service_contexts u:object_r:service_contexts_file:s0
-/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
-##########################
-# Devices
-#
-/dev(/.*)? u:object_r:device:s0
-/dev/akm8973.* u:object_r:sensors_device:s0
-/dev/accelerometer u:object_r:sensors_device:s0
-/dev/adf[0-9]* u:object_r:graphics_device:s0
-/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/alarm u:object_r:alarm_device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/audio.* u:object_r:audio_device:s0
-/dev/binder u:object_r:binder_device:s0
-/dev/block(/.*)? u:object_r:block_device:s0
-/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
-/dev/block/loop[0-9]* u:object_r:loop_device:s0
-/dev/block/vold/.+ u:object_r:vold_device:s0
-/dev/block/ram[0-9]* u:object_r:ram_device:s0
-/dev/block/zram[0-9]* u:object_r:ram_device:s0
-/dev/bus/usb(.*)? u:object_r:usb_device:s0
-/dev/cam u:object_r:camera_device:s0
-/dev/console u:object_r:console_device:s0
-/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
-/dev/device-mapper u:object_r:dm_device:s0
-/dev/eac u:object_r:audio_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
-/dev/full u:object_r:full_device:s0
-/dev/fuse u:object_r:fuse_device:s0
-/dev/graphics(/.*)? u:object_r:graphics_device:s0
-/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
-/dev/input(/.*) u:object_r:input_device:s0
-/dev/iio:device[0-9]+ u:object_r:iio_device:s0
-/dev/ion u:object_r:ion_device:s0
-/dev/keychord u:object_r:keychord_device:s0
-/dev/kmem u:object_r:kmem_device:s0
-/dev/log(/.*)? u:object_r:log_device:s0
-/dev/loop-control u:object_r:loop_control_device:s0
-/dev/mem u:object_r:kmem_device:s0
-/dev/modem.* u:object_r:radio_device:s0
-/dev/mtd(/.*)? u:object_r:mtd_device:s0
-/dev/mtp_usb u:object_r:mtp_device:s0
-/dev/pmsg0 u:object_r:pmsg_device:s0
-/dev/pn544 u:object_r:nfc_device:s0
-/dev/port u:object_r:port_device:s0
-/dev/ppp u:object_r:ppp_device:s0
-/dev/ptmx u:object_r:ptmx_device:s0
-/dev/pvrsrvkm u:object_r:gpu_device:s0
-/dev/kmsg u:object_r:kmsg_device:s0
-/dev/null u:object_r:null_device:s0
-/dev/nvhdcp1 u:object_r:video_device:s0
-/dev/random u:object_r:random_device:s0
-/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
-/dev/rproc_user u:object_r:rpmsg_device:s0
-/dev/rtc[0-9] u:object_r:rtc_device:s0
-/dev/snd(/.*)? u:object_r:audio_device:s0
-/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
-/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
-/dev/socket(/.*)? u:object_r:socket_device:s0
-/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/cryptd u:object_r:vold_socket:s0
-/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
-/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
-/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
-/dev/socket/lmkd u:object_r:lmkd_socket:s0
-/dev/socket/logd u:object_r:logd_socket:s0
-/dev/socket/logdr u:object_r:logdr_socket:s0
-/dev/socket/logdw u:object_r:logdw_socket:s0
-/dev/socket/mdns u:object_r:mdns_socket:s0
-/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd u:object_r:mtpd_socket:s0
-/dev/socket/netd u:object_r:netd_socket:s0
-/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
-/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
-/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
-/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
-/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
-/dev/socket/property_service u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
-/dev/socket/rild u:object_r:rild_socket:s0
-/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
-/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
-/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
-/dev/socket/vold u:object_r:vold_socket:s0
-/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
-/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
-/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
-/dev/socket/zygote u:object_r:zygote_socket:s0
-/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/spdif_out.* u:object_r:audio_device:s0
-/dev/tegra.* u:object_r:video_device:s0
-/dev/tty u:object_r:owntty_device:s0
-/dev/tty[0-9]* u:object_r:tty_device:s0
-/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:random_device:s0
-/dev/usb_accessory u:object_r:usbaccessory_device:s0
-/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
-/dev/video[0-9]* u:object_r:video_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
-/dev/watchdog u:object_r:watchdog_device:s0
-/dev/xt_qtaguid u:object_r:qtaguid_device:s0
-/dev/zero u:object_r:zero_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-#############################
-# System files
-#
-/system(/.*)? u:object_r:system_file:s0
-/system/bin/atrace u:object_r:atrace_exec:s0
-/system/bin/e2fsck -- u:object_r:fsck_exec:s0
-/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
-/system/bin/tune2fs -- u:object_r:fsck_exec:s0
-/system/bin/toolbox -- u:object_r:toolbox_exec:s0
-/system/bin/toybox -- u:object_r:toolbox_exec:s0
-/system/bin/logcat -- u:object_r:logcat_exec:s0
-/system/bin/logcatd -- u:object_r:logcat_exec:s0
-/system/bin/sh -- u:object_r:shell_exec:s0
-/system/bin/run-as -- u:object_r:runas_exec:s0
-/system/bin/bootanimation u:object_r:bootanim_exec:s0
-/system/bin/bootstat u:object_r:bootstat_exec:s0
-/system/bin/app_process32 u:object_r:zygote_exec:s0
-/system/bin/app_process64 u:object_r:zygote_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
-/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
-/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
-/system/bin/performanced u:object_r:performanced_exec:s0
-/system/bin/drmserver u:object_r:drmserver_exec:s0
-/system/bin/dumpstate u:object_r:dumpstate_exec:s0
-/system/bin/incident u:object_r:incident_exec:s0
-/system/bin/incidentd u:object_r:incidentd_exec:s0
-/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
-/system/bin/vold u:object_r:vold_exec:s0
-/system/bin/netd u:object_r:netd_exec:s0
-/system/bin/wificond u:object_r:wificond_exec:s0
-/system/bin/audioserver u:object_r:audioserver_exec:s0
-/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
-/system/bin/mediaserver u:object_r:mediaserver_exec:s0
-/system/bin/mediametrics u:object_r:mediametrics_exec:s0
-/system/bin/cameraserver u:object_r:cameraserver_exec:s0
-/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
-/system/bin/mdnsd u:object_r:mdnsd_exec:s0
-/system/bin/installd u:object_r:installd_exec:s0
-/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
-/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
-/system/bin/keystore u:object_r:keystore_exec:s0
-/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
-/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
-/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
-/system/bin/tombstoned u:object_r:tombstoned_exec:s0
-/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
-/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
-/system/bin/sdcard u:object_r:sdcardd_exec:s0
-/system/bin/dhcpcd u:object_r:dhcp_exec:s0
-/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
-/system/bin/mtpd u:object_r:mtp_exec:s0
-/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
-/system/xbin/su u:object_r:su_exec:s0
-/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
-/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
-/system/bin/lmkd u:object_r:lmkd_exec:s0
-/system/bin/inputflinger u:object_r:inputflinger_exec:s0
-/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/uncrypt u:object_r:uncrypt_exec:s0
-/system/bin/update_verifier u:object_r:update_verifier_exec:s0
-/system/bin/logwrapper u:object_r:system_file:s0
-/system/bin/vdc u:object_r:vdc_exec:s0
-/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
-/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
-/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
-# patchoat executable has (essentially) the same requirements as dex2oat.
-/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/profman u:object_r:profman_exec:s0
-/system/bin/sgdisk u:object_r:sgdisk_exec:s0
-/system/bin/blkid u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
-/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/bspatch u:object_r:update_engine_exec:s0
-/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
-/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
-/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
-/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
-/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
-
-#############################
-# Vendor files
-#
-/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
-/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
-/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
-
-/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-# TODO: b/36790901 move this to /vendor/etc
-/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
-/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-# HAL location
-/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
-/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
-/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
-#############################
-# OEM and ODM files
-#
-/odm(/.*)? u:object_r:system_file:s0
-/oem(/.*)? u:object_r:oemfs:s0
-
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data(/.*)? u:object_r:system_data_file:s0
-/data/.layout_version u:object_r:install_data_file:s0
-/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
-/data/backup(/.*)? u:object_r:backup_data_file:s0
-/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
-/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
-/data/drm(/.*)? u:object_r:drm_data_file:s0
-/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
-/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/ota(/.*)? u:object_r:ota_data_file:s0
-/data/ota_package(/.*)? u:object_r:ota_package_file:s0
-/data/adb(/.*)? u:object_r:adb_data_file:s0
-/data/anr(/.*)? u:object_r:anr_data_file:s0
-/data/app(/.*)? u:object_r:apk_data_file:s0
-/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
-/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/data/media(/.*)? u:object_r:media_rw_data_file:s0
-/data/mediadrm(/.*)? u:object_r:media_data_file:s0
-/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
-/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
-/data/property(/.*)? u:object_r:property_data_file:s0
-/data/preloads(/.*)? u:object_r:preloads_data_file:s0
-/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
-/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
-
-# Misc data
-/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
-/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
-/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
-/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
-/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
-/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
-/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
-/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
-/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
-/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
-/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
-/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
-/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
-/data/misc/media(/.*)? u:object_r:media_data_file:s0
-/data/misc/net(/.*)? u:object_r:net_data_file:s0
-/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
-/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
-/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
-/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
-/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
-/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
-/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
-/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
-/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
-/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
-/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
-/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
-/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
-/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
-/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
-# TODO(calin) label profile reference differently so that only
-# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
-
-# Fingerprint data
-/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
-
-# Bootchart data
-/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
-
-#############################
-# Expanded data files
-#
-/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
-/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
-/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
-
-# coredump directory for userdebug/eng devices
-/cores(/.*)? u:object_r:coredump_file:s0
-
-# Wallpaper files
-/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
-
-# Ringtone files
-/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
-
-# ShortcutManager icons, e.g.
-# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
-/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
-
-# User icon files
-/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
-
-#############################
-# efs files
-#
-/efs(/.*)? u:object_r:efs_file:s0
-
-#############################
-# Cache files
-#
-/cache(/.*)? u:object_r:cache_file:s0
-/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-/data/cache(/.*)? u:object_r:cache_file:s0
-/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-#############################
-# sysfs files
-#
-/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
-/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
-/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
-/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
-/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
-/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
-/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
-/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
-/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-
-#############################
-# debugfs files
-#
-/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
-
-#############################
-# tracefs files
-#
-/sys/kernel(/debug)?/tracing/buffer_size_kb u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/options/overwrite u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/options/print-tgid u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_clock u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
-
-###########################################
-# debug-only tracing
-#
-/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
-
-/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
-
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/saved_cmdlines_size u:object_r:tracing_shell_writable_debug:s0
-
-#############################
-# asec containers
-/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
-/data/app-asec(/.*)? u:object_r:asec_image_file:s0
-
-#############################
-# external storage
-/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
-/mnt/user(/.*)? u:object_r:mnt_user_file:s0
-/mnt/runtime(/.*)? u:object_r:storage_file:s0
-/storage(/.*)? u:object_r:storage_file:s0
diff --git a/prebuilts/api/26.0/private/file_contexts_asan b/prebuilts/api/26.0/private/file_contexts_asan
deleted file mode 100644
index d35cd3c947d95fae218bf54ceb2c6e320f4795e9..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/file_contexts_asan
+++ /dev/null
@@ -1,5 +0,0 @@
-/data/asan/system/lib(/.*)? u:object_r:system_file:s0
-/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
-/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
-/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
-/system/bin/asan_extract u:object_r:asan_extract_exec:s0
diff --git a/prebuilts/api/26.0/private/fingerprintd.te b/prebuilts/api/26.0/private/fingerprintd.te
deleted file mode 100644
index 0c1dfaa3748abb9a8c90e0c9edc48ce82a76c0a8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/fingerprintd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute fingerprintd coredomain;
-typeattribute fingerprintd domain_deprecated;
-
-init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/26.0/private/fs_use b/prebuilts/api/26.0/private/fs_use
deleted file mode 100644
index 4bd11126e7b8b917e012c65dda0261bd780821db..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/fs_use
+++ /dev/null
@@ -1,23 +0,0 @@
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-fs_use_xattr f2fs u:object_r:labeledfs:s0;
-fs_use_xattr squashfs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
diff --git a/prebuilts/api/26.0/private/fsck.te b/prebuilts/api/26.0/private/fsck.te
deleted file mode 100644
index e8467972fa00cab78cf61c76d722638d01f7a296..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/fsck.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute fsck coredomain;
-typeattribute fsck domain_deprecated;
-
-init_daemon_domain(fsck)
diff --git a/prebuilts/api/26.0/private/fsck_untrusted.te b/prebuilts/api/26.0/private/fsck_untrusted.te
deleted file mode 100644
index 2a1a39f46d1850e97b26ba177b748a9ed23a7550..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/fsck_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute fsck_untrusted coredomain;
-typeattribute fsck_untrusted domain_deprecated;
diff --git a/prebuilts/api/26.0/private/gatekeeperd.te b/prebuilts/api/26.0/private/gatekeeperd.te
deleted file mode 100644
index 5e4d0a2e9de7c4649a6b699d46ef8a8d3d2def99..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/gatekeeperd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute gatekeeperd coredomain;
-
-init_daemon_domain(gatekeeperd)
diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
deleted file mode 100644
index a2d9b892fe5b405718f2907a881637abaffb19c8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/genfs_contexts
+++ /dev/null
@@ -1,61 +0,0 @@
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /config.gz u:object_r:config_gz:s0
-genfscon proc /interrupts u:object_r:proc_interrupts:s0
-genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /misc u:object_r:proc_misc:s0
-genfscon proc /modules u:object_r:proc_modules:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
-genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-genfscon proc /softirqs u:object_r:proc_timer:s0
-genfscon proc /stat u:object_r:proc_stat:s0
-genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
-genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
-genfscon proc /timer_list u:object_r:proc_timer:s0
-genfscon proc /timer_stats u:object_r:proc_timer:s0
-genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
-genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
-genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
-genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
-genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
-
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:vfat:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
-genfscon fuse / u:object_r:fuse:s0
-genfscon configfs / u:object_r:configfs:s0
-genfscon sdcardfs / u:object_r:sdcardfs:s0
-genfscon pstore / u:object_r:pstorefs:s0
-genfscon functionfs / u:object_r:functionfs:s0
-genfscon usbfs / u:object_r:usbfs:s0
-genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
diff --git a/prebuilts/api/26.0/private/hal_allocator_default.te b/prebuilts/api/26.0/private/hal_allocator_default.te
deleted file mode 100644
index 49ef1781bb0e5f0296e44d3784958c607d2f1382..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/hal_allocator_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_allocator_default, domain, coredomain;
-hal_server_domain(hal_allocator_default, hal_allocator)
-
-type hal_allocator_default_exec, exec_type, file_type;
-init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/26.0/private/halclientdomain.te b/prebuilts/api/26.0/private/halclientdomain.te
deleted file mode 100644
index 9dcd3ee3846a74094ad45970754e76405846f626..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/halclientdomain.te
+++ /dev/null
@@ -1,13 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Used to wait for hwservicemanager
-get_prop(halclientdomain, hwservicemanager_prop)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/private/halserverdomain.te b/prebuilts/api/26.0/private/halserverdomain.te
deleted file mode 100644
index f36e0e7d8f15cae1cc86b4259a1610540d9839ce..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/halserverdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which offer a HAL service over HwBinder
-###
-
-# Register the HAL service with hwservicemanager
-hwbinder_use(halserverdomain)
-
-# Find HAL implementations
-allow halserverdomain system_file:dir r_dir_perms;
-
-# Used to wait for hwservicemanager
-get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/26.0/private/healthd.te b/prebuilts/api/26.0/private/healthd.te
deleted file mode 100644
index 0693a3a683d078e39b086c36fedf3c579908a229..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/healthd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow callback to storaged batteryproperties listener
-binder_call(healthd, storaged)
diff --git a/prebuilts/api/26.0/private/hwservice_contexts b/prebuilts/api/26.0/private/hwservice_contexts
deleted file mode 100644
index 051636462e3f0b1e3098d7567022ffe4ccd09d45..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/hwservice_contexts
+++ /dev/null
@@ -1,52 +0,0 @@
-android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
-android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
-android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
-android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
-android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
-android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
-android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
-android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
-android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
-android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
-android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
-android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
-android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
-android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
-android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
-android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
-android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
-android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
-android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
-android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
-android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
-android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
-android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
-android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
-android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
-android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
-android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
-android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
-android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
-android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
-android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
-android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
-android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/26.0/private/hwservicemanager.te b/prebuilts/api/26.0/private/hwservicemanager.te
deleted file mode 100644
index a43eb020631f5d4538b090935893937d1e79785b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/hwservicemanager.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/prebuilts/api/26.0/private/idmap.te b/prebuilts/api/26.0/private/idmap.te
deleted file mode 100644
index 73abf355291f7ad485f2e8013794a23a63c287df..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/idmap.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute idmap coredomain;
diff --git a/prebuilts/api/26.0/private/incident.te b/prebuilts/api/26.0/private/incident.te
deleted file mode 100644
index b910ddef3687d0f778050413153b6b5fd4d9a1d3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/incident.te
+++ /dev/null
@@ -1,25 +0,0 @@
-typeattribute incident coredomain;
-
-type incident_exec, exec_type, file_type;
-
-# switch to incident domain for incident command
-domain_auto_trans(shell, incident_exec, incident)
-
-# allow incident access to stdout from its parent shell.
-allow incident shell:fd use;
-
-# allow incident to communicate use, read and write over the adb
-# connection.
-allow incident adbd:fd use;
-allow incident adbd:unix_stream_socket { read write };
-
-# allow adbd to reap incident
-allow incident adbd:process { sigchld };
-
-# Allow the incident command to talk to the incidentd over the binder, and get
-# back the incident report data from a ParcelFileDescriptor.
-binder_use(incident)
-allow incident incident_service:service_manager find;
-binder_call(incident, incidentd)
-allow incident incidentd:fifo_file write;
-
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
deleted file mode 100644
index efd23bdae8896c29a4bce0757e9a8c4b61e6e60f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/incidentd.te
+++ /dev/null
@@ -1,110 +0,0 @@
-typeattribute incidentd coredomain;
-
-init_daemon_domain(incidentd)
-type incidentd_exec, exec_type, file_type;
-binder_use(incidentd)
-wakelock_use(incidentd)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
-
-# Allow incidentd to scan through /proc/pid for all processes
-r_dir_file(incidentd, domain)
-
-allow incidentd self:capability {
- # Send signals to processes
- kill
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow incidentd system_file:file execute_no_trans;
-allow incidentd toolbox_exec:file rx_file_perms;
-
-# Create and write into /data/misc/incidents
-allow incidentd incident_data_file:dir rw_dir_perms;
-allow incidentd incident_data_file:file create_file_perms;
-
-# Get process attributes
-# TODO allow incidentd domain:process getattr;
-
-# Signal java processes to dump their stack and get the results
-# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
-# TODO allow incidentd anr_data_file:file create_file_perms;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in incidentd/utils.c
-allow incidentd {
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediacodec
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-}:process signal;
-
-# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
-binder_call(incidentd, appdomain)
-
-# Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
-
-# Run a shell.
-allow incidentd shell_exec:file rx_file_perms;
-
-# logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
-# TODO control_logd(incidentd)
-
-# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
-allow incidentd {
- system_server_service
- app_api_service
- system_api_service
-}:service_manager find;
-
-# Only incidentd can publish the binder service
-add_service(incidentd, incident_service)
-
-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
-
-# Allow incident to call back to incident with status updates.
-binder_call(incidentd, incident)
-
-###
-### neverallow rules
-###
-
-# only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
-
-# only incidentd and the other root services in limited circumstances
-# can get to the files in /data/misc/incidents
-#
-# write, execute, append are forbidden almost everywhere
-neverallow { domain -incidentd -init -vold } incident_data_file:file {
- w_file_perms
- x_file_perms
- create
- rename
- setattr
- unlink
- append
-};
-# read is also allowed by system_server, for when the file is handed to dropbox
-neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
-# limited access to the directory itself
-neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
-
diff --git a/prebuilts/api/26.0/private/init.te b/prebuilts/api/26.0/private/init.te
deleted file mode 100644
index 568e0d360eb53aa2da45e854bae7a753ab0bf5ae..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/init.te
+++ /dev/null
@@ -1,25 +0,0 @@
-typeattribute init coredomain;
-
-tmpfs_domain(init)
-
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, charger)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-recovery_only(`
- domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-domain_trans(init, { rootfs toolbox_exec }, modprobe)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
- domain_auto_trans(init, logcat_exec, logpersist)
-')
-
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit init sysfs:dir write;
diff --git a/prebuilts/api/26.0/private/initial_sid_contexts b/prebuilts/api/26.0/private/initial_sid_contexts
deleted file mode 100644
index 98190510f2a65869b031c62304436979620cdf06..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/initial_sid_contexts
+++ /dev/null
@@ -1,27 +0,0 @@
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/26.0/private/initial_sids b/prebuilts/api/26.0/private/initial_sids
deleted file mode 100644
index 91ac816ba7657261a9f2f486d551626d3cc0ce1e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/prebuilts/api/26.0/private/inputflinger.te b/prebuilts/api/26.0/private/inputflinger.te
deleted file mode 100644
index 9696b491b75897d98346b9494cce5f92ad10733c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/inputflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute inputflinger coredomain;
-
-init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/26.0/private/install_recovery.te b/prebuilts/api/26.0/private/install_recovery.te
deleted file mode 100644
index b79d683a6d7bf756695d22b0b889dd032eb6de75..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/install_recovery.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)
diff --git a/prebuilts/api/26.0/private/installd.te b/prebuilts/api/26.0/private/installd.te
deleted file mode 100644
index d726e7df2e5165f8b8f649ceb2b90d4cae803a9a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/installd.te
+++ /dev/null
@@ -1,19 +0,0 @@
-typeattribute installd coredomain;
-typeattribute installd domain_deprecated;
-
-init_daemon_domain(installd)
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
-# Create /data/.layout_version.* file
-type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/26.0/private/isolated_app.te b/prebuilts/api/26.0/private/isolated_app.te
deleted file mode 100644
index 418a3224e5695c8ad1323267b0fc0b8efe602e62..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/isolated_app.te
+++ /dev/null
@@ -1,93 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-typeattribute isolated_app coredomain;
-
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app webview_zygote:unix_dgram_socket write;
-# Read system properties managed by webview_zygote.
-allow isolated_app webview_zygote_tmpfs:file read;
-
-#####
-##### Neverallow
-#####
-
-# Do not allow isolated_app to directly open tun_device
-neverallow isolated_app tun_device:chr_file open;
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
-neverallow isolated_app {
- service_manager_type
- -activity_service
- -display_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote_socket:sock_file write;
diff --git a/prebuilts/api/26.0/private/kernel.te b/prebuilts/api/26.0/private/kernel.te
deleted file mode 100644
index a4e6ebe360f9ebfaf2aacd1befef51b87bd02d0f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/kernel.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute kernel coredomain;
-
-domain_auto_trans(kernel, init_exec, init)
diff --git a/prebuilts/api/26.0/private/keys.conf b/prebuilts/api/26.0/private/keys.conf
deleted file mode 100644
index 7a307b5de8592734661849e6312787c91e844b9b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/keys.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-
-[@MEDIA]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
-
-[@SHARED]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
-
-# Example of ALL TARGET_BUILD_VARIANTS
-[@RELEASE]
-ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-
diff --git a/prebuilts/api/26.0/private/keystore.te b/prebuilts/api/26.0/private/keystore.te
deleted file mode 100644
index 1e563389e102b3f320f4fe6a349a139d0a083e08..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/keystore.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute keystore coredomain;
-typeattribute keystore domain_deprecated;
-
-init_daemon_domain(keystore)
-
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/prebuilts/api/26.0/private/lmkd.te b/prebuilts/api/26.0/private/lmkd.te
deleted file mode 100644
index a07ce879cc6eedbaddfe024633416b053e43bf35..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/lmkd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute lmkd coredomain;
-
-init_daemon_domain(lmkd)
diff --git a/prebuilts/api/26.0/private/logd.te b/prebuilts/api/26.0/private/logd.te
deleted file mode 100644
index 4338e40054183a611300801ebb53b594c83c791b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/logd.te
+++ /dev/null
@@ -1,39 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow logd {
- file_type
- -logd_tmpfs
- -runtime_event_log_tags_file
- userdebug_or_eng(`-coredump_file -misc_logd_file')
-}:file { create write append };
-
-# protect the event-log-tags file
-neverallow {
- domain
- -appdomain # covered below
- -bootstat
- -dumpstate
- -init
- -logd
- userdebug_or_eng(`-logpersist')
- -servicemanager
- -system_server
- -surfaceflinger
- -zygote
-} runtime_event_log_tags_file:file no_rw_file_perms;
-
-neverallow {
- appdomain
- -bluetooth
- -platform_app
- -priv_app
- -radio
- -shell
- userdebug_or_eng(`-su')
- -system_app
-} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/private/logpersist.te b/prebuilts/api/26.0/private/logpersist.te
deleted file mode 100644
index 70e3198b54fb04f230575ac384da5291a4363543..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/logpersist.te
+++ /dev/null
@@ -1,24 +0,0 @@
-typeattribute logpersist coredomain;
-
-# android debug log storage in logpersist domains (eng and userdebug only)
-userdebug_or_eng(`
-
- r_dir_file(logpersist, cgroup)
-
- allow logpersist misc_logd_file:file create_file_perms;
- allow logpersist misc_logd_file:dir rw_dir_perms;
-
- allow logpersist self:capability sys_nice;
- allow logpersist pstorefs:dir search;
- allow logpersist pstorefs:file r_file_perms;
-
- control_logd(logpersist)
- unix_socket_connect(logpersist, logdr, logd)
- read_runtime_log_tags(logpersist)
-
-')
-
-# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/26.0/private/mac_permissions.xml b/prebuilts/api/26.0/private/mac_permissions.xml
deleted file mode 100644
index 1fcd2a409da016b09304b7408113aa7830d8b091..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mac_permissions.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
- * A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag. The signature can
- either appear as a set of attached cert child tags or as an attribute.
- * A signer tag must contain a seinfo tag XOR multiple package stanzas.
- * Each signer/package tag is allowed to contain one seinfo tag. This tag
- represents additional info that each app can use in setting a SELinux security
- context on the eventual process as well as the apps data directory.
- * seinfo assignments are made according to the following rules:
- - Stanzas with package name refinements will be checked first.
- - Stanzas w/o package name refinements will be checked second.
- - The "default" seinfo label is automatically applied.
-
- * valid stanzas can take one of the following forms:
-
- // single cert protecting seinfo
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- // multiple certs protecting seinfo (all contained certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <seinfo value="platform" />
- </signer>
-
- // single cert protecting explicitly named app
- <signer signature="@PLATFORM" >
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
-
- // multiple certs protecting explicitly named app (all certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
--->
-
- <!-- Platform dev key in AOSP -->
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- <!-- Media key in AOSP -->
- <signer signature="@MEDIA" >
- <seinfo value="media" />
- </signer>
-
-</policy>
diff --git a/prebuilts/api/26.0/private/mdnsd.te b/prebuilts/api/26.0/private/mdnsd.te
deleted file mode 100644
index 96259e2986258cd4381fbc117d06e6e91aa99c5f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mdnsd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# mdns daemon
-
-typeattribute mdnsd coredomain;
-typeattribute mdnsd mlstrustedsubject;
-
-type mdnsd_exec, exec_type, file_type;
-init_daemon_domain(mdnsd)
-
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net)
diff --git a/prebuilts/api/26.0/private/mediadrmserver.te b/prebuilts/api/26.0/private/mediadrmserver.te
deleted file mode 100644
index 4e511a81908db79a52dea340725f7c771efa9c7e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mediadrmserver.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediadrmserver coredomain;
-
-init_daemon_domain(mediadrmserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediadrmserver, hal_graphics_allocator)
-auditallow mediadrmserver hal_graphics_allocator_server:binder call;
-
diff --git a/prebuilts/api/26.0/private/mediaextractor.te b/prebuilts/api/26.0/private/mediaextractor.te
deleted file mode 100644
index c1a85219c34447bffb208b0ec4853b9f05936826..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mediaextractor.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediaextractor coredomain;
-
-init_daemon_domain(mediaextractor)
diff --git a/prebuilts/api/26.0/private/mediametrics.te b/prebuilts/api/26.0/private/mediametrics.te
deleted file mode 100644
index f8b2fa5cdcf1995c62fd767be217af4bd80d9905..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mediametrics.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediametrics coredomain;
-
-init_daemon_domain(mediametrics)
diff --git a/prebuilts/api/26.0/private/mediaserver.te b/prebuilts/api/26.0/private/mediaserver.te
deleted file mode 100644
index a9b85be0cb1f90bed7a3a85b19daeb09f9e3ef4b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mediaserver.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute mediaserver coredomain;
-
-init_daemon_domain(mediaserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediaserver, hal_graphics_allocator)
-
-# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
-# of OMX HAL.
-allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/private/mls b/prebuilts/api/26.0/private/mls
deleted file mode 100644
index a561de1f01e96d5d4e4e5d6f3f104f25640fa148..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mls
+++ /dev/null
@@ -1,100 +0,0 @@
-#################################################
-# MLS policy constraints
-#
-
-#
-# Process constraints
-#
-
-# Process transition: Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations: Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect: Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/26.0/private/mls_decl b/prebuilts/api/26.0/private/mls_decl
deleted file mode 100644
index dd53bea7e83755ed099489e70215f810e610695e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mls_decl
+++ /dev/null
@@ -1,10 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
diff --git a/prebuilts/api/26.0/private/mls_macros b/prebuilts/api/26.0/private/mls_macros
deleted file mode 100644
index 83e05425b27f234203ac747ca613d8a39fac3d28..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/prebuilts/api/26.0/private/modprobe.te b/prebuilts/api/26.0/private/modprobe.te
deleted file mode 100644
index 98586756f91da77583959db541ca421a565ebcf3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute modprobe coredomain;
diff --git a/prebuilts/api/26.0/private/mtp.te b/prebuilts/api/26.0/private/mtp.te
deleted file mode 100644
index 3cfda0b1aba7a7c0f15f0a7365e2475fe7c9a49f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/mtp.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute mtp coredomain;
-typeattribute mtp domain_deprecated;
-
-init_daemon_domain(mtp)
diff --git a/prebuilts/api/26.0/private/net.te b/prebuilts/api/26.0/private/net.te
deleted file mode 100644
index f16daf94cf468a1b23c0e58f55dec3ad90b7d667..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/net.te
+++ /dev/null
@@ -1,24 +0,0 @@
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/26.0/private/netd.te b/prebuilts/api/26.0/private/netd.te
deleted file mode 100644
index 3a824af13668b28303a126ca44c371ff887d52e3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/netd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute netd coredomain;
-typeattribute netd domain_deprecated;
-
-init_daemon_domain(netd)
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-
-# Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/prebuilts/api/26.0/private/netutils_wrapper.te b/prebuilts/api/26.0/private/netutils_wrapper.te
deleted file mode 100644
index f7fe32ae46bd6212ccbeb559e9c5812a9a8369f0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/netutils_wrapper.te
+++ /dev/null
@@ -1,28 +0,0 @@
-typeattribute netutils_wrapper coredomain;
-
-r_dir_file(netutils_wrapper, system_file);
-
-# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
-
-allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
-allow netutils_wrapper self:rawip_socket create_socket_perms;
-allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
-# ip utils need everything but ioctl
-allow netutils_wrapper self:netlink_route_socket ~ioctl;
-allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
-
-# For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
-
-# For /data/misc/net access to ndc and ip
-r_dir_file(netutils_wrapper, net_data_file)
-
-domain_auto_trans({
- domain
- -coredomain
- -appdomain
-}, netutils_wrapper_exec, netutils_wrapper)
diff --git a/prebuilts/api/26.0/private/nfc.te b/prebuilts/api/26.0/private/nfc.te
deleted file mode 100644
index 25ad702b536fc927416963f4cb7d8c532aaab439..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/nfc.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# nfc subsystem
-typeattribute nfc coredomain;
-app_domain(nfc)
-net_domain(nfc)
-
-binder_service(nfc)
-add_service(nfc, nfc_service)
-
-hal_client_domain(nfc, hal_nfc)
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-
-# SoundPool loading and playback
-allow nfc audioserver_service:service_manager find;
-allow nfc drmserver_service:service_manager find;
-allow nfc mediacodec_service:service_manager find;
-allow nfc mediametrics_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-
-allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/26.0/private/otapreopt_chroot.te b/prebuilts/api/26.0/private/otapreopt_chroot.te
deleted file mode 100644
index 1f69931c8b0589858f24724ae9daebf3fb9b551a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/otapreopt_chroot.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute otapreopt_chroot coredomain;
-
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/prebuilts/api/26.0/private/otapreopt_slot.te b/prebuilts/api/26.0/private/otapreopt_slot.te
deleted file mode 100644
index 98b93d4065a767898729a6977f78031ae873981a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/otapreopt_slot.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute otapreopt_slot coredomain;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
diff --git a/prebuilts/api/26.0/private/performanced.te b/prebuilts/api/26.0/private/performanced.te
deleted file mode 100644
index 792826e02297ffdeb248014a2af721339c6593ed..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/performanced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute performanced coredomain;
-
-init_daemon_domain(performanced)
diff --git a/prebuilts/api/26.0/private/perfprofd.te b/prebuilts/api/26.0/private/perfprofd.te
deleted file mode 100644
index a655f1d340320aa8c17cf0ef741ad35a70003abd..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/perfprofd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- typeattribute perfprofd coredomain;
- typeattribute perfprofd domain_deprecated;
- init_daemon_domain(perfprofd)
-')
diff --git a/prebuilts/api/26.0/private/platform_app.te b/prebuilts/api/26.0/private/platform_app.te
deleted file mode 100644
index fd4634a30aa132da435fd15f876231fbe78330c3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/platform_app.te
+++ /dev/null
@@ -1,70 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-typeattribute platform_app coredomain;
-typeattribute platform_app domain_deprecated;
-
-app_domain(platform_app)
-
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-# Read from /data/local/tmp or /data/data/com.android.shell.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-
-# Access to /data/media.
-allow platform_app media_rw_data_file:dir create_dir_perms;
-allow platform_app media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
-
-allow platform_app audioserver_service:service_manager find;
-allow platform_app cameraserver_service:service_manager find;
-allow platform_app drmserver_service:service_manager find;
-allow platform_app mediaserver_service:service_manager find;
-allow platform_app mediametrics_service:service_manager find;
-allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediacodec_service:service_manager find;
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app mediacasserver_service:service_manager find;
-allow platform_app persistent_data_block_service:service_manager find;
-allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app app_api_service:service_manager find;
-allow platform_app system_api_service:service_manager find;
-allow platform_app vr_manager_service:service_manager find;
-
-# Access to /data/preloads
-allow platform_app preloads_data_file:file r_file_perms;
-allow platform_app preloads_data_file:dir r_dir_perms;
-allow platform_app preloads_media_file:file r_file_perms;
-allow platform_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(platform_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as platform_app
-neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/26.0/private/policy_capabilities b/prebuilts/api/26.0/private/policy_capabilities
deleted file mode 100644
index ab55c15e38d8581052a2bfad1badc3cdb8df2752..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/policy_capabilities
+++ /dev/null
@@ -1,13 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
-
-# Enable separate security classes for
-# all network address families previously
-# mapped to the socket class and for
-# ICMP and SCTP sockets previously mapped
-# to the rawip_socket class.
-policycap extended_socket_class;
-
diff --git a/prebuilts/api/26.0/private/port_contexts b/prebuilts/api/26.0/private/port_contexts
deleted file mode 100644
index b473c0c9b431fe79309f2df9aa7bfd3c8223b3c8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/port_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0
-
diff --git a/prebuilts/api/26.0/private/postinstall.te b/prebuilts/api/26.0/private/postinstall.te
deleted file mode 100644
index 363e362dda7be27d3127e4006428a31e427a8e60..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/postinstall.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute postinstall coredomain;
-
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/prebuilts/api/26.0/private/postinstall_dexopt.te b/prebuilts/api/26.0/private/postinstall_dexopt.te
deleted file mode 100644
index ff5fe8735d9d097c6b02191e029897cf77399919..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute postinstall_dexopt coredomain;
-
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/prebuilts/api/26.0/private/ppp.te b/prebuilts/api/26.0/private/ppp.te
deleted file mode 100644
index 9b301f4757ba1bf92cd076bb6a8236c5f6191138..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/ppp.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute ppp coredomain;
-typeattribute ppp domain_deprecated;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/26.0/private/preopt2cachename.te b/prebuilts/api/26.0/private/preopt2cachename.te
deleted file mode 100644
index d10f76766c0aad8d6a72474ed767a1a3dfe66a7d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/preopt2cachename.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute preopt2cachename coredomain;
diff --git a/prebuilts/api/26.0/private/priv_app.te b/prebuilts/api/26.0/private/priv_app.te
deleted file mode 100644
index 065ea1ad373c392ae5261eb075a0e6f5366be6a7..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/priv_app.te
+++ /dev/null
@@ -1,168 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-typeattribute priv_app coredomain;
-app_domain(priv_app)
-
-# Access the network.
-net_domain(priv_app)
-# Access bluetooth.
-bluetooth_domain(priv_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
-create_pty(priv_app)
-
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-
-# Some apps ship with shared libraries that they write out
-# to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file execute;
-
-allow priv_app audioserver_service:service_manager find;
-allow priv_app cameraserver_service:service_manager find;
-allow priv_app drmserver_service:service_manager find;
-allow priv_app mediacodec_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
-allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediacasserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app nfc_service:service_manager find;
-allow priv_app oem_lock_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-allow priv_app persistent_data_block_service:service_manager find;
-allow priv_app recovery_service:service_manager find;
-
-# Write to /cache.
-allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow priv_app cache_file:lnk_file r_file_perms;
-
-# Write to /data/ota_package for OTA packages.
-allow priv_app ota_package_file:dir rw_dir_perms;
-allow priv_app ota_package_file:file create_file_perms;
-
-# Access to /data/media.
-allow priv_app media_rw_data_file:dir create_dir_perms;
-allow priv_app media_rw_data_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow priv_app shell_data_file:file r_file_perms;
-allow priv_app shell_data_file:dir r_dir_perms;
-
-# Allow verifier to access staged apks.
-allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow priv_app anr_data_file:file r_file_perms;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow priv_app perfprofd_data_file:file r_file_perms;
- allow priv_app perfprofd_data_file:dir r_dir_perms;
-')
-
-# For AppFuse.
-allow priv_app vold:fd use;
-allow priv_app fuse_device:chr_file { read write };
-
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
-r_dir_file(priv_app, rootfs)
-
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow priv_app config_gz:file { open read getattr };
-
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(priv_app, update_engine)
-allow priv_app update_engine_service:service_manager find;
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(priv_app, storaged)
-allow priv_app storaged_service:service_manager find;
-
-# Allow Phone to read/write cached ringtones (opened by system).
-allow priv_app ringtone_file:file { getattr read write };
-
-# Access to /data/preloads
-allow priv_app preloads_data_file:file r_file_perms;
-allow priv_app preloads_data_file:dir r_dir_perms;
-allow priv_app preloads_media_file:file r_file_perms;
-allow priv_app preloads_media_file:dir r_dir_perms;
-
-# TODO: revert this as part of fixing 33574909
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# MtpServer uses /dev/usb-ffs/mtp
-allow priv_app functionfs:dir search;
-allow priv_app functionfs:file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
-# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
-allow priv_app keystore:keystore_key gen_unique_id;
-
-read_runtime_log_tags(priv_app)
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow priv_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow priv_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
-
-# Do not allow privileged apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow priv_app service_manager_type:service_manager add;
-
-# Do not allow privileged apps to connect to the property service
-# or set properties. b/10243159
-neverallow priv_app property_socket:sock_file write;
-neverallow priv_app init:unix_stream_socket connectto;
-neverallow priv_app property_type:property_service set;
-
-# Do not allow priv_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and priv_app is allowed fork permission to itself.
-neverallow priv_app mlstrustedsubject:process fork;
-
-# Do not allow priv_app to hard link to any files.
-# In particular, if priv_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure priv_app never has this
-# capability.
-neverallow priv_app file_type:file link;
diff --git a/prebuilts/api/26.0/private/profman.te b/prebuilts/api/26.0/private/profman.te
deleted file mode 100644
index f61d05efe7b8908ba5dbd7464cfb84b2c4118e94..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/profman.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute profman coredomain;
diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
deleted file mode 100644
index 4c27b35d6b3d9cadd8853f9d6814fc52e77a7383..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/property_contexts
+++ /dev/null
@@ -1,116 +0,0 @@
-##########################
-# property service keys
-#
-#
-net.rmnet u:object_r:net_radio_prop:s0
-net.gprs u:object_r:net_radio_prop:s0
-net.ppp u:object_r:net_radio_prop:s0
-net.qmi u:object_r:net_radio_prop:s0
-net.lte u:object_r:net_radio_prop:s0
-net.cdma u:object_r:net_radio_prop:s0
-net.dns u:object_r:net_dns_prop:s0
-sys.usb.config u:object_r:system_radio_prop:s0
-ril. u:object_r:radio_prop:s0
-ro.ril. u:object_r:radio_prop:s0
-gsm. u:object_r:radio_prop:s0
-persist.radio u:object_r:radio_prop:s0
-
-net. u:object_r:system_prop:s0
-dev. u:object_r:system_prop:s0
-ro.runtime. u:object_r:system_prop:s0
-ro.runtime.firstboot u:object_r:firstboot_prop:s0
-hw. u:object_r:system_prop:s0
-ro.hw. u:object_r:system_prop:s0
-sys. u:object_r:system_prop:s0
-sys.cppreopt u:object_r:cppreopt_prop:s0
-sys.powerctl u:object_r:powerctl_prop:s0
-sys.usb.ffs. u:object_r:ffs_prop:s0
-service. u:object_r:system_prop:s0
-dhcp. u:object_r:dhcp_prop:s0
-dhcp.bt-pan.result u:object_r:pan_result_prop:s0
-bluetooth. u:object_r:bluetooth_prop:s0
-
-debug. u:object_r:debug_prop:s0
-debug.db. u:object_r:debuggerd_prop:s0
-dumpstate. u:object_r:dumpstate_prop:s0
-dumpstate.options u:object_r:dumpstate_options_prop:s0
-log. u:object_r:log_prop:s0
-log.tag u:object_r:log_tag_prop:s0
-log.tag.WifiHAL u:object_r:wifi_log_prop:s0
-security.perf_harden u:object_r:shell_prop:s0
-service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
-
-persist.audio. u:object_r:audio_prop:s0
-persist.bluetooth. u:object_r:bluetooth_prop:s0
-persist.debug. u:object_r:persist_debug_prop:s0
-persist.logd. u:object_r:logd_prop:s0
-persist.logd.security u:object_r:device_logging_prop:s0
-persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-persist.log.tag u:object_r:log_tag_prop:s0
-persist.mmc. u:object_r:mmc_prop:s0
-persist.sys. u:object_r:system_prop:s0
-persist.sys.safemode u:object_r:safemode_prop:s0
-ro.sys.safemode u:object_r:safemode_prop:s0
-persist.sys.audit_safemode u:object_r:safemode_prop:s0
-persist.service. u:object_r:system_prop:s0
-persist.service.bdroid. u:object_r:bluetooth_prop:s0
-persist.security. u:object_r:system_prop:s0
-persist.vendor.overlay. u:object_r:overlay_prop:s0
-ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
-ro.boottime. u:object_r:boottime_prop:s0
-ro.serialno u:object_r:serialno_prop:s0
-ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
-ro.boot.serialno u:object_r:serialno_prop:s0
-ro.bt. u:object_r:bluetooth_prop:s0
-
-# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner u:object_r:device_logging_prop:s0
-
-# selinux non-persistent properties
-selinux.restorecon_recursive u:object_r:restorecon_prop:s0
-
-# default property context
-* u:object_r:default_prop:s0
-
-# data partition encryption properties
-vold. u:object_r:vold_prop:s0
-ro.crypto. u:object_r:vold_prop:s0
-
-# ro.build.fingerprint is either set in /system/build.prop, or is
-# set at runtime by system_server.
-ro.build.fingerprint u:object_r:fingerprint_prop:s0
-
-ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
-
-# ctl properties
-ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
-ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
-ctl.bugreport u:object_r:ctl_bugreport_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
-
-# NFC properties
-nfc. u:object_r:nfc_prop:s0
-
-# These properties are not normally set by processes other than init.
-# They are only distinguished here for setting by qemu-props on the
-# emulator/goldfish.
-config. u:object_r:config_prop:s0
-ro.config. u:object_r:config_prop:s0
-dalvik. u:object_r:dalvik_prop:s0
-ro.dalvik. u:object_r:dalvik_prop:s0
-
-# Shared between system server and wificond
-wlan. u:object_r:wifi_prop:s0
-
-# hwservicemanager properties
-hwservicemanager. u:object_r:hwservicemanager_prop:s0
-
-# ASAN install trigger
-asan.restore_reboot u:object_r:asan_reboot_prop:s0
diff --git a/prebuilts/api/26.0/private/racoon.te b/prebuilts/api/26.0/private/racoon.te
deleted file mode 100644
index 42ea7c9e48416235ba3f28b878ff7fac20d87196..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/prebuilts/api/26.0/private/radio.te b/prebuilts/api/26.0/private/radio.te
deleted file mode 100644
index 83b5b416b248c2533f353e4afa62b8e7e585118e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/radio.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute radio coredomain;
-typeattribute radio domain_deprecated;
-
-app_domain(radio)
-
-read_runtime_log_tags(radio)
diff --git a/prebuilts/api/26.0/private/recovery.te b/prebuilts/api/26.0/private/recovery.te
deleted file mode 100644
index b7b2847ecf6ef7bf099abb02e5593912806167d3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/recovery.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute recovery coredomain;
-typeattribute recovery domain_deprecated;
diff --git a/prebuilts/api/26.0/private/recovery_persist.te b/prebuilts/api/26.0/private/recovery_persist.te
deleted file mode 100644
index 1fdd7583d735021ca0bbcce783af2ea906c14a92..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/recovery_persist.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute recovery_persist coredomain;
-
-init_daemon_domain(recovery_persist)
-
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/26.0/private/recovery_refresh.te b/prebuilts/api/26.0/private/recovery_refresh.te
deleted file mode 100644
index 327098dadb87835c3c1367409282ea73a70cac5e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/recovery_refresh.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute recovery_refresh coredomain;
-
-init_daemon_domain(recovery_refresh)
-
-# recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/26.0/private/roles_decl b/prebuilts/api/26.0/private/roles_decl
deleted file mode 100644
index c84fcba0ffabdd4ae4460e34b79333466f62f4a9..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/roles_decl
+++ /dev/null
@@ -1 +0,0 @@
-role r;
diff --git a/prebuilts/api/26.0/private/runas.te b/prebuilts/api/26.0/private/runas.te
deleted file mode 100644
index 73a91ffd68f32ec11d3b2e40a927eb2c741cef30..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/runas.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute runas coredomain;
-typeattribute runas domain_deprecated;
-
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/26.0/private/sdcardd.te b/prebuilts/api/26.0/private/sdcardd.te
deleted file mode 100644
index ac6bb4e2c4da4da1493109efe95e4cf23b345d39..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/sdcardd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute sdcardd coredomain;
-typeattribute sdcardd domain_deprecated;
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/26.0/private/seapp_contexts b/prebuilts/api/26.0/private/seapp_contexts
deleted file mode 100644
index 4356889b5b79d9798525c39c10785027a029a5ec..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/seapp_contexts
+++ /dev/null
@@ -1,110 +0,0 @@
-# Input selectors:
-# isSystemServer (boolean)
-# isEphemeralApp (boolean)
-# isV2App (boolean)
-# isOwner (boolean)
-# user (string)
-# seinfo (string)
-# name (string)
-# path (string)
-# isPrivApp (boolean)
-# minTargetSdkVersion (unsigned integer)
-# isSystemServer=true can only be used once.
-# An unspecified isSystemServer defaults to false.
-# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isV2App=true will match apps in the v2 app sandbox.
-# isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
-# isPrivApp=true will only match for applications preinstalled in
-# /system/priv-app.
-# minTargetSdkVersion will match applications with a targetSdkVersion
-# greater than or equal to the specified value. If unspecified,
-# it has a default value of 0.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
-#
-# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
-# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
-# (3) Specified isV2App= before unspecified isV2App= boolean.
-# (4) Specified isOwner= before unspecified isOwner= boolean.
-# (5) Specified user= string before unspecified user= string.
-# (6) Fixed user= string before user= prefix (i.e. ending in *).
-# (7) Longer user= prefix before shorter user= prefix.
-# (8) Specified seinfo= string before unspecified seinfo= string.
-# ':' character is reserved and may not be used.
-# (9) Specified name= string before unspecified name= string.
-# (10) Specified path= string before unspecified path= string.
-# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
-# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
-#
-# Outputs:
-# domain (string)
-# type (string)
-# levelFrom (string; one of none, all, app, or user)
-# level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-#
-# Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
-# rules are lines beginning with the keyword neverallow. Full support for PCRE
-# regular expressions exists on all input and output selectors. Neverallow
-# rules are never output to the built seapp_contexts file. Like all keywords,
-# neverallows are case-insensitive. A neverallow is asserted when all key value
-# inputs are matched on a key value rule line.
-#
-
-# only the system server can be in system_server domain
-neverallow isSystemServer=false domain=system_server
-neverallow isSystemServer="" domain=system_server
-
-# system domains should never be assigned outside of system uid
-neverallow user=((?!system).)* domain=system_app
-neverallow user=((?!system).)* type=system_app_data_file
-
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
-
-# neverallow shared relro to any other domain
-# and neverallow any other uid into shared_relro
-neverallow user=shared_relro domain=((?!shared_relro).)*
-neverallow user=((?!shared_relro).)* domain=shared_relro
-
-# neverallow non-isolated uids into isolated_app domain
-# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
-
-# uid shell should always be in shell domain, however non-shell
-# uid's can be in shell domain
-neverallow user=shell domain=((?!shell).)*
-
-# Ephemeral Apps must run in the ephemeral_app domain
-neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
-
-isSystemServer=true domain=system_server
-user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=nfc seinfo=platform domain=nfc type=nfc_data_file
-user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
-user=_isolated domain=isolated_app levelFrom=user
-user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
-user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
-user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/prebuilts/api/26.0/private/security_classes b/prebuilts/api/26.0/private/security_classes
deleted file mode 100644
index 02e3ef2f6ee2d109a62e814f86e77b158ac2159c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/security_classes
+++ /dev/null
@@ -1,144 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Keystore Key
-class keystore_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/prebuilts/api/26.0/private/service_contexts b/prebuilts/api/26.0/private/service_contexts
deleted file mode 100644
index dc77cb9c32237fa454056031dfde8124050525c0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/service_contexts
+++ /dev/null
@@ -1,172 +0,0 @@
-accessibility u:object_r:accessibility_service:s0
-account u:object_r:account_service:s0
-activity u:object_r:activity_service:s0
-alarm u:object_r:alarm_service:s0
-android.os.UpdateEngineService u:object_r:update_engine_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
-appops u:object_r:appops_service:s0
-appwidget u:object_r:appwidget_service:s0
-assetatlas u:object_r:assetatlas_service:s0
-audio u:object_r:audio_service:s0
-autofill u:object_r:autofill_service:s0
-backup u:object_r:backup_service:s0
-batteryproperties u:object_r:batteryproperties_service:s0
-batterystats u:object_r:batterystats_service:s0
-battery u:object_r:battery_service:s0
-bluetooth_manager u:object_r:bluetooth_manager_service:s0
-bluetooth u:object_r:bluetooth_service:s0
-carrier_config u:object_r:radio_service:s0
-clipboard u:object_r:clipboard_service:s0
-com.android.net.IProxyService u:object_r:IProxyService_service:s0
-commontime_management u:object_r:commontime_management_service:s0
-common_time.clock u:object_r:mediaserver_service:s0
-common_time.config u:object_r:mediaserver_service:s0
-companiondevice u:object_r:companion_device_service:s0
-connectivity u:object_r:connectivity_service:s0
-connmetrics u:object_r:connmetrics_service:s0
-consumer_ir u:object_r:consumer_ir_service:s0
-content u:object_r:content_service:s0
-contexthub u:object_r:contexthub_service:s0
-country_detector u:object_r:country_detector_service:s0
-coverage u:object_r:coverage_service:s0
-cpuinfo u:object_r:cpuinfo_service:s0
-dbinfo u:object_r:dbinfo_service:s0
-device_policy u:object_r:device_policy_service:s0
-device_identifiers u:object_r:device_identifiers_service:s0
-deviceidle u:object_r:deviceidle_service:s0
-devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
-diskstats u:object_r:diskstats_service:s0
-display.qservice u:object_r:surfaceflinger_service:s0
-display u:object_r:display_service:s0
-netd_listener u:object_r:netd_listener_service:s0
-DockObserver u:object_r:DockObserver_service:s0
-dreams u:object_r:dreams_service:s0
-drm.drmManager u:object_r:drmserver_service:s0
-dropbox u:object_r:dropbox_service:s0
-dumpstate u:object_r:dumpstate_service:s0
-econtroller u:object_r:radio_service:s0
-ethernet u:object_r:ethernet_service:s0
-fingerprint u:object_r:fingerprint_service:s0
-font u:object_r:font_service:s0
-android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
-gfxinfo u:object_r:gfxinfo_service:s0
-graphicsstats u:object_r:graphicsstats_service:s0
-gpu u:object_r:gpu_service:s0
-hardware u:object_r:hardware_service:s0
-hardware_properties u:object_r:hardware_properties_service:s0
-hdmi_control u:object_r:hdmi_control_service:s0
-incident u:object_r:incident_service:s0
-inputflinger u:object_r:inputflinger_service:s0
-input_method u:object_r:input_method_service:s0
-input u:object_r:input_service:s0
-installd u:object_r:installd_service:s0
-iphonesubinfo_msim u:object_r:radio_service:s0
-iphonesubinfo2 u:object_r:radio_service:s0
-iphonesubinfo u:object_r:radio_service:s0
-ims u:object_r:radio_service:s0
-imms u:object_r:imms_service:s0
-ipsec u:object_r:ipsec_service:s0
-isms_msim u:object_r:radio_service:s0
-isms2 u:object_r:radio_service:s0
-isms u:object_r:radio_service:s0
-isub u:object_r:radio_service:s0
-jobscheduler u:object_r:jobscheduler_service:s0
-launcherapps u:object_r:launcherapps_service:s0
-location u:object_r:location_service:s0
-lock_settings u:object_r:lock_settings_service:s0
-media.aaudio u:object_r:audioserver_service:s0
-media.audio_flinger u:object_r:audioserver_service:s0
-media.audio_policy u:object_r:audioserver_service:s0
-media.camera u:object_r:cameraserver_service:s0
-media.camera.proxy u:object_r:cameraproxy_service:s0
-media.log u:object_r:audioserver_service:s0
-media.player u:object_r:mediaserver_service:s0
-media.metrics u:object_r:mediametrics_service:s0
-media.extractor u:object_r:mediaextractor_service:s0
-media.codec u:object_r:mediacodec_service:s0
-media.resource_manager u:object_r:mediaserver_service:s0
-media.radio u:object_r:audioserver_service:s0
-media.sound_trigger_hw u:object_r:audioserver_service:s0
-media.drm u:object_r:mediadrmserver_service:s0
-media.cas u:object_r:mediacasserver_service:s0
-media_projection u:object_r:media_projection_service:s0
-media_resource_monitor u:object_r:media_session_service:s0
-media_router u:object_r:media_router_service:s0
-media_session u:object_r:media_session_service:s0
-meminfo u:object_r:meminfo_service:s0
-midi u:object_r:midi_service:s0
-mount u:object_r:mount_service:s0
-netd u:object_r:netd_service:s0
-netpolicy u:object_r:netpolicy_service:s0
-netstats u:object_r:netstats_service:s0
-network_management u:object_r:network_management_service:s0
-network_score u:object_r:network_score_service:s0
-network_time_update_service u:object_r:network_time_update_service:s0
-nfc u:object_r:nfc_service:s0
-notification u:object_r:notification_service:s0
-oem_lock u:object_r:oem_lock_service:s0
-otadexopt u:object_r:otadexopt_service:s0
-overlay u:object_r:overlay_service:s0
-package u:object_r:package_service:s0
-permission u:object_r:permission_service:s0
-persistent_data_block u:object_r:persistent_data_block_service:s0
-phone_msim u:object_r:radio_service:s0
-phone1 u:object_r:radio_service:s0
-phone2 u:object_r:radio_service:s0
-phone u:object_r:radio_service:s0
-pinner u:object_r:pinner_service:s0
-power u:object_r:power_service:s0
-print u:object_r:print_service:s0
-processinfo u:object_r:processinfo_service:s0
-procstats u:object_r:procstats_service:s0
-radio.phonesubinfo u:object_r:radio_service:s0
-radio.phone u:object_r:radio_service:s0
-radio.sms u:object_r:radio_service:s0
-recovery u:object_r:recovery_service:s0
-restrictions u:object_r:restrictions_service:s0
-rttmanager u:object_r:rttmanager_service:s0
-samplingprofiler u:object_r:samplingprofiler_service:s0
-scheduling_policy u:object_r:scheduling_policy_service:s0
-search u:object_r:search_service:s0
-sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
-sensorservice u:object_r:sensorservice_service:s0
-serial u:object_r:serial_service:s0
-servicediscovery u:object_r:servicediscovery_service:s0
-settings u:object_r:settings_service:s0
-shortcut u:object_r:shortcut_service:s0
-simphonebook_msim u:object_r:radio_service:s0
-simphonebook2 u:object_r:radio_service:s0
-simphonebook u:object_r:radio_service:s0
-sip u:object_r:radio_service:s0
-soundtrigger u:object_r:voiceinteraction_service:s0
-statusbar u:object_r:statusbar_service:s0
-storaged u:object_r:storaged_service:s0
-storagestats u:object_r:storagestats_service:s0
-SurfaceFlinger u:object_r:surfaceflinger_service:s0
-task u:object_r:task_service:s0
-telecom u:object_r:telecom_service:s0
-telephony.registry u:object_r:registry_service:s0
-textclassification u:object_r:textclassification_service:s0
-textservices u:object_r:textservices_service:s0
-trust u:object_r:trust_service:s0
-tv_input u:object_r:tv_input_service:s0
-uimode u:object_r:uimode_service:s0
-updatelock u:object_r:updatelock_service:s0
-usagestats u:object_r:usagestats_service:s0
-usb u:object_r:usb_service:s0
-user u:object_r:user_service:s0
-vibrator u:object_r:vibrator_service:s0
-virtual_touchpad u:object_r:virtual_touchpad_service:s0
-voiceinteraction u:object_r:voiceinteraction_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrmanager u:object_r:vr_manager_service:s0
-wallpaper u:object_r:wallpaper_service:s0
-webviewupdate u:object_r:webviewupdate_service:s0
-wifip2p u:object_r:wifip2p_service:s0
-wifiscanner u:object_r:wifiscanner_service:s0
-wifi u:object_r:wifi_service:s0
-wificond u:object_r:wificond_service:s0
-wifiaware u:object_r:wifiaware_service:s0
-window u:object_r:window_service:s0
-* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/26.0/private/servicemanager.te b/prebuilts/api/26.0/private/servicemanager.te
deleted file mode 100644
index 9f675a2bed692007a3fba82c7be774daeaf749a7..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/servicemanager.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-read_runtime_log_tags(servicemanager)
diff --git a/prebuilts/api/26.0/private/sgdisk.te b/prebuilts/api/26.0/private/sgdisk.te
deleted file mode 100644
index a17342e01023583ada9fc6526fea79fb2c685145..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/sgdisk.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute sgdisk coredomain;
diff --git a/prebuilts/api/26.0/private/shared_relro.te b/prebuilts/api/26.0/private/shared_relro.te
deleted file mode 100644
index 8d06294d96a53ee83b7109af1e3781ca3fa4a85f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/shared_relro.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute shared_relro coredomain;
-typeattribute shared_relro domain_deprecated;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
diff --git a/prebuilts/api/26.0/private/shell.te b/prebuilts/api/26.0/private/shell.te
deleted file mode 100644
index fbd9676a733c74b6ae39c225bca0f370330c7c80..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/shell.te
+++ /dev/null
@@ -1,22 +0,0 @@
-typeattribute shell coredomain;
-
-# systrace support - allow atrace to run
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file r_file_perms;
-allow shell tracing_shell_writable:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
-userdebug_or_eng(`
- allow shell tracing_shell_writable_debug:file rw_file_perms;
-')
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# allow shell to call dumpsys storaged
-binder_call(shell, storaged)
diff --git a/prebuilts/api/26.0/private/slideshow.te b/prebuilts/api/26.0/private/slideshow.te
deleted file mode 100644
index 7dfa994ea7add2eddb4c6e3f2598a79c6d9b5de0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/slideshow.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute slideshow coredomain;
diff --git a/prebuilts/api/26.0/private/storaged.te b/prebuilts/api/26.0/private/storaged.te
deleted file mode 100644
index 96433b308535cd63f48306eaccf43dc33d54cd9f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/storaged.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# storaged daemon
-type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, exec_type, file_type;
-
-init_daemon_domain(storaged)
-
-# Read access to pseudo filesystems
-r_dir_file(storaged, sysfs_type)
-r_dir_file(storaged, proc_net)
-r_dir_file(storaged, domain)
-
-# Read /proc/uid_io/stats
-allow storaged proc_uid_io_stats:file r_file_perms;
-
-# Read /data/system/packages.list
-allow storaged system_data_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
-')
-
-# Needed to provide debug dump output via dumpsys pipes.
-allow storaged shell:fd use;
-allow storaged shell:fifo_file write;
-
-# Needed for GMScore to call dumpsys storaged
-allow storaged priv_app:fd use;
-allow storaged app_data_file:file write;
-allow storaged permission_service:service_manager find;
-
-# Binder permissions
-add_service(storaged, storaged_service)
-
-binder_use(storaged)
-binder_call(storaged, system_server)
-
-# use batteryproperties service
-allow storaged batteryproperties_service:service_manager find;
-binder_call(storaged, healthd)
-
-# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
-# running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
-
-###
-### neverallow
-###
-neverallow storaged domain:process ptrace;
-neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/26.0/private/su.te b/prebuilts/api/26.0/private/su.te
deleted file mode 100644
index d42bf614c332393113e0c4998a3a7cebe0c28a86..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/su.te
+++ /dev/null
@@ -1,20 +0,0 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
-
- domain_auto_trans(shell, su_exec, su)
- # Allow dumpstate to call su on userdebug / eng builds to collect
- # additional information.
- domain_auto_trans(dumpstate, su_exec, su)
-
- # Make sure that dumpstate runs the same from the "su" domain as
- # from the "init" domain.
- domain_auto_trans(su, dumpstate_exec, dumpstate)
-
- # Put the incident command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, incident_exec, incident)
-
-# su is also permissive to permit setenforce.
- permissive su;
-
- app_domain(su)
-')
diff --git a/prebuilts/api/26.0/private/surfaceflinger.te b/prebuilts/api/26.0/private/surfaceflinger.te
deleted file mode 100644
index 3595ee426c67b0923bff62f5ba8a4024aa77fbae..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/surfaceflinger.te
+++ /dev/null
@@ -1,110 +0,0 @@
-# surfaceflinger - display compositor service
-
-typeattribute surfaceflinger coredomain;
-
-type surfaceflinger_exec, exec_type, file_type;
-init_daemon_domain(surfaceflinger)
-
-typeattribute surfaceflinger mlstrustedsubject;
-typeattribute surfaceflinger display_service_server;
-
-read_runtime_log_tags(surfaceflinger)
-
-# Perform HwBinder IPC.
-hal_client_domain(surfaceflinger, hal_graphics_allocator)
-hal_client_domain(surfaceflinger, hal_graphics_composer)
-hal_client_domain(surfaceflinger, hal_configstore)
-allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow surfaceflinger adbd:unix_stream_socket { read write getattr };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee_device:chr_file rw_file_perms;
-
-
-# media.player service
-add_service(surfaceflinger, gpu_service)
-
-# do not use add_service() as hal_graphics_composer_default may be the
-# provider as well
-#add_service(surfaceflinger, surfaceflinger_service)
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger vr_manager_service:service_manager find;
-allow surfaceflinger window_service:service_manager find;
-
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger ion_device:chr_file r_file_perms;
-
-# pdx IPC
-pdx_server(surfaceflinger, display_client)
-pdx_server(surfaceflinger, display_manager)
-pdx_server(surfaceflinger, display_screenshot)
-pdx_server(surfaceflinger, display_vsync)
-
-pdx_client(surfaceflinger, bufferhub_client)
-pdx_client(surfaceflinger, performance_client)
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/prebuilts/api/26.0/private/system_app.te b/prebuilts/api/26.0/private/system_app.te
deleted file mode 100644
index 7950044baaea6eb5eb00ed30f98ead14fd69b27c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/system_app.te
+++ /dev/null
@@ -1,92 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-typeattribute system_app coredomain;
-typeattribute system_app domain_deprecated;
-
-app_domain(system_app)
-net_domain(system_app)
-binder_service(system_app)
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Read icon file.
-allow system_app icon_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, system_radio_prop)
-set_prop(system_app, log_tag_prop)
-userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app system_radio_prop:property_service set;
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-# Allow system apps to interact with incidentd
-binder_call(system_app, incidentd)
-
-allow system_app servicemanager:service_manager list;
-# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-control_logd(system_app)
-read_runtime_log_tags(system_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as system_app
-neverallow system_app fuse_device:chr_file *;
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
deleted file mode 100644
index 05e47734b75ceed759fb80756917cc40412ca602..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/system_server.te
+++ /dev/null
@@ -1,740 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-
-typeattribute system_server coredomain;
-typeattribute system_server domain_deprecated;
-typeattribute system_server mlstrustedsubject;
-
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
-# Create a socket for connections from crash_dump.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-
-allow system_server zygote_tmpfs:file read;
-
-# For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file { r_file_perms execute };
-userdebug_or_eng(`
- # Report dalvikcache_data_file:file execute violations.
- auditallow system_server dalvikcache_data_file:file execute;
-')
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Read and delete last_reboot_reason file
-allow system_server reboot_data_file:file { rename r_file_perms unlink };
-allow system_server reboot_data_file:dir { write search open remove_name };
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-
-# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-allow system_server crash_dump:process sigkill;
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
-bluetooth_domain(system_server)
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:capability {
- ipc_lock
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_nice
- sys_ptrace
- sys_time
- sys_tty_config
-};
-
-wakelock_use(system_server)
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# libvintf reads the kernel config to verify vendor interface compatibility.
-allow system_server config_gz:file { read open };
-
-# Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { sigkill signal };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server audioserver:process { getsched setsched };
-allow system_server hal_audio:process { getsched setsched };
-allow system_server hal_bluetooth:process { getsched setsched };
-allow system_server cameraserver:process { getsched setsched };
-allow system_server hal_camera:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-allow system_server bootanim:process { getsched setsched };
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device. In addition, /proc/pid files access is needed
-# for dumping stack traces of native processes.
-r_dir_file(system_server, domain)
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write /proc/uid_procstat/set.
-allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
-# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
-
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
-unix_socket_connect(system_server, vold, vold)
-unix_socket_connect(system_server, webview_zygote, webview_zygote)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_connect(system_server, uncrypt, uncrypt)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, appdomain)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, dumpstate)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, installd)
-binder_call(system_server, incidentd)
-binder_call(system_server, netd)
-binder_call(system_server, wificond)
-binder_service(system_server)
-
-# Use HALs
-hal_client_domain(system_server, hal_allocator)
-hal_client_domain(system_server, hal_contexthub)
-hal_client_domain(system_server, hal_fingerprint)
-hal_client_domain(system_server, hal_gnss)
-hal_client_domain(system_server, hal_graphics_allocator)
-hal_client_domain(system_server, hal_ir)
-hal_client_domain(system_server, hal_light)
-hal_client_domain(system_server, hal_memtrack)
-hal_client_domain(system_server, hal_oemlock)
-allow system_server hal_omx_hwservice:hwservice_manager find;
-allow system_server hidl_token_hwservice:hwservice_manager find;
-hal_client_domain(system_server, hal_power)
-hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_tetheroffload)
-hal_client_domain(system_server, hal_thermal)
-hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_input)
-hal_client_domain(system_server, hal_usb)
-hal_client_domain(system_server, hal_vibrator)
-hal_client_domain(system_server, hal_vr)
-hal_client_domain(system_server, hal_weaver)
-hal_client_domain(system_server, hal_wifi)
-hal_client_domain(system_server, hal_wifi_offload)
-hal_client_domain(system_server, hal_wifi_supplicant)
-
-binder_call(system_server, mediacodec)
-
-# Talk with graphics composer fences
-allow system_server hal_graphics_composer:fd use;
-
-# Use RenderScript always-passthrough HAL
-allow system_server hal_renderscript_hwservice:hwservice_manager find;
-
-# Offer HwBinder services
-add_hwservice(system_server, fwk_scheduler_hwservice)
-add_hwservice(system_server, fwk_sensor_hwservice)
-
-# Talk to tombstoned to get ANR traces.
-unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
-
-# List HAL interfaces to get ANR traces.
-allow system_server hwservicemanager:hwservice_manager list;
-
-# Send signals to trigger ANR traces.
-allow system_server {
- # This is derived from the list that system server defines as interesting native processes
- # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediaserver
- mediametrics
- sdcardd
- surfaceflinger
-
- # This list comes from HAL_INTERFACES_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_graphics_composer_server
- hal_vr_server
- mediacodec # TODO(b/36375899): hal_omx_server
-}:process { signal };
-
-# Use sockets received over binder from various services.
-allow system_server audioserver:tcp_socket rw_socket_perms;
-allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Use sockets received over binder from various services.
-allow system_server mediadrmserver:tcp_socket rw_socket_perms;
-allow system_server mediadrmserver:udp_socket rw_socket_perms;
-
-# Get file context
-allow system_server file_contexts_file:file r_file_perms;
-# access for mac_permissions
-allow system_server mac_perms_file: file r_file_perms;
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-
-# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file { write append };
-
-# TODO: added to match above sysfs rule. Remove me?
-allow system_server sysfs_usb:file w_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server alarm_device:chr_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server iio_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server radio_device:chr_file r_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-allow system_server keychain_data_file:lnk_file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Access /vendor/app
-r_dir_file(system_server, vendor_app_file)
-
-# Access /vendor/app
-r_dir_file(system_server, vendor_overlay_file)
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# Read /data/misc/incidents - only read. The fd will be sent over binder,
-# with no DAC access to it, for dropbox to read.
-allow system_server incident_data_file:file read;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO: Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Manage /data/misc/textclassifier.
-allow system_server textclassifier_data_file:dir create_dir_perms;
-allow system_server textclassifier_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
-
-# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
-
-# Receive and use open /data/media files passed over binder IPC.
-# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms rename unlink };
-
-# Backup of wallpaper imagery uses temporary hard links to avoid data churn
-allow system_server { system_data_file wallpaper_file }:file link;
-
-# ShortcutManager icons
-allow system_server system_data_file:dir relabelfrom;
-allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
-allow system_server shortcut_manager_icons:file create_file_perms;
-
-# Manage ringtones.
-allow system_server ringtone_file:dir { create_dir_perms relabelto };
-allow system_server ringtone_file:file create_file_perms;
-
-# Relabel icon file.
-allow system_server icon_file:file relabelto;
-allow system_server icon_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, net_dns_prop)
-set_prop(system_server, system_radio_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-set_prop(system_server, dumpstate_options_prop)
-set_prop(system_server, overlay_prop)
-userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_bugreport_prop)
-
-# cppreopt property
-set_prop(system_server, cppreopt_prop)
-
-# Collect metrics on boot time created by init
-get_prop(system_server, boottime_prop)
-
-# Read device's serial number from system properties
-get_prop(system_server, serialno_prop)
-
-# Read/write the property which keeps track of whether this is the first start of system_server
-set_prop(system_server, firstboot_prop)
-
-# Create a socket for connections from debuggerd.
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# BackupManagerService needs to manipulate backup data files
-allow system_server cache_backup_file:dir rw_dir_perms;
-allow system_server cache_backup_file:file create_file_perms;
-# LocalTransport works inside /cache/backup
-allow system_server cache_private_backup_file:dir create_dir_perms;
-allow system_server cache_private_backup_file:file create_file_perms;
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-read_runtime_log_tags(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
-
-add_service(system_server, system_server_service);
-allow system_server audioserver_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server cameraserver_service:service_manager find;
-allow system_server drmserver_service:service_manager find;
-allow system_server dumpstate_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server incident_service:service_manager find;
-allow system_server installd_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server mediametrics_service:service_manager find;
-allow system_server mediaextractor_service:service_manager find;
-allow system_server mediacodec_service:service_manager find;
-allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediacasserver_service:service_manager find;
-allow system_server netd_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server surfaceflinger_service:service_manager find;
-allow system_server wificond_service:service_manager find;
-
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-
-# Clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-# Allow system process to read network MAC address
-allow system_server sysfs_mac_address:file r_file_perms;
-
-userdebug_or_eng(`
- # Allow system server to create and write method traces in /data/misc/trace.
- allow system_server method_trace_data_file:dir w_dir_perms;
- allow system_server method_trace_data_file:file { create w_file_perms };
-
- # Allow system server to read dmesg
- allow system_server kernel:system syslog_read;
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
-
-# For configuring sdcardfs
-allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open unlink write };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Allow invoking tools like "timeout"
-allow system_server toolbox_exec:file rx_file_perms;
-
-# Postinstall
-#
-# For OTA dexopt, allow calls coming from postinstall.
-binder_call(system_server, postinstall)
-
-allow system_server postinstall:fifo_file write;
-allow system_server update_engine:fd use;
-allow system_server update_engine:fifo_file write;
-
-# Access to /data/preloads
-allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow system_server preloads_media_file:file { r_file_perms unlink };
-allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-r_dir_file(system_server, cgroup)
-allow system_server ion_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc)
-r_dir_file(system_server, proc_meminfo)
-r_dir_file(system_server, proc_net)
-r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
-
-### Rules needed when Light HAL runs inside system_server process.
-### These rules should eventually be granted only when needed.
-allow system_server sysfs_leds:lnk_file read;
-allow system_server sysfs_leds:file rw_file_perms;
-allow system_server sysfs_leds:dir r_dir_perms;
-###
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow system_server debugfs_tracing_instances:dir search;
-allow system_server debugfs_wifi_tracing:file rw_file_perms;
-
-# allow system_server to exec shell on ASAN builds. Needed to run
-# asanwrapper.
-with_asan(`
- allow system_server shell_exec:file rx_file_perms;
-')
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
-
-# Forking and execing is inherently dangerous and racy. See, for
-# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
-# Prevent the addition of new file execs to stop the problem from
-# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec')
-}:file execute_no_trans;
-
-# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
-neverallow system_server *:process dyntransition;
-
-# Only allow crash_dump to connect to system_ndebug_socket.
-neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
- data_file_type
- -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-neverallow system_server self:process execmem;
-neverallow system_server ashmem_device:chr_file execute;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow system_server system_server_tmpfs:file execute;
-
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
-# No ptracing others
-neverallow system_server { domain -system_server }:process ptrace;
-
-# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
-# file read access. However, that is now unnecessary (b/34951864)
-# This neverallow can be removed after b/34951864 is fixed.
-neverallow system_server system_server:capability sys_resource;
diff --git a/prebuilts/api/26.0/private/technical_debt.cil b/prebuilts/api/26.0/private/technical_debt.cil
deleted file mode 100644
index ccbae108881effbbdae7a1291a0064c5d3e26f92..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/technical_debt.cil
+++ /dev/null
@@ -1,28 +0,0 @@
-; THIS IS A WORKAROUND for the current limitations of the module policy language
-; This should be used sparingly until we figure out a saner way to achieve the
-; stuff below, for example, by improving typeattribute statement of module
-; language.
-;
-; NOTE: This file has no effect on recovery policy.
-
-; Apps, except isolated apps, are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_allocator_client;
-; typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
-(typeattributeset halclientdomain (hal_allocator_client))
-
-; Apps, except isolated apps, are clients of Configstore HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Graphics Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
-
-; Domains hosting Camera HAL implementations are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute hal_camera hal_allocator_client;
-(typeattributeset hal_allocator_client (hal_camera))
diff --git a/prebuilts/api/26.0/private/tombstoned.te b/prebuilts/api/26.0/private/tombstoned.te
deleted file mode 100644
index 305f9d00679e573f56837a9ff9c215ae217e777c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/tombstoned.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tombstoned coredomain;
-
-init_daemon_domain(tombstoned)
diff --git a/prebuilts/api/26.0/private/toolbox.te b/prebuilts/api/26.0/private/toolbox.te
deleted file mode 100644
index a2b958dba339a87ece3bc9fa66112cc49abc23ae..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/toolbox.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute toolbox coredomain;
-
-init_daemon_domain(toolbox)
diff --git a/prebuilts/api/26.0/private/tzdatacheck.te b/prebuilts/api/26.0/private/tzdatacheck.te
deleted file mode 100644
index 502735cad0c34d31e410302fbb3dc6b3de090109..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/26.0/private/ueventd.te b/prebuilts/api/26.0/private/ueventd.te
deleted file mode 100644
index 0df587fffd1a5fd3cb81b3d3175c2a1d6a5b5014..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/ueventd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute ueventd coredomain;
-typeattribute ueventd domain_deprecated;
-
-tmpfs_domain(ueventd)
diff --git a/prebuilts/api/26.0/private/uncrypt.te b/prebuilts/api/26.0/private/uncrypt.te
deleted file mode 100644
index fde686be99d2b09fbceaafb68a45d864815ab182..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/uncrypt.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute uncrypt coredomain;
-typeattribute uncrypt domain_deprecated;
-
-init_daemon_domain(uncrypt)
diff --git a/prebuilts/api/26.0/private/untrusted_app.te b/prebuilts/api/26.0/private/untrusted_app.te
deleted file mode 100644
index 68c1a41bd19c50f3e2e9d8bc3c0d7d6f9e52b155..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/untrusted_app.te
+++ /dev/null
@@ -1,29 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-typeattribute untrusted_app coredomain;
-
-app_domain(untrusted_app)
-untrusted_app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
diff --git a/prebuilts/api/26.0/private/untrusted_app_25.te b/prebuilts/api/26.0/private/untrusted_app_25.te
deleted file mode 100644
index 3fa79efcef8b66af46f34f7763551cacbdf874e3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/untrusted_app_25.te
+++ /dev/null
@@ -1,46 +0,0 @@
-###
-### Untrusted_app_25
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion <= 25.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-typeattribute untrusted_app_25 coredomain;
-
-app_domain(untrusted_app_25)
-untrusted_app_domain(untrusted_app_25)
-net_domain(untrusted_app_25)
-bluetooth_domain(untrusted_app_25)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_25)
-
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
-# b/35917228 - /proc/misc access
-# This will go away in a future Android release
-allow untrusted_app_25 proc_misc:file r_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
diff --git a/prebuilts/api/26.0/private/untrusted_app_all.te b/prebuilts/api/26.0/private/untrusted_app_all.te
deleted file mode 100644
index fc80129a76b558946c46f995720ac4428573e51d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/untrusted_app_all.te
+++ /dev/null
@@ -1,106 +0,0 @@
-###
-### Untrusted_app_all.
-###
-### This file defines the rules shared by all untrusted app domains except
-### apps which target the v2 security sandbox (ephemeral_app for instant apps,
-### untrusted_v2_app for fully installed v2 apps).
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_all attribute is assigned to all default
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### attribute is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### Note that rules that should apply to all untrusted apps must be in app.te or also
-### added to untrusted_v2_app.te and ephemeral_app.te.
-
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
-
-# ASEC
-allow untrusted_app_all asec_apk_file:file r_file_perms;
-allow untrusted_app_all asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app_all shell_data_file:file r_file_perms;
-allow untrusted_app_all shell_data_file:dir r_dir_perms;
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app_all system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
-allow untrusted_app_all media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_app_all servicemanager:service_manager list;
-
-allow untrusted_app_all audioserver_service:service_manager find;
-allow untrusted_app_all cameraserver_service:service_manager find;
-allow untrusted_app_all drmserver_service:service_manager find;
-allow untrusted_app_all mediaserver_service:service_manager find;
-allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediacodec_service:service_manager find;
-allow untrusted_app_all mediametrics_service:service_manager find;
-allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all mediacasserver_service:service_manager find;
-allow untrusted_app_all nfc_service:service_manager find;
-allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
-allow untrusted_app_all app_api_service:service_manager find;
-allow untrusted_app_all vr_manager_service:service_manager find;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow untrusted_app_all perfprofd_data_file:file r_file_perms;
- allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
-')
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app_all self:process ptrace;
-
-# Cts: HwRngTest
-allow untrusted_app_all sysfs_hwrandom:dir search;
-allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded media content
-allow untrusted_app_all preloads_media_file:dir r_dir_perms;
-allow untrusted_app_all preloads_media_file:file r_file_perms;
-allow untrusted_app_all preloads_data_file:dir search;
-
-# Allow untrusted apps read / execute access to /vendor/app for there can
-# be pre-installed vendor apps that package a library within themselves.
-# TODO (b/37784178) Consider creating a special type for /vendor/app installed
-# apps.
-allow untrusted_app_all vendor_app_file:dir { open getattr read search };
-allow untrusted_app_all vendor_app_file:file { open getattr read execute };
-allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/prebuilts/api/26.0/private/untrusted_v2_app.te b/prebuilts/api/26.0/private/untrusted_v2_app.te
deleted file mode 100644
index ef628414d746f2b5a2997fb76c40c2f9e8e5d7fb..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/untrusted_v2_app.te
+++ /dev/null
@@ -1,43 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-typeattribute untrusted_v2_app coredomain;
-
-app_domain(untrusted_v2_app)
-net_domain(untrusted_v2_app)
-bluetooth_domain(untrusted_v2_app)
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_v2_app system_app_data_file:file { read write getattr };
-
-# Access to /data/media.
-allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
-allow untrusted_v2_app media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_v2_app mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_v2_app servicemanager:service_manager list;
-
-allow untrusted_v2_app audioserver_service:service_manager find;
-allow untrusted_v2_app cameraserver_service:service_manager find;
-allow untrusted_v2_app drmserver_service:service_manager find;
-allow untrusted_v2_app mediaserver_service:service_manager find;
-allow untrusted_v2_app mediaextractor_service:service_manager find;
-allow untrusted_v2_app mediacodec_service:service_manager find;
-allow untrusted_v2_app mediametrics_service:service_manager find;
-allow untrusted_v2_app mediadrmserver_service:service_manager find;
-allow untrusted_v2_app mediacasserver_service:service_manager find;
-allow untrusted_v2_app nfc_service:service_manager find;
-allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
-# TODO: potentially provide a tighter list of services here
-allow untrusted_v2_app app_api_service:service_manager find;
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_v2_app self:process ptrace;
diff --git a/prebuilts/api/26.0/private/update_engine.te b/prebuilts/api/26.0/private/update_engine.te
deleted file mode 100644
index f460272d1dc2bb034678c46e2935bd4415cd5ec8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/update_engine.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute update_engine coredomain;
-typeattribute update_engine domain_deprecated;
-
-init_daemon_domain(update_engine);
diff --git a/prebuilts/api/26.0/private/update_engine_common.te b/prebuilts/api/26.0/private/update_engine_common.te
deleted file mode 100644
index a7fb584717a67896ed22a205fa55f229846812e7..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/update_engine_common.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/prebuilts/api/26.0/private/update_verifier.te b/prebuilts/api/26.0/private/update_verifier.te
deleted file mode 100644
index 1b934d9805eff901c50e2f5c7277034b5941722a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/update_verifier.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute update_verifier coredomain;
-
-init_daemon_domain(update_verifier)
diff --git a/prebuilts/api/26.0/private/users b/prebuilts/api/26.0/private/users
deleted file mode 100644
index 51b7b57e6798ca0f476cf87d5de69ae956df26c7..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/26.0/private/vdc.te b/prebuilts/api/26.0/private/vdc.te
deleted file mode 100644
index bc7409eee5f72ec9c706f7d9e303c3ae9f84f7c4..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/vdc.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute vdc coredomain;
-
-init_daemon_domain(vdc)
diff --git a/prebuilts/api/26.0/private/virtual_touchpad.te b/prebuilts/api/26.0/private/virtual_touchpad.te
deleted file mode 100644
index e735172fed4128d3f841f0c4cef2c8e10a5c3bab..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/virtual_touchpad.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute virtual_touchpad coredomain;
-
-init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/26.0/private/vold.te b/prebuilts/api/26.0/private/vold.te
deleted file mode 100644
index f2416f895e98f1586ec1b7d983b259627f70f5d3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/vold.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute vold coredomain;
-typeattribute vold domain_deprecated;
-
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/prebuilts/api/26.0/private/vr_hwc.te b/prebuilts/api/26.0/private/vr_hwc.te
deleted file mode 100644
index 053c03d9867da94abbd7a32c1bce1a7586b6fa8d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/26.0/private/watchdogd.te b/prebuilts/api/26.0/private/watchdogd.te
deleted file mode 100644
index 36dd30fd77bbb1d38c7ab650449a24ce042e9ab5..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/watchdogd.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute watchdogd coredomain;
diff --git a/prebuilts/api/26.0/private/webview_zygote.te b/prebuilts/api/26.0/private/webview_zygote.te
deleted file mode 100644
index 501581abf3b3f091bc31b30b5641f844b2cd2517..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/webview_zygote.te
+++ /dev/null
@@ -1,116 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-typeattribute webview_zygote coredomain;
-
-# The webview_zygote needs to be able to transition domains.
-typeattribute webview_zygote mlstrustedsubject;
-
-# When init launches the WebView zygote's executable, transition the
-# resulting process into webview_zygote domain.
-init_daemon_domain(webview_zygote)
-
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
-# Access to the WebView relro file.
-allow webview_zygote shared_relro_file:dir search;
-allow webview_zygote shared_relro_file:file r_file_perms;
-
-# Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
-# Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow webview_zygote self:process setcurrent;
-allow webview_zygote isolated_app:process dyntransition;
-
-# For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
-allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
-
-# Allow webview_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow webview_zygote debugfs_trace_marker:file getattr;
-
-# Allow webview_zygote to manage the pgroup of its children.
-allow webview_zygote system_server:process getpgid;
-
-# Interaction between the webview_zygote and its children.
-allow webview_zygote isolated_app:process setpgid;
-
-# Get seapp_contexts
-allow webview_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(webview_zygote)
-# Check SELinux permissions.
-selinux_check_access(webview_zygote)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow webview_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow webview_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for init to exec() us.
-neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow webview_zygote property_socket:sock_file write;
-neverallow webview_zygote property_type:property_service set;
-
-# Should not have any access to app data files.
-neverallow webview_zygote {
- app_data_file
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
-}:file { rwx_file_perms };
-
-neverallow webview_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow webview_zygote access to /cache.
-neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
-neverallow webview_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow webview_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket
-} *;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/private/wificond.te b/prebuilts/api/26.0/private/wificond.te
deleted file mode 100644
index cc76447458de1cf79f864720b00617631f78aedd..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/wificond.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute wificond coredomain;
-
-init_daemon_domain(wificond)
-hal_client_domain(wificond, hal_wifi_offload)
diff --git a/prebuilts/api/26.0/private/zygote.te b/prebuilts/api/26.0/private/zygote.te
deleted file mode 100644
index daabbc06e766b622b26b4f59e4851016197f2d3e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/private/zygote.te
+++ /dev/null
@@ -1,134 +0,0 @@
-# zygote
-typeattribute zygote coredomain;
-typeattribute zygote domain_deprecated;
-typeattribute zygote mlstrustedsubject;
-
-init_daemon_domain(zygote)
-
-read_runtime_log_tags(zygote)
-
-# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
-
-# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
-
-# Switch SELinux context to app domains.
-allow zygote self:process setcurrent;
-allow zygote system_server:process dyntransition;
-allow zygote appdomain:process dyntransition;
-
-# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
-
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-
-# Read system data.
-allow zygote system_data_file:dir r_dir_perms;
-allow zygote system_data_file:file r_file_perms;
-
-# Write to /data/dalvik-cache.
-allow zygote dalvikcache_data_file:dir create_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-
-# Create symlinks in /data/dalvik-cache.
-allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-
-# Write to /data/resource-cache.
-allow zygote resourcecache_data_file:dir rw_dir_perms;
-allow zygote resourcecache_data_file:file create_file_perms;
-
-# When WITH_DEXPREOPT is true, the zygote does not load executable content from
-# /data/dalvik-cache.
-allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
-
-# Execute idmap and dex2oat within zygote's own domain.
-# TODO: Should either of these be transitioned to the same domain
-# used by installd or stay in-domain for zygote?
-allow zygote idmap_exec:file rx_file_perms;
-allow zygote dex2oat_exec:file rx_file_perms;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(zygote, vendor_overlay_file)
-
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
-
-# Allow zygote to stat the files that it opens. The zygote must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow zygote pmsg_device:chr_file getattr;
-allow zygote debugfs_trace_marker:file getattr;
-
-# Get seapp_contexts
-allow zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-
-# Native bridge functionality requires that zygote replaces
-# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
-allow zygote proc_cpuinfo:file mounton;
-
-# Allow remounting rootfs as MS_SLAVE.
-allow zygote rootfs:dir mounton;
-allow zygote tmpfs:filesystem { mount unmount };
-allow zygote fuse:filesystem { unmount };
-allow zygote sdcardfs:filesystem { unmount };
-
-# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir create_dir_perms;
-allow zygote mnt_user_file:lnk_file create_file_perms;
-# Allowed to mount user-specific storage into place
-allow zygote storage_file:dir { search mounton };
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file rx_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
-
-# Root fs.
-r_dir_file(zygote, rootfs)
-
-# System file accesses.
-r_dir_file(zygote, system_file)
-
-userdebug_or_eng(`
- # Allow zygote to create and write method traces in /data/misc/trace.
- allow zygote method_trace_data_file:dir w_dir_perms;
- allow zygote method_trace_data_file:file { create w_file_perms };
-')
-
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
-# Let the zygote access overlays so it can initialize the AssetManager.
-get_prop(zygote, overlay_prop)
-
-###
-### neverallow rules
-###
-
-# Ensure that all types assigned to app processes are included
-# in the appdomain attribute, so that all allow and neverallow rules
-# written on appdomain are applied to all app processes.
-# This is achieved by ensuring that it is impossible for zygote to
-# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
-
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
-neverallow zygote {
- data_file_type
- -dalvikcache_data_file # map PROT_EXEC
-}:file no_x_file_perms;
-
-# Do not allow access to Bluetooth-related system properties and files
-neverallow zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/public/adbd.te b/prebuilts/api/26.0/public/adbd.te
deleted file mode 100644
index 7ecd045fc0a8b8942b2e49056a58c4fd6c0fa36a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/adbd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type adbd, domain;
diff --git a/prebuilts/api/26.0/public/asan_extract.te b/prebuilts/api/26.0/public/asan_extract.te
deleted file mode 100644
index 6d0de6cf1fd517067cb55aeb27874028a4e98dfb..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/asan_extract.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# asan_extract
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-with_asan(`
- type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type;
-
- # Allow asan_extract to execute itself using #!/system/bin/sh
- allow asan_extract shell_exec:file rx_file_perms;
-
- # We execute log, rm, gzip and tar.
- allow asan_extract toolbox_exec:file rx_file_perms;
- allow asan_extract system_file:file execute_no_trans;
-
- # asan_extract deletes old /data/lib.
- allow asan_extract system_file:dir { open read remove_name rmdir write };
- allow asan_extract system_file:file unlink;
-
- # asan_extract untars ASAN libraries into /data.
- allow asan_extract system_data_file:dir create_dir_perms ;
- allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
-
- # Relabel the libraries with restorecon.
- allow asan_extract file_contexts_file:file r_file_perms;
- allow asan_extract system_data_file:{ dir file } relabelfrom;
- allow asan_extract system_file:dir { relabelto setattr };
- allow asan_extract system_file:file relabelto;
-
- # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
- allow asan_extract system_data_file:file execute;
-
- # We use asan.restore_reboot to signal a reboot is required.
- set_prop(asan_extract, asan_reboot_prop)
-')
diff --git a/prebuilts/api/26.0/public/attributes b/prebuilts/api/26.0/public/attributes
deleted file mode 100644
index cde55da19f52574828f6448ec4dee3b332e39cfd..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/attributes
+++ /dev/null
@@ -1,291 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# All types used for processes.
-attribute domain;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-# All types in /data, not in /data/vendor
-attribute core_data_file_type;
-# All types in /vendor
-attribute vendor_file_type;
-
-# All types use for sysfs files.
-attribute sysfs_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All properties used to configure log filtering.
-attribute log_property_type;
-
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which should be available to all ephemeral apps
-attribute ephemeral_app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All types used for services managed by hwservicemanager
-attribute hwservice_manager_type;
-
-# All HwBinder services guaranteed to be passthrough. These services always run
-# in the process of their clients, and thus operate with the same access as
-# their clients.
-attribute same_process_hwservice;
-
-# All HwBinder services guaranteed to be offered only by core domain components
-attribute coredomain_hwservice;
-
-# All types used for services managed by vndservicemanager
-attribute vndservice_manager_type;
-
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All third party apps.
-attribute untrusted_app_all;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# update_engine related domains that need to apply an update and run
-# postinstall. This includes the background daemon and the sideload tool from
-# recovery for A/B devices.
-attribute update_engine_common;
-
-# All core domains (as opposed to vendor/device-specific domains)
-attribute coredomain;
-
-# All socket devices owned by core domain components
-attribute coredomain_socket;
-
-# All vendor domains which violate the requirement of not using Binder
-# TODO(b/35870313): Remove this once there are no violations
-attribute binder_in_vendor_violators;
-
-# All vendor domains which violate the requirement of not using sockets for
-# communicating with core components
-# TODO(b/36577153): Remove this once there are no violations
-attribute socket_between_core_and_vendor_violators;
-
-# All vendor domains which violate the requirement of not executing
-# system processes
-# TODO(b/36463595)
-attribute vendor_executes_system_violators;
-
-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary. It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice;
-
-# PDX services
-attribute pdx_endpoint_dir_type;
-attribute pdx_endpoint_socket_type;
-attribute pdx_channel_socket_type;
-
-pdx_service_attributes(display_client)
-pdx_service_attributes(display_manager)
-pdx_service_attributes(display_screenshot)
-pdx_service_attributes(display_vsync)
-pdx_service_attributes(performance_client)
-pdx_service_attributes(bufferhub_client)
-
-# All HAL servers
-attribute halserverdomain;
-# All HAL clients
-attribute halclientdomain;
-
-# HALs
-attribute hal_allocator;
-attribute hal_allocator_client;
-attribute hal_allocator_server;
-attribute hal_audio;
-attribute hal_audio_client;
-attribute hal_audio_server;
-attribute hal_bluetooth;
-attribute hal_bluetooth_client;
-attribute hal_bluetooth_server;
-attribute hal_bootctl;
-attribute hal_bootctl_client;
-attribute hal_bootctl_server;
-attribute hal_camera;
-attribute hal_camera_client;
-attribute hal_camera_server;
-attribute hal_configstore;
-attribute hal_configstore_client;
-attribute hal_configstore_server;
-attribute hal_contexthub;
-attribute hal_contexthub_client;
-attribute hal_contexthub_server;
-attribute hal_drm;
-attribute hal_drm_client;
-attribute hal_drm_server;
-attribute hal_dumpstate;
-attribute hal_dumpstate_client;
-attribute hal_dumpstate_server;
-attribute hal_fingerprint;
-attribute hal_fingerprint_client;
-attribute hal_fingerprint_server;
-attribute hal_gatekeeper;
-attribute hal_gatekeeper_client;
-attribute hal_gatekeeper_server;
-attribute hal_gnss;
-attribute hal_gnss_client;
-attribute hal_gnss_server;
-attribute hal_graphics_allocator;
-attribute hal_graphics_allocator_client;
-attribute hal_graphics_allocator_server;
-attribute hal_graphics_composer;
-attribute hal_graphics_composer_client;
-attribute hal_graphics_composer_server;
-attribute hal_health;
-attribute hal_health_client;
-attribute hal_health_server;
-attribute hal_ir;
-attribute hal_ir_client;
-attribute hal_ir_server;
-attribute hal_keymaster;
-attribute hal_keymaster_client;
-attribute hal_keymaster_server;
-attribute hal_light;
-attribute hal_light_client;
-attribute hal_light_server;
-attribute hal_memtrack;
-attribute hal_memtrack_client;
-attribute hal_memtrack_server;
-attribute hal_nfc;
-attribute hal_nfc_client;
-attribute hal_nfc_server;
-attribute hal_oemlock;
-attribute hal_oemlock_client;
-attribute hal_oemlock_server;
-attribute hal_power;
-attribute hal_power_client;
-attribute hal_power_server;
-attribute hal_sensors;
-attribute hal_sensors_client;
-attribute hal_sensors_server;
-attribute hal_telephony;
-attribute hal_telephony_client;
-attribute hal_telephony_server;
-attribute hal_tetheroffload;
-attribute hal_tetheroffload_client;
-attribute hal_tetheroffload_server;
-attribute hal_thermal;
-attribute hal_thermal_client;
-attribute hal_thermal_server;
-attribute hal_tv_cec;
-attribute hal_tv_cec_client;
-attribute hal_tv_cec_server;
-attribute hal_tv_input;
-attribute hal_tv_input_client;
-attribute hal_tv_input_server;
-attribute hal_usb;
-attribute hal_usb_client;
-attribute hal_usb_server;
-attribute hal_vibrator;
-attribute hal_vibrator_client;
-attribute hal_vibrator_server;
-attribute hal_vr;
-attribute hal_vr_client;
-attribute hal_vr_server;
-attribute hal_weaver;
-attribute hal_weaver_client;
-attribute hal_weaver_server;
-attribute hal_wifi;
-attribute hal_wifi_client;
-attribute hal_wifi_server;
-attribute hal_wifi_keystore;
-attribute hal_wifi_keystore_client;
-attribute hal_wifi_keystore_server;
-attribute hal_wifi_offload;
-attribute hal_wifi_offload_client;
-attribute hal_wifi_offload_server;
-attribute hal_wifi_supplicant;
-attribute hal_wifi_supplicant_client;
-attribute hal_wifi_supplicant_server;
-
-# HwBinder services offered across the core-vendor boundary
-#
-# We annotate server domains with x_server to loosen the coupling between
-# system and vendor images. For example, it should be possible to move a service
-# from one core domain to another, without having to update the vendor image
-# which contains clients of this service.
-
-attribute display_service_server;
-attribute wifi_keystore_service_server;
diff --git a/prebuilts/api/26.0/public/audioserver.te b/prebuilts/api/26.0/public/audioserver.te
deleted file mode 100644
index 9a728582191a84e3000c4e17c4d54c01f195bfa1..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/audioserver.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# audioserver - audio services daemon
-type audioserver, domain;
diff --git a/prebuilts/api/26.0/public/blkid.te b/prebuilts/api/26.0/public/blkid.te
deleted file mode 100644
index dabe01452062f9d2d4c8fdb9938633daff89e548..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/blkid.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid called from vold
-type blkid, domain;
diff --git a/prebuilts/api/26.0/public/blkid_untrusted.te b/prebuilts/api/26.0/public/blkid_untrusted.te
deleted file mode 100644
index 4be4c0cb2371e5b89d6b8b05f534944e2aa9f72b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/blkid_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid for untrusted block devices
-type blkid_untrusted, domain;
diff --git a/prebuilts/api/26.0/public/bluetooth.te b/prebuilts/api/26.0/public/bluetooth.te
deleted file mode 100644
index 9b3442aa5b65cc56e831169890469f23d517772d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/bluetooth.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# bluetooth subsystem
-type bluetooth, domain;
diff --git a/prebuilts/api/26.0/public/bootanim.te b/prebuilts/api/26.0/public/bootanim.te
deleted file mode 100644
index e2584c3b45b372ed03b7f35e9b5c210a1ef083f7..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/bootanim.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
-
-hal_client_domain(bootanim, hal_graphics_allocator)
-hal_client_domain(bootanim, hal_graphics_composer)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-binder_call(bootanim, audioserver)
-
-hwbinder_use(bootanim)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim audioserver_service:service_manager find;
-allow bootanim surfaceflinger_service:service_manager find;
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-allow bootanim hal_graphics_allocator:fd use;
-
-# Fences
-allow bootanim hal_graphics_composer:fd use;
-
-# Read access to pseudo filesystems.
-r_dir_file(bootanim, proc)
-allow bootanim proc_meminfo:file r_file_perms;
-r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, cgroup)
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
diff --git a/prebuilts/api/26.0/public/bootstat.te b/prebuilts/api/26.0/public/bootstat.te
deleted file mode 100644
index f5c7268e0be590f2a1dd1920baf50bc8d2833724..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/bootstat.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# bootstat command
-type bootstat, domain;
-type bootstat_exec, exec_type, file_type;
-
-read_runtime_log_tags(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-# Read access to pseudo filesystems (for /proc/uptime).
-r_dir_file(bootstat, proc)
-
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
diff --git a/prebuilts/api/26.0/public/bufferhubd.te b/prebuilts/api/26.0/public/bufferhubd.te
deleted file mode 100644
index 274c2716b3a69141863a3eed0a11772f37f88ddf..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/bufferhubd.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# bufferhubd
-type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, exec_type, file_type;
-
-hal_client_domain(bufferhubd, hal_graphics_allocator)
-
-pdx_server(bufferhubd, bufferhub_client)
-pdx_client(bufferhubd, performance_client)
-
-# Access the GPU.
-allow bufferhubd gpu_device:chr_file rw_file_perms;
-
-# Access /dev/ion
-allow bufferhubd ion_device:chr_file r_file_perms;
-
-# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
-# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
-# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use pdx_client macro.
-allow bufferhubd mediacodec:fd use;
diff --git a/prebuilts/api/26.0/public/cameraserver.te b/prebuilts/api/26.0/public/cameraserver.te
deleted file mode 100644
index 0dd4a80ce16b1e8d88531b5ce16c406f59d80871..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/cameraserver.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# cameraserver - camera daemon
-type cameraserver, domain;
-type cameraserver_exec, exec_type, file_type;
-
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-hal_client_domain(cameraserver, hal_camera)
-
-hal_client_domain(cameraserver, hal_graphics_allocator)
-
-allow cameraserver ion_device:chr_file rw_file_perms;
-
-# Talk with graphics composer fences
-allow cameraserver hal_graphics_composer:fd use;
-
-add_service(cameraserver, cameraserver_service)
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-allow cameraserver hidl_token_hwservice:hwservice_manager find;
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/charger.te b/prebuilts/api/26.0/public/charger.te
deleted file mode 100644
index 4b20d1dd521477fac79936bd75cd104a9b3827fa..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/charger.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# charger seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type charger, domain;
-
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, sysfs_type)
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-
-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Write to /sys/power/state
-# TODO: Split into a separate type?
-allow charger sysfs:file write;
-
-allow charger sysfs_batteryinfo:file r_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
diff --git a/prebuilts/api/26.0/public/clatd.te b/prebuilts/api/26.0/public/clatd.te
deleted file mode 100644
index 212b76edee64ff5ceb097bc7511c6757a3b074c0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/clatd.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# 464xlat daemon
-type clatd, domain;
-type clatd_exec, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net)
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:capability { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/26.0/public/cppreopts.te b/prebuilts/api/26.0/public/cppreopts.te
deleted file mode 100644
index 8cbf8018728192c988294be60b22632ec9da157d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/cppreopts.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, exec_type, file_type;
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/26.0/public/crash_dump.te b/prebuilts/api/26.0/public/crash_dump.te
deleted file mode 100644
index ee617a171cf7fdc90531093b61943d88e65ede2f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/crash_dump.te
+++ /dev/null
@@ -1,60 +0,0 @@
-type crash_dump, domain;
-type crash_dump_exec, exec_type, file_type;
-
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
-
-userdebug_or_eng(`
- allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-')
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Write to the IPC pipe inherited from crashing processes.
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { write append };
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow crash_dump dalvikcache_data_file:dir { search getattr };
-allow crash_dump dalvikcache_data_file:file r_file_perms;
-
-# Read APK files.
-r_dir_file(crash_dump, apk_data_file);
-
-# Read all /vendor
-r_dir_file(crash_dump, { vendor_file same_process_hal_file })
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Talk to ActivityManager.
-unix_socket_connect(crash_dump, system_ndebug, system_server)
-
-# Append to ANR files.
-allow crash_dump anr_data_file:file { append getattr };
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-read_logd(crash_dump)
-
-###
-### neverallow assertions
-###
-
-# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
-# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/26.0/public/device.te b/prebuilts/api/26.0/public/device.te
deleted file mode 100644
index 4a3bec91f0bd14a6fd2bce9b5c2d05ca06d23833..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/device.te
+++ /dev/null
@@ -1,103 +0,0 @@
-# Device types
-type device, dev_type, fs_type;
-type alarm_device, dev_type, mlstrustedobject;
-type ashmem_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
-type audio_timer_device, dev_type;
-type audio_seq_device, dev_type;
-type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
-type vndbinder_device, dev_type;
-type block_device, dev_type;
-type camera_device, dev_type;
-type dm_device, dev_type;
-type keychord_device, dev_type;
-type loop_control_device, dev_type;
-type loop_device, dev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type rtc_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type cpuctl_device, dev_type;
-type fscklogs, dev_type;
-type full_device, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type kmem_device, dev_type;
-type port_device, dev_type;
-type log_device, dev_type, mlstrustedobject;
-type mtd_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type video_device, dev_type;
-type vcs_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type properties_device, dev_type;
-type properties_serial, dev_type;
-type i2c_device, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type;
-
-# System block device mounted on /system.
-type system_block_device, dev_type;
-
-# Recovery block device.
-type recovery_block_device, dev_type;
-
-# boot block device.
-type boot_block_device, dev_type;
-
-# Userdata block device mounted on /data.
-type userdata_block_device, dev_type;
-
-# Cache block device mounted on /cache.
-type cache_block_device, dev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-type metadata_block_device, dev_type;
-
-# The 'misc' partition used by recovery and A/B.
-type misc_block_device, dev_type;
diff --git a/prebuilts/api/26.0/public/dex2oat.te b/prebuilts/api/26.0/public/dex2oat.te
deleted file mode 100644
index 47f3bcb60bdae710edb451fcc7fcc4c90bfce0bb..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/dex2oat.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# dex2oat
-type dex2oat, domain;
-type dex2oat_exec, exec_type, file_type;
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
-
-allow dex2oat tmpfs:file { read getattr };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat dalvikcache_data_file:lnk_file read;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-allow dex2oat postinstall_file:dir { getattr search };
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file read;
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/26.0/public/dhcp.te b/prebuilts/api/26.0/public/dhcp.te
deleted file mode 100644
index 2b54b7f8850443e9ec5b18b08cca0bedfb6eabbc..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/dhcp.te
+++ /dev/null
@@ -1,30 +0,0 @@
-type dhcp, domain;
-type dhcp_exec, exec_type, file_type;
-
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
-
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/26.0/public/display_service_server.te b/prebuilts/api/26.0/public/display_service_server.te
deleted file mode 100644
index c5839fa544b524ab61fdcddd991a93294955ae80..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/display_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/prebuilts/api/26.0/public/dnsmasq.te b/prebuilts/api/26.0/public/dnsmasq.te
deleted file mode 100644
index ccac69a3370c0e65a91a4dcaf1b41fd2d187ad5c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/dnsmasq.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# DNS, DHCP services
-type dnsmasq, domain;
-type dnsmasq_exec, exec_type, file_type;
-
-net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
-
-# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
-
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
deleted file mode 100644
index d2b370a21b244e639d80b16f2bd29c7ae74554cd..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/domain.te
+++ /dev/null
@@ -1,1028 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- getattr
- setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
- # Same as adbd rules above, except allow su to do the same thing
- allow domain su:unix_stream_socket connectto;
- allow domain su:fd use;
- allow domain su:unix_stream_socket { getattr getopt read write shutdown };
-
- allow { domain -init } su:binder { call transfer };
- allow { domain -init } su:fd use;
-
- # Running something like "pm dump com.android.bluetooth" requires
- # fifo writes
- allow domain su:fifo_file { write getattr };
-
- # allow "gdbserver --attach" to work for su.
- allow domain su:process sigchld;
-
- # Allow writing coredumps to /cores/*
- allow domain coredump_file:file create_file_perms;
- allow domain coredump_file:dir ra_dir_perms;
-')
-
-# Root fs.
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
- coredomain
- appdomain
- binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
-allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-get_prop(domain, core_property_type)
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts_file:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# System file accesses.
-allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
-allow domain system_file:lnk_file { getattr read };
-
-# Make sure system/vendor split doesn not affect non-treble
-# devices
-not_full_treble(`
- allow domain vendor_file_type:dir { search getattr };
- allow domain vendor_file_type:file { execute read open getattr };
- allow domain vendor_file_type:lnk_file { getattr read };
-')
-
-# All domains are allowed to open and read directories
-# that contain HAL implementations (e.g. passthrough
-# HALs require clients to have these permissions)
-allow domain vendor_hal_file:dir r_dir_perms;
-
-# Everyone can read and execute all same process HALs
-allow domain same_process_hal_file:dir r_dir_perms;
-allow domain same_process_hal_file:file { execute read open getattr };
-
-# Any process can load vndk-sp libraries, which are system libraries
-# used by same process HALs
-allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr };
-
-full_treble_only(`
- # Allow all domains to be able to follow /system/vendor symlink
- allow domain vendor_file:lnk_file { getattr open read };
-
- # This is required to be able to search & read /vendor/lib64
- # in order to lookup vendor libraries. The execute permission
- # for coredomains is granted *only* for same process HALs
- allow domain vendor_file:dir { getattr search };
-
- # Allow reading and executing out of /vendor to all vendor domains
- allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
- allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
- allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-')
-
-# read any sysfs symlinks
-allow domain sysfs:lnk_file read;
-
-# libc references /data/misc/zoneinfo for timezone related information
-# This directory is considered to be a VNDK-stable
-r_dir_file(domain, zoneinfo_data_file)
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
-allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_file. Vendor components need the search
-# permission on system_data_file for path traversal to /data/vendor.
-allow domain system_data_file:dir search;
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# jemalloc needs to read /proc/sys/vm/overcommit_memory
-allow domain proc_overcommit_memory:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to a whitelist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
-allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
- ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
-# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:service_manager { add find };
-
-###
-### neverallow rules
-###
-
-# All socket ioctls must be restricted to a whitelist.
-neverallowxperm domain domain:socket_class_set ioctl { 0 };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init or recovery to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these whitelisted domains.
-neverallow {
- domain
- -kernel
- -init
- -ueventd
- -vold
-} self:capability mknod;
-
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
-neverallow {
- domain
- userdebug_or_eng(`-domain')
- -kernel
- -init
- -recovery
- -ueventd
- -healthd
- -uncrypt
- -tee
-} self:capability sys_rawio;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
-
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only init, ueventd, shell and system_server should be able to access HW RNG
-neverallow {
- domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
-} hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
- domain
- -shell # For CTS and is restricted to getattr in shell.te
- -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
-#Ensure that nothing in userspace can access /dev/port
-neverallow {
- domain
- -shell # Shell user should not have any abilities outside of getattr
- -ueventd
-} port_device:chr_file *;
-neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append open read write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -dumpstate
- -shell
- userdebug_or_eng(`-su')
- -system_server
- -webview_zygote
- -zygote
-} {
- file_type
- -system_file
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-neverallow {
- domain
- -appdomain # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Only recovery should be doing writes to /system & /vendor
-neverallow {
- domain
- -recovery
- with_asan(`-asan_extract')
-} {
- system_file
- vendor_file_type
- exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow { domain -recovery } contextmount_type:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
-
-# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
-neverallow {
- domain
- -adbd
- -dumpstate
- -hal_drm
- -init
- -mediadrmserver
- -recovery
- -shell
- -system_server
-} serialno_prop:file r_file_perms;
-
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
-
-neverallow {
- domain
- -init
- -recovery
- -system_server
- -shell # Shell is further restricted in shell.te
- -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file no_rw_file_perms;
-
-# The metadata block device is set aside for device encryption and
-# verified boot metadata. It may be reset at will and should not
-# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
-
-# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
-
-# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
-
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -hal_bootctl
- -init
- -uncrypt
- -update_engine
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } binder_device:chr_file rw_file_perms;
- neverallow {
- domain
- -coredomain
- -appdomain # restrictions for vendor apps are declared lower down
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } service_manager_type:service_manager find;
- # Vendor apps are permited to use only stable public services. If they were to use arbitrary
- # services which can change any time framework/core is updated, breakage is likely.
- neverallow {
- appdomain
- -coredomain
- } {
- service_manager_type
- -app_api_service
- -ephemeral_app_api_service
- -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
- -cameraserver_service
- -drmserver_service
- -keystore_service
- -mediacasserver_service
- -mediadrmserver_service
- -mediaextractor_service
- -mediametrics_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -virtual_touchpad_service
- -vr_hwc_service
- -vr_manager_service
- }:service_manager find;
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } servicemanager:binder { call transfer };
- neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
-')
-
-# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- -ueventd # uevent is granted create for this device, but we still neverallow I/O below
- } vndbinder_device:chr_file rw_file_perms;
- neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservice_manager_type:service_manager *;
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservicemanager:binder *;
-')
-
-# On full TREBLE devices, socket communications between core components and vendor components are
-# not permitted.
-full_treble_only(`
- # Most general rules first, more specific rules below.
-
- # Core domains are not permitted to initiate communications to vendor domain sockets.
- # We are not restricting the use of already established sockets because it is fine for a process
- # to obtain an already established socket via some public/official/stable API and then exchange
- # data with its peer over that socket. The wire format in this scenario is dicatated by the API
- # and thus does not break the core-vendor separation.
- neverallow_establish_socket_comms({
- coredomain
- -init
- -adbd
- }, {
- domain
- -coredomain
- -socket_between_core_and_vendor_violators
- });
- # Vendor domains are not permitted to initiate communications to core domain sockets
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
- -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
- });
- neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
-
- # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -netdomain
- -socket_between_core_and_vendor_violators
- }, netd);
-
- # Vendor domains are not permitted to initiate create/open sockets owned by core domains
- neverallow {
- domain
- -coredomain
- -appdomain # appdomain restrictions below
- -socket_between_core_and_vendor_violators
- } {
- coredomain_socket
- core_data_file_type
- unlabeled # used only by core domains
- }:sock_file ~{ append getattr ioctl read write };
- neverallow {
- appdomain
- -coredomain
- } {
- coredomain_socket
- unlabeled # used only by core domains
- core_data_file_type
- -app_data_file
- -pdx_endpoint_socket_type # used by VR layer
- -pdx_channel_socket_type # used by VR layer
- }:sock_file ~{ append getattr ioctl read write };
- neverallow {
- pdx_endpoint_socket_type
- pdx_channel_socket_type
- } unlabeled:service_manager list; #TODO: b/62658302
-
- # Core domains are not permitted to create/open sockets owned by vendor domains
- neverallow {
- coredomain
- -init
- -ueventd
- -socket_between_core_and_vendor_violators
- } {
- file_type
- dev_type
- -coredomain_socket
- -core_data_file_type
- -unlabeled
- }:sock_file ~{ append getattr ioctl read write };
-')
-
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -system_server
- } vendor_app_file:dir { open read getattr search };
-
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -system_server
- } vendor_app_file:{ file lnk_file } r_file_perms;
-
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -zygote
- } vendor_overlay_file:dir { getattr open read search };
-
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -zygote
- } vendor_overlay_file:{ file lnk_file } r_file_perms;
-
- # Non-vendor domains are not allowed to file execute shell
- # from vendor
- neverallow {
- coredomain
- -init
- } vendor_shell_exec:file { execute execute_no_trans };
-
- # Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
- neverallow {
- domain
- -coredomain
- -appdomain
- -rild
- -vendor_executes_system_violators
- } {
- exec_type
- -vendor_file_type
- -crash_dump_exec
- -netutils_wrapper_exec
- }:file { entrypoint execute execute_no_trans };
- neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
-')
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote_socket:sock_file write;
-
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -system_server
-
- # Processes that can't exec crash_dump
- -mediacodec
- -mediaextractor
-} tombstoned:unix_stream_socket connectto;
-neverallow {
- domain
- -crash_dump
- -mediacodec
- -mediaextractor
-} tombstoned_crash_socket:sock_file write;
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
- file_type
- -apk_data_file
- -app_data_file
- -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_all } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
- domain
- -system_server
- -system_app
- -init
- -installd # for relabelfrom and unlink, check for this in explicit neverallow
- with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
-
-# Services should respect app sandboxes
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
- domain
- -adbd
- -init
- -runas
- -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su') -bluetooth
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
- domain
- -appdomain
- -installd
- -uncrypt # TODO: see if we can remove
-} app_data_file:lnk_file read;
-
-neverallow {
- domain
- -shell
- userdebug_or_eng(`-uncrypt')
- -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -init
- -installd
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-
-# servicemanager and vndservicemanager are the only processes which handle the
-# service_manager list request
-neverallow * ~{
- servicemanager
- vndservicemanager
- }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
-neverallow {
- domain
- -installd
- -profman
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time or
-# during upgrade by recovery.
-neverallow {
- domain
- -recovery
-} self:capability setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
diff --git a/prebuilts/api/26.0/public/drmserver.te b/prebuilts/api/26.0/public/drmserver.te
deleted file mode 100644
index f752c13ee8dcaf544154395dd86aea68b66e7185..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/drmserver.te
+++ /dev/null
@@ -1,58 +0,0 @@
-# drmserver - DRM service
-type drmserver, domain;
-type drmserver_exec, exec_type, file_type;
-
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-# Inherit or receive open files from system_server.
-allow drmserver system_server:fd use;
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
-r_dir_file(drmserver, efs_file)
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket. Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-allow drmserver drmserver_socket:sock_file create_file_perms;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-add_service(drmserver, drmserver_service)
-allow drmserver permission_service:service_manager find;
-
-selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/26.0/public/dumpstate.te b/prebuilts/api/26.0/public/dumpstate.te
deleted file mode 100644
index 4f66ffb4a7daca1ce0d5ade9aff15219678781e8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/dumpstate.te
+++ /dev/null
@@ -1,215 +0,0 @@
-# dumpstate
-type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, exec_type, file_type;
-
-net_domain(dumpstate)
-binder_use(dumpstate)
-wakelock_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-allow dumpstate self:capability {
- # Send signals to processes
- kill
- # Run iptables
- net_raw
- net_admin
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Read dmesg
-allow dumpstate self:capability2 syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server }:process signal;
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- # This list comes from native_processes_to_dump in dumpstate/utils.c
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-
- # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_graphics_composer_server
- hal_vr_server
- mediacodec # TODO(b/36375899): hal_omx_server
-}:process signal;
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
-
-# Other random bits of data we want to collect
-allow dumpstate qtaguid_proc:file r_file_perms;
-allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { storage_file block_device }:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-
-# Read /dev/cpuctl and /dev/cpuset
-r_dir_file(dumpstate, cgroup)
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
-
-hal_client_domain(dumpstate, hal_dumpstate)
-hal_client_domain(dumpstate, hal_graphics_allocator)
-# Vibrate the device after we are done collecting the bugreport
-hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:dir { search getattr };
-allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
-
-# For Bluetooth
-allow dumpstate bluetooth_data_file:dir search;
-allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
-allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-read_runtime_log_tags(dumpstate)
-
-# Read /proc/net
-allow dumpstate proc_net:file r_file_perms;
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
- allow dumpstate user_profile_data_file:file r_file_perms;
-')
-
-# Access /data/misc/logd
-userdebug_or_eng(`
- allow dumpstate misc_logd_file:dir r_dir_perms;
- allow dumpstate misc_logd_file:file r_file_perms;
-')
-
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-allow dumpstate servicemanager:service_manager list;
-allow dumpstate hwservicemanager:hwservice_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow dumpstate media_rw_data_file:dir getattr;
-allow dumpstate proc_interrupts:file r_file_perms;
-allow dumpstate proc_zoneinfo:file r_file_perms;
-
-# Create a service for talking back to system_server
-add_service(dumpstate, dumpstate_service)
-
-###
-### neverallow rules
-###
-
-# dumpstate has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow dumpstate *:process ptrace;
-
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/prebuilts/api/26.0/public/ephemeral_app.te b/prebuilts/api/26.0/public/ephemeral_app.te
deleted file mode 100644
index dc39a22b59ddfca70a42208b143c68caf4b133b3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/ephemeral_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-type ephemeral_app, domain;
diff --git a/prebuilts/api/26.0/public/file.te b/prebuilts/api/26.0/public/file.te
deleted file mode 100644
index 057af41338ec236edbbb4c271a3471d75f3bcab3..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/file.te
+++ /dev/null
@@ -1,337 +0,0 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-type proc_drop_caches, fs_type;
-type proc_overcommit_memory, fs_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_cpuinfo, fs_type;
-type proc_interrupts, fs_type;
-type proc_iomem, fs_type;
-type proc_meminfo, fs_type;
-type proc_misc, fs_type;
-type proc_modules, fs_type;
-type proc_net, fs_type;
-type proc_perf, fs_type;
-type proc_stat, fs_type;
-type proc_sysrq, fs_type;
-type proc_timer, fs_type;
-type proc_tty_drivers, fs_type;
-type proc_uid_cputime_showstat, fs_type;
-type proc_uid_cputime_removeuid, fs_type;
-type proc_uid_io_stats, fs_type;
-type proc_uid_procstat_set, fs_type;
-type proc_zoneinfo, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
-type cgroup, fs_type, mlstrustedobject;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_leds, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
-type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
-type configfs, fs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-# /sys/module/wlan/parameters/fwpath
-type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-
-type sysfs_thermal, sysfs_type, fs_type;
-
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
-type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
-type tracing_shell_writable, fs_type, debugfs_type;
-type tracing_shell_writable_debug, fs_type, debugfs_type;
-
-type pstorefs, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type oemfs, fs_type, contextmount_type;
-type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-
-# Default type for anything under /system.
-type system_file, file_type;
-
-# Default type for directories search for
-# HAL implementations
-type vendor_hal_file, vendor_file_type, file_type;
-# Default type for under /vendor or /system/vendor
-type vendor_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/app
-type vendor_app_file, vendor_file_type, file_type;
-# Default type for everything under /vendor/etc/
-type vendor_configs_file, vendor_file_type, file_type;
-# Default type for all *same process* HALs.
-# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
-type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-sp libs. /vendor/lib/vndk-sp
-type vndk_sp_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/framework
-type vendor_framework_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/overlay
-type vendor_overlay_file, vendor_file_type, file_type;
-
-# Speedup access for trusted applications to the runtime event tags
-type runtime_event_log_tags_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type, core_data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# /data/.layout_version or other installd-created files that
-# are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type, core_data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type, core_data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type, core_data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, core_data_file_type;
-type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type, core_data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/property
-type property_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type, core_data_file_type;
-# /data/preloads/media
-type preloads_media_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/dhcp and /data/misc/dhcp-6.8.2
-type dhcp_data_file, file_type, data_file_type, core_data_file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_expand_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
-type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
-type bootstat_data_file, file_type, data_file_type, core_data_file_type;
-type boottrace_data_file, file_type, data_file_type, core_data_file_type;
-type camera_data_file, file_type, data_file_type, core_data_file_type;
-type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
-type incident_data_file, file_type, data_file_type, core_data_file_type;
-type keychain_data_file, file_type, data_file_type, core_data_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type media_data_file, file_type, data_file_type, core_data_file_type;
-type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type, core_data_file_type;
-type net_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type, core_data_file_type;
-type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type;
-type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
-type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
-type vpn_data_file, file_type, data_file_type, core_data_file_type;
-type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
-type vold_data_file, file_type, data_file_type, core_data_file_type;
-type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tee_data_file, file_type, data_file_type;
-type update_engine_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-# Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type, core_data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type, core_data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type, core_data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-
-# Socket types
-type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type;
-type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type, coredomain_socket;
-type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type, coredomain_socket;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, coredomain_socket;
-type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type uncrypt_socket, file_type, coredomain_socket;
-type vold_socket, file_type, coredomain_socket;
-type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type;
-type zygote_socket, file_type, coredomain_socket;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# PDX endpoint types
-type pdx_display_dir, pdx_endpoint_dir_type, file_type;
-type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
-
-pdx_service_socket_types(display_client, pdx_display_dir)
-pdx_service_socket_types(display_manager, pdx_display_dir)
-pdx_service_socket_types(display_screenshot, pdx_display_dir)
-pdx_service_socket_types(display_vsync, pdx_display_dir)
-pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
-
-# file_contexts files
-type file_contexts_file, file_type;
-
-# mac_permissions file
-type mac_perms_file, file_type;
-
-# property_contexts file
-type property_contexts_file, file_type;
-
-# seapp_contexts file
-type seapp_contexts_file, file_type;
-
-# sepolicy files binary and others
-type sepolicy_file, file_type;
-
-# service_contexts file
-type service_contexts_file, file_type;
-
-# hwservice_contexts file
-type hwservice_contexts_file, file_type;
-
-# vndservice_contexts file
-type vndservice_contexts_file, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-# type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/26.0/public/fingerprintd.te b/prebuilts/api/26.0/public/fingerprintd.te
deleted file mode 100644
index 5dd18a352a26df126f30b06f2ac5d4d1eaf66d4e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/fingerprintd.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type fingerprintd, domain;
-type fingerprintd_exec, exec_type, file_type;
-
-binder_use(fingerprintd)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow fingerprintd system_file:dir r_dir_perms;
-
-# need to find KeyStore and add self
-add_service(fingerprintd, fingerprintd_service)
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
-
-r_dir_file(fingerprintd, cgroup)
-r_dir_file(fingerprintd, sysfs_type)
-allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/26.0/public/fsck.te b/prebuilts/api/26.0/public/fsck.te
deleted file mode 100644
index b682a877f0de5c1d6b7eac98fad9e3fc2e1eeb19..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/fsck.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# Any fsck program run by init
-type fsck, domain;
-type fsck_exec, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck block_device:dir search;
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck dev_type:blk_file getattr;
-
-r_dir_file(fsck, proc)
-allow fsck rootfs:dir r_dir_perms;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/public/fsck_untrusted.te b/prebuilts/api/26.0/public/fsck_untrusted.te
deleted file mode 100644
index e2aceb87b00b4abc470fb121a7502951388c5312..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/fsck_untrusted.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-r_dir_file(fsck_untrusted, proc)
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck_untrusted dev_type:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/public/gatekeeperd.te b/prebuilts/api/26.0/public/gatekeeperd.te
deleted file mode 100644
index ff369567b6d9c2a548876504f838d1e7fa322055..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/gatekeeperd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-type gatekeeperd, domain;
-type gatekeeperd_exec, exec_type, file_type;
-
-# gatekeeperd
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-
-### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
-### These rules should eventually be granted only when needed.
-allow gatekeeperd tee_device:chr_file rw_file_perms;
-allow gatekeeperd ion_device:chr_file r_file_perms;
-# Load HAL implementation
-allow gatekeeperd system_file:dir r_dir_perms;
-###
-
-### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
-### These rules should eventually be granted only when needed.
-hal_client_domain(gatekeeperd, hal_gatekeeper)
-###
-
-# need to find KeyStore and add self
-add_service(gatekeeperd, gatekeeper_service)
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-
-# For parent user ID lookup
-allow gatekeeperd user_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-r_dir_file(gatekeeperd, cgroup)
diff --git a/prebuilts/api/26.0/public/global_macros b/prebuilts/api/26.0/public/global_macros
deleted file mode 100644
index a61ffbc42a6e0e98b652bc3c6155d9b58466eb05..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/global_macros
+++ /dev/null
@@ -1,48 +0,0 @@
-#####################################
-# Common groupings of object classes.
-#
-define(`capability_class_set', `{ capability capability2 }')
-
-define(`devfile_class_set', `{ chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
-define(`dir_file_class_set', `{ dir file_class_set }')
-
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-define(`ipc_class_set', `{ sem msgq shm ipc }')
-
-#####################################
-# Common groupings of permissions.
-#
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
-define(`rx_file_perms', `{ r_file_perms x_file_perms }')
-define(`ra_file_perms', `{ r_file_perms append }')
-define(`rw_file_perms', `{ r_file_perms w_file_perms }')
-define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
-
-define(`r_dir_perms', `{ open getattr read search ioctl lock }')
-define(`w_dir_perms', `{ open search write add_name remove_name lock }')
-define(`ra_dir_perms', `{ r_dir_perms add_name write }')
-define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
-
-define(`r_ipc_perms', `{ getattr read associate unix_read }')
-define(`w_ipc_perms', `{ write unix_write }')
-define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
-define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
-
-#####################################
-# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`create_socket_perms', `{ create rw_socket_perms }')
-define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/26.0/public/hal_allocator.te b/prebuilts/api/26.0/public/hal_allocator.te
deleted file mode 100644
index 646cebdebec48a251147e2e8d984b95102e70ccc..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_allocator.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_allocator_client, hal_allocator_server)
-
-add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
-allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_audio.te b/prebuilts/api/26.0/public/hal_audio.te
deleted file mode 100644
index 33330bf6bdf859c7fa2c5539f39924f9aa346b5d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_audio.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audio_client, hal_audio_server)
-binder_call(hal_audio_server, hal_audio_client)
-
-add_hwservice(hal_audio_server, hal_audio_hwservice)
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
-
-allow hal_audio ion_device:chr_file r_file_perms;
-
-userdebug_or_eng(`
- # used for pcm capture for debug.
- allow hal_audio audiohal_data_file:dir create_dir_perms;
- allow hal_audio audiohal_data_file:file create_file_perms;
-')
-
-r_dir_file(hal_audio, proc)
-allow hal_audio audio_device:dir r_dir_perms;
-allow hal_audio audio_device:chr_file rw_file_perms;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_audio shell:fd use;
-allow hal_audio shell:fifo_file write;
-allow hal_audio dumpstate:fd use;
-allow hal_audio dumpstate:fifo_file write;
-
-###
-### neverallow rules
-###
-
-# Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
-
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/prebuilts/api/26.0/public/hal_bluetooth.te b/prebuilts/api/26.0/public/hal_bluetooth.te
deleted file mode 100644
index 2394e2ebcd393d6153d8c896fb2986be6ef9cd04..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_bluetooth.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_bluetooth_client, hal_bluetooth_server)
-binder_call(hal_bluetooth_server, hal_bluetooth_client)
-
-add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
-
-wakelock_use(hal_bluetooth);
-
-# The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:capability net_admin;
-
-# bluetooth factory file accesses.
-r_dir_file(hal_bluetooth, bluetooth_efs_file)
-
-allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(hal_bluetooth, sysfs_type)
-allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:capability2 wake_alarm;
-
-# Allow write access to bluetooth-specific properties
-set_prop(hal_bluetooth, bluetooth_prop)
-
-# /proc access (bluesleep etc.).
-allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_bluetooth self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_bootctl.te b/prebuilts/api/26.0/public/hal_bootctl.te
deleted file mode 100644
index 8b240b1ce3013649202b0908dddf63b5e905e630..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_bootctl.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_bootctl_client, hal_bootctl_server)
-binder_call(hal_bootctl_server, hal_bootctl_client)
-
-add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_camera.te b/prebuilts/api/26.0/public/hal_camera.te
deleted file mode 100644
index 413a057bc803f2fbf9430c254bfdf30f68eb5f8c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_camera.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# HwBinder IPC from clients to server and callbacks
-binder_call(hal_camera_client, hal_camera_server)
-binder_call(hal_camera_server, hal_camera_client)
-
-add_hwservice(hal_camera_server, hal_camera_hwservice)
-allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
-
-# access /data/misc/camera
-allow hal_camera camera_data_file:dir create_dir_perms;
-allow hal_camera camera_data_file:file create_file_perms;
-
-allow hal_camera video_device:dir r_dir_perms;
-allow hal_camera video_device:chr_file rw_file_perms;
-allow hal_camera camera_device:chr_file rw_file_perms;
-allow hal_camera ion_device:chr_file rw_file_perms;
-# Both the client and the server need to use the graphics allocator
-allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-
-# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
-allow hal_camera { appdomain -isolated_app }:fd use;
-allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator_server:fd use;
-
-###
-### neverallow rules
-###
-
-# hal_camera should never execute any executable without a
-# domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
-
-# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only camera HAL may directly access the camera hardware
-neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/26.0/public/hal_configstore.te b/prebuilts/api/26.0/public/hal_configstore.te
deleted file mode 100644
index 4bf6cfd522748f0d4db61f771e737059dec4e18a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_configstore.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_configstore_client, hal_configstore_server)
-
-add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
-# As opposed to the rules of most other HALs, the different services exposed by
-# this HAL should be restricted to different clients. Thus, the allow rules for
-# clients are defined in the .te files of the clients.
diff --git a/prebuilts/api/26.0/public/hal_contexthub.te b/prebuilts/api/26.0/public/hal_contexthub.te
deleted file mode 100644
index f11bfc816e0e48820181b36b9b93c5b16cceb92f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_contexthub.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_contexthub_client, hal_contexthub_server)
-binder_call(hal_contexthub_server, hal_contexthub_client)
-
-add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_drm.te b/prebuilts/api/26.0/public/hal_drm.te
deleted file mode 100644
index 5a6bf5c740b2971db539cb95f80c6961106b2231..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_drm.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_drm_client, hal_drm_server)
-binder_call(hal_drm_server, hal_drm_client)
-
-add_hwservice(hal_drm_server, hal_drm_hwservice)
-allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
-
-allow hal_drm hidl_memory_hwservice:hwservice_manager find;
-
-# Required by Widevine DRM (b/22990512)
-allow hal_drm self:process execmem;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_drm, serialno_prop)
-
-# System file accesses
-allow hal_drm system_file:dir r_dir_perms;
-allow hal_drm system_file:file r_file_perms;
-allow hal_drm system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data
-allow hal_drm system_data_file:dir { search getattr };
-allow hal_drm system_data_file:file { getattr read };
-allow hal_drm system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems
-r_dir_file(hal_drm, cgroup)
-allow hal_drm cgroup:dir { search write };
-allow hal_drm cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
-allow hal_drm hal_graphics_allocator:fd use;
-
-# Allow access to fds allocated by mediaserver
-allow hal_drm mediaserver:fd use;
-
-# Allow access to app_data and media_data_files
-allow hal_drm media_data_file:dir create_dir_perms;
-allow hal_drm media_data_file:file create_file_perms;
-allow hal_drm media_data_file:file { getattr read };
-
-allow hal_drm sysfs:file r_file_perms;
-
-allow hal_drm tee_device:chr_file rw_file_perms;
-
-# only allow unprivileged socket ioctl commands
-allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-###
-### neverallow rules
-###
-
-# hal_drm should never execute any executable without a
-# domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/26.0/public/hal_dumpstate.te b/prebuilts/api/26.0/public/hal_dumpstate.te
deleted file mode 100644
index 2853567e0c2b2b4d5bb7bf968d1faf374a9e40ea..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_dumpstate.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_dumpstate_client, hal_dumpstate_server)
-binder_call(hal_dumpstate_server, hal_dumpstate_client)
-
-add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
-
-# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
-allow hal_dumpstate shell_data_file:file write;
-# allow reading /proc/interrupts for all hal impls
-allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_fingerprint.te b/prebuilts/api/26.0/public/hal_fingerprint.te
deleted file mode 100644
index bef9f556ee8a94519e5ff1bb540d52234b577233..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_fingerprint.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_fingerprint_client, hal_fingerprint_server)
-binder_call(hal_fingerprint_server, hal_fingerprint_client)
-
-add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
-
-# allow HAL module to read dir contents
-allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
-
-# allow HAL module to read/write/unlink contents of this dir
-allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-
-# For memory allocation
-allow hal_fingerprint ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, sysfs)
diff --git a/prebuilts/api/26.0/public/hal_gatekeeper.te b/prebuilts/api/26.0/public/hal_gatekeeper.te
deleted file mode 100644
index 123acf5674f26f776fbe82eadff8aa8bcd4c4c8a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_gatekeeper.te
+++ /dev/null
@@ -1,8 +0,0 @@
-binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
-
-add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
-
-# TEE access.
-allow hal_gatekeeper tee_device:chr_file rw_file_perms;
-allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_gnss.te b/prebuilts/api/26.0/public/hal_gnss.te
deleted file mode 100644
index b59cd1d5a6aba07027b153b15273f9c5b86ee358..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_gnss.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_gnss_client, hal_gnss_server)
-binder_call(hal_gnss_server, hal_gnss_client)
-
-add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_graphics_allocator.te b/prebuilts/api/26.0/public/hal_graphics_allocator.te
deleted file mode 100644
index f56e8f6d72297e4658a4a7c307634732d6c3b0e4..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_graphics_allocator.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
-
-add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
-allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
-allow hal_graphics_allocator ion_device:chr_file r_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_graphics_composer.te b/prebuilts/api/26.0/public/hal_graphics_composer.te
deleted file mode 100644
index 287037c6e0e621f41fc301451512dc7223dd8839..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_graphics_composer.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
-binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-
-add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
-
-# Coordinate with hal_graphics_mapper
-allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
-allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer hal_graphics_allocator:fd use;
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:dir search;
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-
-# Fences
-allow hal_graphics_composer system_server:fd use;
-allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer appdomain:fd use;
-
-# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_health.te b/prebuilts/api/26.0/public/hal_health.te
deleted file mode 100644
index c19c5f1d78f8e931b1c02d8b4294d2936c43997a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_health.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_client, hal_health_server)
-binder_call(hal_health_server, hal_health_client)
-
-add_hwservice(hal_health_server, hal_health_hwservice)
-allow hal_health_client hal_health_hwservice:hwservice_manager find;
-
-# Read access to system files for HALs in
-# /{system,vendor,odm}/lib[64]/hw/ in order
-# to be able to open the hal implementation .so files
-r_dir_file(hal_health, system_file)
diff --git a/prebuilts/api/26.0/public/hal_ir.te b/prebuilts/api/26.0/public/hal_ir.te
deleted file mode 100644
index b1bfdd804b144b92c786e34f5a6b7ceebc3868b0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_ir.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_ir_client, hal_ir_server)
-binder_call(hal_ir_server, hal_ir_client)
-
-add_hwservice(hal_ir_server, hal_ir_hwservice)
-allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_keymaster.te b/prebuilts/api/26.0/public/hal_keymaster.te
deleted file mode 100644
index dc5f6d01d15ea48f280c0be36162699246245bc1..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_keymaster.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_keymaster_client, hal_keymaster_server)
-
-add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
-
-allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_light.te b/prebuilts/api/26.0/public/hal_light.te
deleted file mode 100644
index 5b93dd115fd478a1c9a396ca898ca1f688f16ac4..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_light.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_light_client, hal_light_server)
-binder_call(hal_light_server, hal_light_client)
-
-add_hwservice(hal_light_server, hal_light_hwservice)
-allow hal_light_client hal_light_hwservice:hwservice_manager find;
-
-allow hal_light sysfs_leds:lnk_file read;
-allow hal_light sysfs_leds:file rw_file_perms;
-allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/26.0/public/hal_memtrack.te b/prebuilts/api/26.0/public/hal_memtrack.te
deleted file mode 100644
index b2cc9cd1ec730b2feb27ef098da2329b9319be9e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_memtrack.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_memtrack_client, hal_memtrack_server)
-
-add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
-allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_neverallows.te b/prebuilts/api/26.0/public/hal_neverallows.te
deleted file mode 100644
index 036e1d2dca7cb2dbca35b58a897c4465bb3fd8e1..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_neverallows.te
+++ /dev/null
@@ -1,52 +0,0 @@
-# only HALs responsible for network hardware should have privileged
-# network capabilities
-neverallow {
- halserverdomain
- -hal_bluetooth_server
- -hal_wifi_server
- -hal_wifi_supplicant_server
- -rild
-} self:capability { net_admin net_raw };
-
-# Unless a HAL's job is to communicate over the network, or control network
-# hardware, it should not be using network sockets.
-neverallow {
- halserverdomain
- -hal_tetheroffload_server
- -hal_wifi_server
- -hal_wifi_supplicant_server
- -rild
-} domain:{ tcp_socket udp_socket rawip_socket } *;
-
-###
-# HALs are defined as an attribute and so a given domain could hypothetically
-# have multiple HALs in it (or even all of them) with the subsequent policy of
-# the domain comprised of the union of all the HALs.
-#
-# This is a problem because
-# 1) Security sensitive components should only be accessed by specific HALs.
-# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
-# the platform.
-# 3) The platform cannot reason about defense in depth if there are
-# monolithic domains etc.
-#
-# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
-# its OK for them to share a process its not OK with them to share processes
-# with other hals.
-#
-# The following neverallow rules, in conjuntion with CTS tests, assert that
-# these security principles are adhered to.
-#
-# Do not allow a hal to exec another process without a domain transition.
-# TODO remove exemptions.
-neverallow {
- halserverdomain
- -hal_dumpstate_server
- -rild
-} { file_type fs_type }:file execute_no_trans;
-# Do not allow a process other than init to transition into a HAL domain.
-neverallow { domain -init } halserverdomain:process transition;
-# Only allow transitioning to a domain by running its executable. Do not
-# allow transitioning into a HAL domain by use of seclabel in an
-# init.*.rc script.
-neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/26.0/public/hal_nfc.te b/prebuilts/api/26.0/public/hal_nfc.te
deleted file mode 100644
index a027c48bebd80f1830d357c807b5cbc88e5b1da9..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_nfc.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_nfc_client, hal_nfc_server)
-binder_call(hal_nfc_server, hal_nfc_client)
-
-add_hwservice(hal_nfc_server, hal_nfc_hwservice)
-allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
-
-# Set NFC properties (used by bcm2079x HAL).
-set_prop(hal_nfc, nfc_prop)
-
-# NFC device access.
-allow hal_nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_oemlock.te b/prebuilts/api/26.0/public/hal_oemlock.te
deleted file mode 100644
index 3fb5a18713647337e79ab91ca7a05645f113f241..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_oemlock.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_oemlock_client, hal_oemlock_server)
-
-add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
-allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_power.te b/prebuilts/api/26.0/public/hal_power.te
deleted file mode 100644
index fcba3d25dadd72ec7b502f2fbd16dce706f6b71b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_power.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_client, hal_power_server)
-binder_call(hal_power_server, hal_power_client)
-
-add_hwservice(hal_power_server, hal_power_hwservice)
-allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_sensors.te b/prebuilts/api/26.0/public/hal_sensors.te
deleted file mode 100644
index 068c93b8c351b9d37813e00d8713e2d7e6c5a644..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_sensors.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_sensors_client, hal_sensors_server)
-
-add_hwservice(hal_sensors_server, hal_sensors_hwservice)
-allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
-
-# Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors { appdomain -isolated_app }:fd use;
-
-# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
-# fd is passed in from framework sensorservice HAL.
-allow hal_sensors hal_allocator:fd use;
-
-# allow to run with real-time scheduling policy
-allow hal_sensors self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_telephony.te b/prebuilts/api/26.0/public/hal_telephony.te
deleted file mode 100644
index 41cfd4bf3fa76cbdfdf7c94d974465975af46d0a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_telephony.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_telephony_client, hal_telephony_server)
-binder_call(hal_telephony_server, hal_telephony_client)
-
-add_hwservice(hal_telephony_server, hal_telephony_hwservice)
-allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
-
diff --git a/prebuilts/api/26.0/public/hal_tetheroffload.te b/prebuilts/api/26.0/public/hal_tetheroffload.te
deleted file mode 100644
index a4c21fcdf507997a0621008de364f16a7ecc5381..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_tetheroffload.te
+++ /dev/null
@@ -1,3 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
-binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
diff --git a/prebuilts/api/26.0/public/hal_thermal.te b/prebuilts/api/26.0/public/hal_thermal.te
deleted file mode 100644
index b1764f114c9862ce0eb3abf118bfe0fb428c374a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_thermal.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_thermal_client, hal_thermal_server)
-binder_call(hal_thermal_server, hal_thermal_client)
-
-add_hwservice(hal_thermal_server, hal_thermal_hwservice)
-allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_tv_cec.te b/prebuilts/api/26.0/public/hal_tv_cec.te
deleted file mode 100644
index 7719cae92092228bb3c4d52551d7980654d0aae1..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_tv_cec.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_cec_client, hal_tv_cec_server)
-binder_call(hal_tv_cec_server, hal_tv_cec_client)
-
-add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
-allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_tv_input.te b/prebuilts/api/26.0/public/hal_tv_input.te
deleted file mode 100644
index 31a006740da1fd891ae90c2711ba3c18f0770f4e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_tv_input.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_input_client, hal_tv_input_server)
-binder_call(hal_tv_input_server, hal_tv_input_client)
-
-add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
-allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_usb.te b/prebuilts/api/26.0/public/hal_usb.te
deleted file mode 100644
index 9cfd5165d282b0ea21acddda9574b68e7443e4bf..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_usb.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_client, hal_usb_server)
-binder_call(hal_usb_server, hal_usb_client)
-
-add_hwservice(hal_usb_server, hal_usb_hwservice)
-allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
-
-allow hal_usb self:netlink_kobject_uevent_socket create;
-allow hal_usb self:netlink_kobject_uevent_socket setopt;
-allow hal_usb self:netlink_kobject_uevent_socket bind;
-allow hal_usb self:netlink_kobject_uevent_socket read;
-allow hal_usb sysfs:dir open;
-allow hal_usb sysfs:dir read;
-allow hal_usb sysfs:file read;
-allow hal_usb sysfs:file open;
-allow hal_usb sysfs:file write;
-allow hal_usb sysfs:file getattr;
-
diff --git a/prebuilts/api/26.0/public/hal_vibrator.te b/prebuilts/api/26.0/public/hal_vibrator.te
deleted file mode 100644
index c8612d77a3bd76b0283be5ffc440fd16f34a0a99..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_vibrator.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_vibrator_client, hal_vibrator_server)
-
-add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
-allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
-
-# vibrator sysfs rw access
-allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_vr.te b/prebuilts/api/26.0/public/hal_vr.te
deleted file mode 100644
index 3cb392d144f5985aba44c335c5d1a3d14866ff95..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_vr.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vr_client, hal_vr_server)
-binder_call(hal_vr_server, hal_vr_client)
-
-add_hwservice(hal_vr_server, hal_vr_hwservice)
-allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_weaver.te b/prebuilts/api/26.0/public/hal_weaver.te
deleted file mode 100644
index b80ba292c6eb7e1fc710a9ca366db3674f3585ad..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_weaver.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_weaver_client, hal_weaver_server)
-
-add_hwservice(hal_weaver_server, hal_weaver_hwservice)
-allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_wifi.te b/prebuilts/api/26.0/public/hal_wifi.te
deleted file mode 100644
index 5e0b9bc49030b670f8e02bcab4f041c11d30cd17..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_wifi.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_client, hal_wifi_server)
-binder_call(hal_wifi_server, hal_wifi_client)
-
-add_hwservice(hal_wifi_server, hal_wifi_hwservice)
-allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
-
-r_dir_file(hal_wifi, proc_net)
-r_dir_file(hal_wifi, sysfs_type)
-
-set_prop(hal_wifi, wifi_prop)
-
-# allow hal wifi set interfaces up and down
-allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
-
-allow hal_wifi self:capability { net_admin net_raw };
-# allow hal_wifi to speak to nl80211 in the kernel
-allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
-# hal_wifi writes firmware paths to this file.
-allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
diff --git a/prebuilts/api/26.0/public/hal_wifi_offload.te b/prebuilts/api/26.0/public/hal_wifi_offload.te
deleted file mode 100644
index dac5171b1e6c4d30923c0fcf77c7e4314e7fc75c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_wifi_offload.te
+++ /dev/null
@@ -1,6 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
-binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
-
-r_dir_file(hal_wifi_offload, proc_net)
-r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/prebuilts/api/26.0/public/hal_wifi_supplicant.te b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
deleted file mode 100644
index 0f2540e40d9804264b832cd392efc7bf6c75f5d8..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hal_wifi_supplicant.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
-binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
-
-add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
-allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
-allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
-
-allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
-allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:packet_socket create_socket_perms;
-allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-
-# Create a socket for receiving info from wpa
-allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
-userdebug_or_eng(`
- unix_socket_send(hal_wifi_supplicant, wpa, su)
-')
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/26.0/public/healthd.te b/prebuilts/api/26.0/public/healthd.te
deleted file mode 100644
index c0a7bec7bd3d5f02f6562ba0090852e929901c79..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/healthd.te
+++ /dev/null
@@ -1,63 +0,0 @@
-# healthd - battery/charger monitoring service daemon
-type healthd, domain;
-type healthd_exec, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs_type)
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-
-# Read access to system files for passthrough HALs in
-# /{system,vendor,odm}/lib[64]/hw/
-r_dir_file(healthd, system_file)
-
-allow healthd self:capability { sys_tty_config };
-allow healthd self:capability sys_boot;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-binder_use(healthd)
-binder_service(healthd)
-binder_call(healthd, system_server)
-hal_client_domain(healthd, hal_health)
-
-# Write to state file.
-# TODO: Split into a separate type?
-allow healthd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-allow healthd sysfs_batteryinfo:file r_file_perms;
-
-r_dir_file(healthd, sysfs_type)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd self:process execmem;
-allow healthd proc_sysrq:file rw_file_perms;
-
-add_service(healthd, batteryproperties_service)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
diff --git a/prebuilts/api/26.0/public/hwservice.te b/prebuilts/api/26.0/public/hwservice.te
deleted file mode 100644
index 65c52a23b6f8e4dad67c615e65e797136719576c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hwservice.te
+++ /dev/null
@@ -1,45 +0,0 @@
-type default_android_hwservice, hwservice_manager_type;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_audio_hwservice, hwservice_manager_type;
-type hal_bluetooth_hwservice, hwservice_manager_type;
-type hal_bootctl_hwservice, hwservice_manager_type;
-type hal_camera_hwservice, hwservice_manager_type;
-type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_contexthub_hwservice, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_dumpstate_hwservice, hwservice_manager_type;
-type hal_fingerprint_hwservice, hwservice_manager_type;
-type hal_gatekeeper_hwservice, hwservice_manager_type;
-type hal_gnss_hwservice, hwservice_manager_type;
-type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_composer_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_health_hwservice, hwservice_manager_type;
-type hal_ir_hwservice, hwservice_manager_type;
-type hal_keymaster_hwservice, hwservice_manager_type;
-type hal_light_hwservice, hwservice_manager_type;
-type hal_memtrack_hwservice, hwservice_manager_type;
-type hal_nfc_hwservice, hwservice_manager_type;
-type hal_oemlock_hwservice, hwservice_manager_type;
-type hal_omx_hwservice, hwservice_manager_type;
-type hal_power_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_sensors_hwservice, hwservice_manager_type;
-type hal_telephony_hwservice, hwservice_manager_type;
-type hal_thermal_hwservice, hwservice_manager_type;
-type hal_tv_cec_hwservice, hwservice_manager_type;
-type hal_tv_input_hwservice, hwservice_manager_type;
-type hal_usb_hwservice, hwservice_manager_type;
-type hal_vibrator_hwservice, hwservice_manager_type;
-type hal_vr_hwservice, hwservice_manager_type;
-type hal_weaver_hwservice, hwservice_manager_type;
-type hal_wifi_hwservice, hwservice_manager_type;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/prebuilts/api/26.0/public/hwservicemanager.te b/prebuilts/api/26.0/public/hwservicemanager.te
deleted file mode 100644
index 1ffd2a67ec4074501fada827daf29d3b92a80031..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/hwservicemanager.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# hwservicemanager - the Binder context manager for HAL services
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-set_prop(hwservicemanager, hwservicemanager_prop)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/26.0/public/idmap.te b/prebuilts/api/26.0/public/idmap.te
deleted file mode 100644
index 1c32f8fd54ce8721c21dc09f539865368aa47275..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/idmap.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# idmap, when executed by installd
-type idmap, domain;
-type idmap_exec, exec_type, file_type;
-
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
-allow idmap apk_data_file:dir search;
-
-# Allow apps access to /vendor/app
-r_dir_file(idmap, vendor_app_file)
-
-# Allow apps access to /vendor/overlay
-r_dir_file(idmap, vendor_overlay_file)
diff --git a/prebuilts/api/26.0/public/incident.te b/prebuilts/api/26.0/public/incident.te
deleted file mode 100644
index ce57bf650869616b9345bfea957353cd5c2fe5fc..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/incident.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# The incident command is used to call into the incidentd service to
-# take an incident report (binary, shared bugreport), download incident
-# reports that have already been taken, and monitor for new ones.
-# It doesn't do anything else.
-
-# incident
-type incident, domain;
-
diff --git a/prebuilts/api/26.0/public/incidentd.te b/prebuilts/api/26.0/public/incidentd.te
deleted file mode 100644
index b03249c88b92bdc9184e966d2b16523e1d1ff3ff..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/incidentd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# incidentd
-type incidentd, domain;
-
diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te
deleted file mode 100644
index 6d43ef463d765923884bf02b42eb67d11d048f09..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/init.te
+++ /dev/null
@@ -1,429 +0,0 @@
-# init is its own domain.
-type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
-type init_exec, exec_type, file_type;
-
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-#
-# init direct restorecon calls.
-#
-# /dev/kmsg
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { write relabelto };
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto };
-# /dev/socket
-allow init { device socket_device }:dir relabelto;
-# /dev/random, /dev/urandom
-allow init random_device:chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init system_block_device:{ blk_file lnk_file } relabelto;
-
-# setrlimit
-allow init self:capability sys_resource;
-
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:capability sys_admin;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-r_dir_file(init, cgroup)
-allow init cpuctl_device:dir { create mounton };
-
-# /config
-allow init configfs:dir mounton;
-allow init configfs:dir create_dir_perms;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
-
-# Set system clock.
-allow init self:capability sys_time;
-
-allow init self:capability { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init fs_type:filesystem ~relabelto;
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -misc_logd_file
- -system_app_data_file
- -system_file
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
- file_type
- -app_data_file
- -runtime_event_log_tags_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init cache_file:lnk_file r_file_perms;
-
-allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init tracing_shell_writable:file w_file_perms;
-
-# Setup and control wifi event tracing (see wifi-events.rc)
-allow init debugfs_tracing_instances:dir create_dir_perms;
-allow init debugfs_tracing_instances:file w_file_perms;
-allow init debugfs_wifi_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
-
-# init should not be able to read or open generic devices
-# TODO: auditing to see if this can be deleted entirely
-allow init {
- dev_type
- -kmem_device
- -port_device
- -device
- -vndbinder_device
- }:chr_file { read open };
-auditallow init {
- dev_type
- -alarm_device
- -ashmem_device
- -binder_device
- -console_device
- -device
- -devpts
- -dm_device
- -hwbinder_device
- -hw_random_device
- -keychord_device
- -kmem_device
- -kmsg_device
- -null_device
- -owntty_device
- -port_device
- -ptmx_device
- -random_device
- -zero_device
-}:chr_file { read open };
-
-# chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file setattr;
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
-
-# Set usermodehelpers and /proc security settings.
-allow init usermodehelper:file rw_file_perms;
-allow init proc_security:file rw_file_perms;
-
-# Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
-allow init proc:file w_file_perms;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(init, proc_net)
-allow init proc_net:file w_file_perms;
-allow init self:capability net_admin;
-
-# Write to /proc/sysrq-trigger.
-allow init proc_sysrq:file w_file_perms;
-
-# Read /proc/stat for bootchart.
-allow init proc_stat:file r_file_perms;
-
-# Reboot.
-allow init self:capability sys_boot;
-
-# Write to sysfs nodes.
-allow init sysfs_type:dir r_dir_perms;
-allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file rw_file_perms;
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { open create getattr setattr write };
-
-# Support "adb shell stop"
-allow init self:capability kill;
-allow init domain:process { sigkill signal };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:capability { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind };
-allow init domain:unix_dgram_socket { create bind };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:capability audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:capability net_raw;
-
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow init kernel:process setsched;
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO: Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# keychord configuration
-allow init self:capability sys_tty_config;
-allow init keychord_device:chr_file rw_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-# Allow init to write to /proc/sys/vm/overcommit_memory
-allow init proc_overcommit_memory:file { write };
-
-unix_socket_connect(init, vold, vold)
-
-# Raw writes to misc block device
-allow init misc_block_device:blk_file w_file_perms;
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-allow init proc_meminfo:file r_file_perms;
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# For init to be able to run shell scripts from vendor
-allow init vendor_shell_exec:file execute;
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via an exec based transition from the
-# kernel domain, never via setcon().
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow init service_manager_type:service_manager { add find };
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
diff --git a/prebuilts/api/26.0/public/inputflinger.te b/prebuilts/api/26.0/public/inputflinger.te
deleted file mode 100644
index e5f12a0c154fdc398a898dfdc1dde1f9d11c5ec5..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/inputflinger.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# inputflinger
-type inputflinger, domain;
-type inputflinger_exec, exec_type, file_type;
-
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-add_service(inputflinger, inputflinger_service)
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
diff --git a/prebuilts/api/26.0/public/install_recovery.te b/prebuilts/api/26.0/public/install_recovery.te
deleted file mode 100644
index 21156634d9cd63d12fa980ba7721a8ea83766341..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/install_recovery.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, exec_type, file_type;
-
-allow install_recovery self:capability dac_override;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/prebuilts/api/26.0/public/installd.te b/prebuilts/api/26.0/public/installd.te
deleted file mode 100644
index 939a4810ac088dd3c76e1db1859f021cb99b8410..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/installd.te
+++ /dev/null
@@ -1,159 +0,0 @@
-# installer daemon
-type installd, domain;
-type installd_exec, exec_type, file_type;
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
-
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-r_dir_file(installd, rootfs)
-# Scan through APKs in /system/app and /system/priv-app
-r_dir_file(installd, system_file)
-# Scan through APKs in /vendor/app
-r_dir_file(installd, vendor_app_file)
-# Scan through Runtime Resource Overlay APKs in /vendor/overlay
-r_dir_file(installd, vendor_overlay_file)
-# Get file context
-allow installd file_contexts_file:file r_file_perms;
-# Get seapp_context
-allow installd seapp_contexts_file:file r_file_perms;
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
-# and lib symlinks before the setfilecon call. May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Delete /data/media files through sdcardfs, instead of going behind its back
-allow installd tmpfs:dir r_dir_perms;
-allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/.layout_version.* file
-allow installd install_data_file:file create_file_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd dalvikcache_data_file:lnk_file getattr;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-# Types extracted from seapp_contexts type= fields.
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
-}:dir { create_dir_perms relabelfrom relabelto };
-
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
-}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
-# Files created/updated by profman dumps.
-allow installd profman_dump_data_file:dir { search add_name write };
-allow installd profman_dump_data_file:file { create setattr open write };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
-
-# Allow installd to publish a binder service and make binder calls.
-binder_use(installd)
-add_service(installd, installd_service)
-allow installd dumpstate:fifo_file { getattr write };
-
-# Allow installd to call into the system server so it can check permissions.
-binder_call(installd, system_server)
-allow installd permission_service:service_manager find;
-
-# Allow installd to read and write quotas
-allow installd block_device:dir { search };
-allow installd labeledfs:filesystem { quotaget quotamod };
-
-# Allow installd to delete from /data/preloads when trimming data caches
-# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
-allow installd preloads_data_file:file { r_file_perms unlink };
-allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow installd preloads_media_file:file { r_file_perms unlink };
-allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-###
-### Neverallow rules
-###
-
-# only system_server, installd and dumpstate may interact with installd over binder
-neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/26.0/public/ioctl_defines b/prebuilts/api/26.0/public/ioctl_defines
deleted file mode 100644
index a1cd0b9a0439f43cec30b5d722709a0cc3d48f8b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/ioctl_defines
+++ /dev/null
@@ -1,2694 +0,0 @@
-define(`FIBMAP', `0x00000001')
-define(`FIGETBSZ', `0x00000002')
-define(`FDCLRPRM', `0x00000241')
-define(`FDMSGON', `0x00000245')
-define(`FDMSGOFF', `0x00000246')
-define(`FDFMTBEG', `0x00000247')
-define(`FDFMTEND', `0x00000249')
-define(`FDSETEMSGTRESH', `0x0000024a')
-define(`FDFLUSH', `0x0000024b')
-define(`FDRESET', `0x00000254')
-define(`FDWERRORCLR', `0x00000256')
-define(`FDRAWCMD', `0x00000258')
-define(`FDTWADDLE', `0x00000259')
-define(`FDEJECT', `0x0000025a')
-define(`HDIO_GETGEO', `0x00000301')
-define(`HDIO_GET_UNMASKINTR', `0x00000302')
-define(`HDIO_GET_MULTCOUNT', `0x00000304')
-define(`HDIO_GET_QDMA', `0x00000305')
-define(`HDIO_SET_XFER', `0x00000306')
-define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
-define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
-define(`HDIO_GET_32BIT', `0x00000309')
-define(`HDIO_GET_NOWERR', `0x0000030a')
-define(`HDIO_GET_DMA', `0x0000030b')
-define(`HDIO_GET_NICE', `0x0000030c')
-define(`HDIO_GET_IDENTITY', `0x0000030d')
-define(`HDIO_GET_WCACHE', `0x0000030e')
-define(`HDIO_GET_ACOUSTIC', `0x0000030f')
-define(`HDIO_GET_ADDRESS', `0x00000310')
-define(`HDIO_GET_BUSSTATE', `0x0000031a')
-define(`HDIO_TRISTATE_HWIF', `0x0000031b')
-define(`HDIO_DRIVE_RESET', `0x0000031c')
-define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
-define(`HDIO_DRIVE_TASK', `0x0000031e')
-define(`HDIO_DRIVE_CMD', `0x0000031f')
-define(`HDIO_SET_MULTCOUNT', `0x00000321')
-define(`HDIO_SET_UNMASKINTR', `0x00000322')
-define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
-define(`HDIO_SET_32BIT', `0x00000324')
-define(`HDIO_SET_NOWERR', `0x00000325')
-define(`HDIO_SET_DMA', `0x00000326')
-define(`HDIO_SET_PIO_MODE', `0x00000327')
-define(`HDIO_SCAN_HWIF', `0x00000328')
-define(`HDIO_SET_NICE', `0x00000329')
-define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
-define(`HDIO_SET_WCACHE', `0x0000032b')
-define(`HDIO_SET_ACOUSTIC', `0x0000032c')
-define(`HDIO_SET_BUSSTATE', `0x0000032d')
-define(`HDIO_SET_QDMA', `0x0000032e')
-define(`HDIO_SET_ADDRESS', `0x0000032f')
-define(`IOCTL_VMCI_VERSION', `0x0000079f')
-define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
-define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
-define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
-define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
-define(`IOCTL_VMCI_VERSION2', `0x000007a7')
-define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
-define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
-define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
-define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
-define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
-define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
-define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
-define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
-define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
-define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
-define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
-define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
-define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
-define(`RAID_AUTORUN', `0x00000914')
-define(`CLEAR_ARRAY', `0x00000920')
-define(`HOT_REMOVE_DISK', `0x00000922')
-define(`SET_DISK_INFO', `0x00000924')
-define(`WRITE_RAID_INFO', `0x00000925')
-define(`UNPROTECT_ARRAY', `0x00000926')
-define(`PROTECT_ARRAY', `0x00000927')
-define(`HOT_ADD_DISK', `0x00000928')
-define(`SET_DISK_FAULTY', `0x00000929')
-define(`HOT_GENERATE_ERROR', `0x0000092a')
-define(`STOP_ARRAY', `0x00000932')
-define(`STOP_ARRAY_RO', `0x00000933')
-define(`RESTART_ARRAY_RW', `0x00000934')
-define(`BLKROSET', `0x0000125d')
-define(`BLKROGET', `0x0000125e')
-define(`BLKRRPART', `0x0000125f')
-define(`BLKGETSIZE', `0x00001260')
-define(`BLKFLSBUF', `0x00001261')
-define(`BLKRASET', `0x00001262')
-define(`BLKRAGET', `0x00001263')
-define(`BLKFRASET', `0x00001264')
-define(`BLKFRAGET', `0x00001265')
-define(`BLKSECTSET', `0x00001266')
-define(`BLKSECTGET', `0x00001267')
-define(`BLKSSZGET', `0x00001268')
-define(`BLKPG', `0x00001269')
-define(`BLKTRACESTART', `0x00001274')
-define(`BLKTRACESTOP', `0x00001275')
-define(`BLKTRACETEARDOWN', `0x00001276')
-define(`BLKDISCARD', `0x00001277')
-define(`BLKIOMIN', `0x00001278')
-define(`BLKIOOPT', `0x00001279')
-define(`BLKALIGNOFF', `0x0000127a')
-define(`BLKPBSZGET', `0x0000127b')
-define(`BLKDISCARDZEROES', `0x0000127c')
-define(`BLKSECDISCARD', `0x0000127d')
-define(`BLKROTATIONAL', `0x0000127e')
-define(`BLKZEROOUT', `0x0000127f')
-define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
-define(`SG_SET_TIMEOUT', `0x00002201')
-define(`SG_GET_TIMEOUT', `0x00002202')
-define(`SG_EMULATED_HOST', `0x00002203')
-define(`SG_SET_TRANSFORM', `0x00002204')
-define(`SG_GET_TRANSFORM', `0x00002205')
-define(`SG_GET_COMMAND_Q', `0x00002270')
-define(`SG_SET_COMMAND_Q', `0x00002271')
-define(`SG_GET_RESERVED_SIZE', `0x00002272')
-define(`SG_SET_RESERVED_SIZE', `0x00002275')
-define(`SG_GET_SCSI_ID', `0x00002276')
-define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
-define(`SG_GET_LOW_DMA', `0x0000227a')
-define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
-define(`SG_GET_PACK_ID', `0x0000227c')
-define(`SG_GET_NUM_WAITING', `0x0000227d')
-define(`SG_SET_DEBUG', `0x0000227e')
-define(`SG_GET_SG_TABLESIZE', `0x0000227f')
-define(`SG_GET_VERSION_NUM', `0x00002282')
-define(`SG_NEXT_CMD_LEN', `0x00002283')
-define(`SG_SCSI_RESET', `0x00002284')
-define(`SG_IO', `0x00002285')
-define(`SG_GET_REQUEST_TABLE', `0x00002286')
-define(`SG_SET_KEEP_ORPHAN', `0x00002287')
-define(`SG_GET_KEEP_ORPHAN', `0x00002288')
-define(`SG_GET_ACCESS_COUNT', `0x00002289')
-define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
-define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
-define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
-define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
-define(`PERF_EVENT_IOC_RESET', `0x00002403')
-define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
-define(`SNAPSHOT_FREEZE', `0x00003301')
-define(`SNAPSHOT_UNFREEZE', `0x00003302')
-define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
-define(`SNAPSHOT_FREE', `0x00003305')
-define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
-define(`SNAPSHOT_S2RAM', `0x0000330b')
-define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
-define(`SNAPSHOT_POWER_OFF', `0x00003310')
-define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
-define(`VFIO_GET_API_VERSION', `0x00003b64')
-define(`VFIO_CHECK_EXTENSION', `0x00003b65')
-define(`VFIO_SET_IOMMU', `0x00003b66')
-define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
-define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
-define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
-define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
-define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
-define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
-define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
-define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
-define(`VFIO_DEVICE_RESET', `0x00003b6f')
-define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
-define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
-define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
-define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
-define(`VFIO_IOMMU_ENABLE', `0x00003b73')
-define(`VFIO_IOMMU_DISABLE', `0x00003b74')
-define(`VFIO_EEH_PE_OP', `0x00003b79')
-define(`AGPIOC_ACQUIRE', `0x00004101')
-define(`APM_IOC_STANDBY', `0x00004101')
-define(`AGPIOC_RELEASE', `0x00004102')
-define(`APM_IOC_SUSPEND', `0x00004102')
-define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
-define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
-define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
-define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
-define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
-define(`SNDRV_PCM_IOCTL_START', `0x00004142')
-define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
-define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
-define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
-define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
-define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
-define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
-define(`PMU_IOC_SLEEP', `0x00004200')
-define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
-define(`CCISS_REVALIDVOLS', `0x0000420a')
-define(`CCISS_DEREGDISK', `0x0000420c')
-define(`CCISS_REGNEWD', `0x0000420e')
-define(`CCISS_RESCANDISK', `0x00004210')
-define(`SNDCTL_COPR_RESET', `0x00004300')
-define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
-define(`SNDRV_COMPRESS_RESUME', `0x00004331')
-define(`SNDRV_COMPRESS_START', `0x00004332')
-define(`SNDRV_COMPRESS_STOP', `0x00004333')
-define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
-define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
-define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
-define(`IOCTL_EVTCHN_RESET', `0x00004505')
-define(`FBIOGET_VSCREENINFO', `0x00004600')
-define(`FBIOPUT_VSCREENINFO', `0x00004601')
-define(`FBIOGET_FSCREENINFO', `0x00004602')
-define(`FBIOGETCMAP', `0x00004604')
-define(`FBIOPUTCMAP', `0x00004605')
-define(`FBIOPAN_DISPLAY', `0x00004606')
-define(`FBIOGET_CON2FBMAP', `0x0000460f')
-define(`FBIOPUT_CON2FBMAP', `0x00004610')
-define(`FBIOBLANK', `0x00004611')
-define(`FBIO_ALLOC', `0x00004613')
-define(`FBIO_FREE', `0x00004614')
-define(`FBIOGET_GLYPH', `0x00004615')
-define(`FBIOGET_HWCINFO', `0x00004616')
-define(`FBIOPUT_MODEINFO', `0x00004617')
-define(`FBIOGET_DISPINFO', `0x00004618')
-define(`FBIO_WAITEVENT', `0x00004688')
-define(`GSMIOC_DISABLE_NET', `0x00004703')
-define(`HIDIOCAPPLICATION', `0x00004802')
-define(`HIDIOCINITREPORT', `0x00004805')
-define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
-define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
-define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
-define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
-define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
-define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
-define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
-define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
-define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
-define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
-define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
-define(`IIOCNETAIF', `0x00004901')
-define(`IIOCNETDIF', `0x00004902')
-define(`IIOCNETSCF', `0x00004903')
-define(`IIOCNETGCF', `0x00004904')
-define(`IIOCNETANM', `0x00004905')
-define(`IIOCNETDNM', `0x00004906')
-define(`IIOCNETGNM', `0x00004907')
-define(`IIOCGETSET', `0x00004908')
-define(`IIOCSETSET', `0x00004909')
-define(`IIOCSETVER', `0x0000490a')
-define(`IIOCNETHUP', `0x0000490b')
-define(`IIOCSETGST', `0x0000490c')
-define(`IIOCSETBRJ', `0x0000490d')
-define(`IIOCSIGPRF', `0x0000490e')
-define(`IIOCGETPRF', `0x0000490f')
-define(`IIOCSETPRF', `0x00004910')
-define(`IIOCGETMAP', `0x00004911')
-define(`IIOCSETMAP', `0x00004912')
-define(`IIOCNETASL', `0x00004913')
-define(`IIOCNETDIL', `0x00004914')
-define(`IIOCGETCPS', `0x00004915')
-define(`IIOCGETDVR', `0x00004916')
-define(`IIOCNETLCR', `0x00004917')
-define(`IIOCNETDWRSET', `0x00004918')
-define(`IIOCNETALN', `0x00004920')
-define(`IIOCNETDLN', `0x00004921')
-define(`IIOCNETGPN', `0x00004922')
-define(`IIOCDBGVAR', `0x0000497f')
-define(`IIOCDRVCTL', `0x00004980')
-define(`ION_IOC_TEST_SET_FD', `0x000049f0')
-define(`KIOCSOUND', `0x00004b2f')
-define(`KDMKTONE', `0x00004b30')
-define(`KDGETLED', `0x00004b31')
-define(`KDSETLED', `0x00004b32')
-define(`KDGKBTYPE', `0x00004b33')
-define(`KDADDIO', `0x00004b34')
-define(`KDDELIO', `0x00004b35')
-define(`KDENABIO', `0x00004b36')
-define(`KDDISABIO', `0x00004b37')
-define(`KDSETMODE', `0x00004b3a')
-define(`KDGETMODE', `0x00004b3b')
-define(`KDMAPDISP', `0x00004b3c')
-define(`KDUNMAPDISP', `0x00004b3d')
-define(`GIO_SCRNMAP', `0x00004b40')
-define(`PIO_SCRNMAP', `0x00004b41')
-define(`KDGKBMODE', `0x00004b44')
-define(`KDSKBMODE', `0x00004b45')
-define(`KDGKBENT', `0x00004b46')
-define(`KDSKBENT', `0x00004b47')
-define(`KDGKBSENT', `0x00004b48')
-define(`KDSKBSENT', `0x00004b49')
-define(`KDGKBDIACR', `0x00004b4a')
-define(`KDSKBDIACR', `0x00004b4b')
-define(`KDGETKEYCODE', `0x00004b4c')
-define(`KDSETKEYCODE', `0x00004b4d')
-define(`KDSIGACCEPT', `0x00004b4e')
-define(`KDKBDREP', `0x00004b52')
-define(`GIO_FONT', `0x00004b60')
-define(`PIO_FONT', `0x00004b61')
-define(`KDGKBMETA', `0x00004b62')
-define(`KDSKBMETA', `0x00004b63')
-define(`KDGKBLED', `0x00004b64')
-define(`KDSKBLED', `0x00004b65')
-define(`GIO_UNIMAP', `0x00004b66')
-define(`PIO_UNIMAP', `0x00004b67')
-define(`PIO_UNIMAPCLR', `0x00004b68')
-define(`GIO_UNISCRNMAP', `0x00004b69')
-define(`PIO_UNISCRNMAP', `0x00004b6a')
-define(`GIO_FONTX', `0x00004b6b')
-define(`PIO_FONTX', `0x00004b6c')
-define(`PIO_FONTRESET', `0x00004b6d')
-define(`GIO_CMAP', `0x00004b70')
-define(`PIO_CMAP', `0x00004b71')
-define(`KDFONTOP', `0x00004b72')
-define(`KDGKBDIACRUC', `0x00004bfa')
-define(`KDSKBDIACRUC', `0x00004bfb')
-define(`LOOP_SET_FD', `0x00004c00')
-define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_SET_STATUS', `0x00004c02')
-define(`LOOP_GET_STATUS', `0x00004c03')
-define(`LOOP_SET_STATUS64', `0x00004c04')
-define(`LOOP_GET_STATUS64', `0x00004c05')
-define(`LOOP_CHANGE_FD', `0x00004c06')
-define(`LOOP_SET_CAPACITY', `0x00004c07')
-define(`LOOP_CTL_ADD', `0x00004c80')
-define(`LOOP_CTL_REMOVE', `0x00004c81')
-define(`LOOP_CTL_GET_FREE', `0x00004c82')
-define(`MTDFILEMODE', `0x00004d13')
-define(`NVME_IOCTL_ID', `0x00004e40')
-define(`UBI_IOCVOLRMBLK', `0x00004f08')
-define(`OMAPFB_SYNC_GFX', `0x00004f25')
-define(`OMAPFB_VSYNC', `0x00004f26')
-define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
-define(`OMAPFB_WAITFORGO', `0x00004f3c')
-define(`SNDCTL_DSP_RESET', `0x00005000')
-define(`SNDCTL_DSP_SYNC', `0x00005001')
-define(`SNDCTL_DSP_POST', `0x00005008')
-define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
-define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
-define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
-define(`SNDCTL_SEQ_RESET', `0x00005100')
-define(`SNDCTL_SEQ_SYNC', `0x00005101')
-define(`SNDCTL_SEQ_PANIC', `0x00005111')
-define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
-define(`RNDZAPENTCNT', `0x00005204')
-define(`RNDCLEARPOOL', `0x00005206')
-define(`CDROMPAUSE', `0x00005301')
-define(`CDROMRESUME', `0x00005302')
-define(`CDROMPLAYMSF', `0x00005303')
-define(`CDROMPLAYTRKIND', `0x00005304')
-define(`CDROMREADTOCHDR', `0x00005305')
-define(`CDROMREADTOCENTRY', `0x00005306')
-define(`CDROMSTOP', `0x00005307')
-define(`CDROMSTART', `0x00005308')
-define(`CDROMEJECT', `0x00005309')
-define(`CDROMVOLCTRL', `0x0000530a')
-define(`CDROMSUBCHNL', `0x0000530b')
-define(`CDROMREADMODE2', `0x0000530c')
-define(`CDROMREADMODE1', `0x0000530d')
-define(`CDROMREADAUDIO', `0x0000530e')
-define(`CDROMEJECT_SW', `0x0000530f')
-define(`CDROMMULTISESSION', `0x00005310')
-define(`CDROM_GET_MCN', `0x00005311')
-define(`CDROMRESET', `0x00005312')
-define(`CDROMVOLREAD', `0x00005313')
-define(`CDROMREADRAW', `0x00005314')
-define(`CDROMREADCOOKED', `0x00005315')
-define(`CDROMSEEK', `0x00005316')
-define(`CDROMPLAYBLK', `0x00005317')
-define(`CDROMREADALL', `0x00005318')
-define(`CDROMCLOSETRAY', `0x00005319')
-define(`CDROMGETSPINDOWN', `0x0000531d')
-define(`CDROMSETSPINDOWN', `0x0000531e')
-define(`CDROM_SET_OPTIONS', `0x00005320')
-define(`CDROM_CLEAR_OPTIONS', `0x00005321')
-define(`CDROM_SELECT_SPEED', `0x00005322')
-define(`CDROM_SELECT_DISC', `0x00005323')
-define(`CDROM_MEDIA_CHANGED', `0x00005325')
-define(`CDROM_DRIVE_STATUS', `0x00005326')
-define(`CDROM_DISC_STATUS', `0x00005327')
-define(`CDROM_CHANGER_NSLOTS', `0x00005328')
-define(`CDROM_LOCKDOOR', `0x00005329')
-define(`CDROM_DEBUG', `0x00005330')
-define(`CDROM_GET_CAPABILITY', `0x00005331')
-define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
-define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
-define(`CDROMAUDIOBUFSIZ', `0x00005382')
-define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
-define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
-define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
-define(`SCSI_IOCTL_GET_PCI', `0x00005387')
-define(`DVD_READ_STRUCT', `0x00005390')
-define(`DVD_WRITE_STRUCT', `0x00005391')
-define(`DVD_AUTH', `0x00005392')
-define(`CDROM_SEND_PACKET', `0x00005393')
-define(`CDROM_NEXT_WRITABLE', `0x00005394')
-define(`CDROM_LAST_WRITTEN', `0x00005395')
-define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
-define(`SNDCTL_TMR_START', `0x00005402')
-define(`TCSETS', `0x00005402')
-define(`SNDCTL_TMR_STOP', `0x00005403')
-define(`TCSETSW', `0x00005403')
-define(`SNDCTL_TMR_CONTINUE', `0x00005404')
-define(`TCSETSF', `0x00005404')
-define(`TCGETA', `0x00005405')
-define(`TCSETA', `0x00005406')
-define(`TCSETAW', `0x00005407')
-define(`TCSETAF', `0x00005408')
-define(`TCSBRK', `0x00005409')
-define(`TCXONC', `0x0000540a')
-define(`TCFLSH', `0x0000540b')
-define(`TIOCEXCL', `0x0000540c')
-define(`TIOCNXCL', `0x0000540d')
-define(`TIOCSCTTY', `0x0000540e')
-define(`TIOCGPGRP', `0x0000540f')
-define(`TIOCSPGRP', `0x00005410')
-define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
-define(`TIOCSTI', `0x00005412')
-define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
-define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
-define(`TIOCMGET', `0x00005415')
-define(`TIOCMBIS', `0x00005416')
-define(`TIOCMBIC', `0x00005417')
-define(`TIOCMSET', `0x00005418')
-define(`TIOCGSOFTCAR', `0x00005419')
-define(`TIOCSSOFTCAR', `0x0000541a')
-define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
-define(`TIOCLINUX', `0x0000541c')
-define(`TIOCCONS', `0x0000541d')
-define(`TIOCGSERIAL', `0x0000541e')
-define(`TIOCSSERIAL', `0x0000541f')
-define(`TIOCPKT', `0x00005420')
-define(`FIONBIO', `0x00005421')
-define(`TIOCNOTTY', `0x00005422')
-define(`TIOCSETD', `0x00005423')
-define(`TIOCGETD', `0x00005424')
-define(`TCSBRKP', `0x00005425')
-define(`TIOCSBRK', `0x00005427')
-define(`TIOCCBRK', `0x00005428')
-define(`TIOCGSID', `0x00005429')
-define(`TIOCGRS485', `0x0000542e')
-define(`TIOCSRS485', `0x0000542f')
-define(`TCGETX', `0x00005432')
-define(`TCSETX', `0x00005433')
-define(`TCSETXF', `0x00005434')
-define(`TCSETXW', `0x00005435')
-define(`TIOCVHANGUP', `0x00005437')
-define(`FIONCLEX', `0x00005450')
-define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
-define(`FIOASYNC', `0x00005452')
-define(`TIOCSERCONFIG', `0x00005453')
-define(`TIOCSERGWILD', `0x00005454')
-define(`TIOCSERSWILD', `0x00005455')
-define(`TIOCGLCKTRMIOS', `0x00005456')
-define(`TIOCSLCKTRMIOS', `0x00005457')
-define(`TIOCSERGSTRUCT', `0x00005458')
-define(`TIOCSERGETLSR', `0x00005459')
-define(`TIOCSERGETMULTI', `0x0000545a')
-define(`TIOCSERSETMULTI', `0x0000545b')
-define(`TIOCMIWAIT', `0x0000545c')
-define(`TIOCGICOUNT', `0x0000545d')
-define(`FIOQSIZE', `0x00005460')
-define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
-define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
-define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
-define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
-define(`UI_DEV_CREATE', `0x00005501')
-define(`UI_DEV_DESTROY', `0x00005502')
-define(`USBDEVFS_DISCARDURB', `0x0000550b')
-define(`USBDEVFS_RESET', `0x00005514')
-define(`USBDEVFS_DISCONNECT', `0x00005516')
-define(`USBDEVFS_CONNECT', `0x00005517')
-define(`VT_OPENQRY', `0x00005600')
-define(`VIDIOC_RESERVED', `0x00005601')
-define(`VT_GETMODE', `0x00005601')
-define(`VT_SETMODE', `0x00005602')
-define(`VT_GETSTATE', `0x00005603')
-define(`VT_SENDSIG', `0x00005604')
-define(`VT_RELDISP', `0x00005605')
-define(`VT_ACTIVATE', `0x00005606')
-define(`VT_WAITACTIVE', `0x00005607')
-define(`VT_DISALLOCATE', `0x00005608')
-define(`VT_RESIZE', `0x00005609')
-define(`VT_RESIZEX', `0x0000560a')
-define(`VT_LOCKSWITCH', `0x0000560b')
-define(`VT_UNLOCKSWITCH', `0x0000560c')
-define(`VT_GETHIFONTMASK', `0x0000560d')
-define(`VT_WAITEVENT', `0x0000560e')
-define(`VT_SETACTIVATE', `0x0000560f')
-define(`VIDIOC_LOG_STATUS', `0x00005646')
-define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
-define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
-define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
-define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
-define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
-define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
-define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
-define(`ANDROID_ALARM_WAIT', `0x00006101')
-define(`NS_ADJBUFLEV', `0x00006163')
-define(`SIOCSIFATMTCP', `0x00006180')
-define(`ATMTCP_CREATE', `0x0000618e')
-define(`ATMTCP_REMOVE', `0x0000618f')
-define(`ATMLEC_CTRL', `0x000061d0')
-define(`ATMLEC_DATA', `0x000061d1')
-define(`ATMLEC_MCAST', `0x000061d2')
-define(`ATMMPC_CTRL', `0x000061d8')
-define(`ATMMPC_DATA', `0x000061d9')
-define(`SIOCMKCLIP', `0x000061e0')
-define(`ATMARPD_CTRL', `0x000061e1')
-define(`ATMARP_MKIP', `0x000061e2')
-define(`ATMARP_SETENTRY', `0x000061e3')
-define(`ATMARP_ENCAP', `0x000061e5')
-define(`ATMSIGD_CTRL', `0x000061f0')
-define(`BT819_FIFO_RESET_LOW', `0x00006200')
-define(`BT819_FIFO_RESET_HIGH', `0x00006201')
-define(`CM_IOCSRDR', `0x00006303')
-define(`CM_IOCARDOFF', `0x00006304')
-define(`BC_REGISTER_LOOPER', `0x0000630b')
-define(`BC_ENTER_LOOPER', `0x0000630c')
-define(`BC_EXIT_LOOPER', `0x0000630d')
-define(`CHIOINITELEM', `0x00006311')
-define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
-define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
-define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
-define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
-define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
-define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
-define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
-define(`DRM_IOCTL_I915_FLIP', `0x00006442')
-define(`DRM_IOCTL_MGA_RESET', `0x00006442')
-define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
-define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
-define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
-define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
-define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
-define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
-define(`DRM_IOCTL_I810_SWAP', `0x00006446')
-define(`DRM_IOCTL_R128_RESET', `0x00006446')
-define(`DRM_IOCTL_R128_SWAP', `0x00006447')
-define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
-define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
-define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
-define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
-define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
-define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
-define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
-define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
-define(`DRM_IOCTL_R128_FLIP', `0x00006453')
-define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
-define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
-define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
-define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
-define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
-define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
-define(`GADGETFS_FIFO_STATUS', `0x00006701')
-define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
-define(`GADGETFS_FIFO_FLUSH', `0x00006702')
-define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
-define(`GADGETFS_CLEAR_HALT', `0x00006703')
-define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
-define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
-define(`HPET_IE_ON', `0x00006801')
-define(`HPET_IE_OFF', `0x00006802')
-define(`HPET_EPI', `0x00006804')
-define(`HPET_DPI', `0x00006805')
-define(`LIRC_NOTIFY_DECODE', `0x00006920')
-define(`LIRC_SETUP_START', `0x00006921')
-define(`LIRC_SETUP_END', `0x00006922')
-define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
-define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
-define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
-define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
-define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
-define(`KYRO_IOCTL_STRIDE', `0x00006b05')
-define(`HSC_RESET', `0x00006b10')
-define(`HSC_SET_PM', `0x00006b11')
-define(`HSC_SEND_BREAK', `0x00006b12')
-define(`MMTIMER_GETOFFSET', `0x00006d00')
-define(`MGSL_IOCSTXIDLE', `0x00006d02')
-define(`MGSL_IOCGTXIDLE', `0x00006d03')
-define(`MGSL_IOCTXENABLE', `0x00006d04')
-define(`MMTIMER_GETBITS', `0x00006d04')
-define(`MGSL_IOCRXENABLE', `0x00006d05')
-define(`MGSL_IOCTXABORT', `0x00006d06')
-define(`MMTIMER_MMAPAVAIL', `0x00006d06')
-define(`MGSL_IOCGSTATS', `0x00006d07')
-define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
-define(`MGSL_IOCSIF', `0x00006d0a')
-define(`MGSL_IOCGIF', `0x00006d0b')
-define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
-define(`MGSL_IOCSXSYNC', `0x00006d13')
-define(`MGSL_IOCGXSYNC', `0x00006d14')
-define(`MGSL_IOCSXCTRL', `0x00006d15')
-define(`MGSL_IOCGXCTRL', `0x00006d16')
-define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
-define(`AUDIO_STOP', `0x00006f01')
-define(`AUDIO_PLAY', `0x00006f02')
-define(`AUDIO_PAUSE', `0x00006f03')
-define(`AUDIO_CONTINUE', `0x00006f04')
-define(`AUDIO_SELECT_SOURCE', `0x00006f05')
-define(`AUDIO_SET_MUTE', `0x00006f06')
-define(`AUDIO_SET_AV_SYNC', `0x00006f07')
-define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
-define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
-define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
-define(`AUDIO_SET_ID', `0x00006f0d')
-define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
-define(`AUDIO_SET_EXT_ID', `0x00006f10')
-define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
-define(`VIDEO_STOP', `0x00006f15')
-define(`VIDEO_PLAY', `0x00006f16')
-define(`VIDEO_FREEZE', `0x00006f17')
-define(`VIDEO_CONTINUE', `0x00006f18')
-define(`VIDEO_SELECT_SOURCE', `0x00006f19')
-define(`VIDEO_SET_BLANK', `0x00006f1a')
-define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
-define(`VIDEO_FAST_FORWARD', `0x00006f1f')
-define(`VIDEO_SLOWMOTION', `0x00006f20')
-define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
-define(`VIDEO_SET_ID', `0x00006f23')
-define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
-define(`VIDEO_SET_FORMAT', `0x00006f25')
-define(`VIDEO_SET_SYSTEM', `0x00006f26')
-define(`DMX_START', `0x00006f29')
-define(`DMX_STOP', `0x00006f2a')
-define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
-define(`NET_REMOVE_IF', `0x00006f35')
-define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
-define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
-define(`FE_DISEQC_SEND_BURST', `0x00006f41')
-define(`FE_SET_TONE', `0x00006f42')
-define(`FE_SET_VOLTAGE', `0x00006f43')
-define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
-define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
-define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
-define(`CA_RESET', `0x00006f80')
-define(`RTC_AIE_ON', `0x00007001')
-define(`RTC_AIE_OFF', `0x00007002')
-define(`RTC_UIE_ON', `0x00007003')
-define(`PHN_NOT_OH', `0x00007004')
-define(`RTC_UIE_OFF', `0x00007004')
-define(`RTC_PIE_ON', `0x00007005')
-define(`RTC_PIE_OFF', `0x00007006')
-define(`RTC_WIE_ON', `0x0000700f')
-define(`RTC_WIE_OFF', `0x00007010')
-define(`RTC_VL_CLR', `0x00007014')
-define(`NVRAM_INIT', `0x00007040')
-define(`NVRAM_SETCKS', `0x00007041')
-define(`PPCLAIM', `0x0000708b')
-define(`PPRELEASE', `0x0000708c')
-define(`PPYIELD', `0x0000708d')
-define(`PPEXCL', `0x0000708f')
-define(`PHONE_CAPABILITIES', `0x00007180')
-define(`PHONE_RING', `0x00007183')
-define(`PHONE_HOOKSTATE', `0x00007184')
-define(`OLD_PHONE_RING_START', `0x00007187')
-define(`PHONE_RING_STOP', `0x00007188')
-define(`PHONE_REC_START', `0x0000718a')
-define(`PHONE_REC_STOP', `0x0000718b')
-define(`PHONE_REC_LEVEL', `0x0000718f')
-define(`PHONE_PLAY_START', `0x00007191')
-define(`PHONE_PLAY_STOP', `0x00007192')
-define(`PHONE_PLAY_LEVEL', `0x00007195')
-define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
-define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
-define(`PHONE_GET_TONE_STATE', `0x000071a0')
-define(`PHONE_BUSY', `0x000071a1')
-define(`PHONE_RINGBACK', `0x000071a2')
-define(`PHONE_DIALTONE', `0x000071a3')
-define(`PHONE_CPT_STOP', `0x000071a4')
-define(`PHONE_PSTN_GET_STATE', `0x000071a5')
-define(`PHONE_PSTN_LINETEST', `0x000071a8')
-define(`IXJCTL_DSP_RESET', `0x000071c0')
-define(`IXJCTL_DSP_IDLE', `0x000071c5')
-define(`IXJCTL_TESTRAM', `0x000071c6')
-define(`IXJCTL_AEC_STOP', `0x000071cc')
-define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
-define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
-define(`IXJCTL_PLAY_CID', `0x000071d7')
-define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
-define(`BR_OK', `0x00007201')
-define(`BR_DEAD_REPLY', `0x00007205')
-define(`BR_TRANSACTION_COMPLETE', `0x00007206')
-define(`BR_NOOP', `0x0000720c')
-define(`BR_SPAWN_LOOPER', `0x0000720d')
-define(`BR_FINISHED', `0x0000720e')
-define(`BR_FAILED_REPLY', `0x00007211')
-define(`MEYEIOC_STILLCAPT', `0x000076c4')
-define(`ASHMEM_GET_SIZE', `0x00007704')
-define(`ASHMEM_GET_PROT_MASK', `0x00007706')
-define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
-define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
-define(`FIOSETOWN', `0x00008901')
-define(`SIOCSPGRP', `0x00008902')
-define(`FIOGETOWN', `0x00008903')
-define(`SIOCGPGRP', `0x00008904')
-define(`SIOCATMARK', `0x00008905')
-define(`SIOCGSTAMP', `0x00008906')
-define(`SIOCGSTAMPNS', `0x00008907')
-define(`SIOCADDRT', `0x0000890b')
-define(`SIOCDELRT', `0x0000890c')
-define(`SIOCRTMSG', `0x0000890d')
-define(`SIOCGIFNAME', `0x00008910')
-define(`SIOCSIFLINK', `0x00008911')
-define(`SIOCGIFCONF', `0x00008912')
-define(`SIOCGIFFLAGS', `0x00008913')
-define(`SIOCSIFFLAGS', `0x00008914')
-define(`SIOCGIFADDR', `0x00008915')
-define(`SIOCSIFADDR', `0x00008916')
-define(`SIOCGIFDSTADDR', `0x00008917')
-define(`SIOCSIFDSTADDR', `0x00008918')
-define(`SIOCGIFBRDADDR', `0x00008919')
-define(`SIOCSIFBRDADDR', `0x0000891a')
-define(`SIOCGIFNETMASK', `0x0000891b')
-define(`SIOCSIFNETMASK', `0x0000891c')
-define(`SIOCGIFMETRIC', `0x0000891d')
-define(`SIOCSIFMETRIC', `0x0000891e')
-define(`SIOCGIFMEM', `0x0000891f')
-define(`SIOCSIFMEM', `0x00008920')
-define(`SIOCGIFMTU', `0x00008921')
-define(`SIOCSIFMTU', `0x00008922')
-define(`SIOCSIFNAME', `0x00008923')
-define(`SIOCSIFHWADDR', `0x00008924')
-define(`SIOCGIFENCAP', `0x00008925')
-define(`SIOCSIFENCAP', `0x00008926')
-define(`SIOCGIFHWADDR', `0x00008927')
-define(`SIOCGIFSLAVE', `0x00008929')
-define(`SIOCSIFSLAVE', `0x00008930')
-define(`SIOCADDMULTI', `0x00008931')
-define(`SIOCDELMULTI', `0x00008932')
-define(`SIOCGIFINDEX', `0x00008933')
-define(`SIOCSIFPFLAGS', `0x00008934')
-define(`SIOCGIFPFLAGS', `0x00008935')
-define(`SIOCDIFADDR', `0x00008936')
-define(`SIOCSIFHWBROADCAST', `0x00008937')
-define(`SIOCGIFCOUNT', `0x00008938')
-define(`SIOCKILLADDR', `0x00008939')
-define(`SIOCGIFBR', `0x00008940')
-define(`SIOCSIFBR', `0x00008941')
-define(`SIOCGIFTXQLEN', `0x00008942')
-define(`SIOCSIFTXQLEN', `0x00008943')
-define(`SIOCETHTOOL', `0x00008946')
-define(`SIOCGMIIPHY', `0x00008947')
-define(`SIOCGMIIREG', `0x00008948')
-define(`SIOCSMIIREG', `0x00008949')
-define(`SIOCWANDEV', `0x0000894a')
-define(`SIOCOUTQNSD', `0x0000894b')
-define(`SIOCDARP', `0x00008953')
-define(`SIOCGARP', `0x00008954')
-define(`SIOCSARP', `0x00008955')
-define(`SIOCDRARP', `0x00008960')
-define(`SIOCGRARP', `0x00008961')
-define(`SIOCSRARP', `0x00008962')
-define(`SIOCGIFMAP', `0x00008970')
-define(`SIOCSIFMAP', `0x00008971')
-define(`SIOCADDDLCI', `0x00008980')
-define(`SIOCDELDLCI', `0x00008981')
-define(`SIOCGIFVLAN', `0x00008982')
-define(`SIOCSIFVLAN', `0x00008983')
-define(`SIOCBONDENSLAVE', `0x00008990')
-define(`SIOCBONDRELEASE', `0x00008991')
-define(`SIOCBONDSETHWADDR', `0x00008992')
-define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
-define(`SIOCBONDINFOQUERY', `0x00008994')
-define(`SIOCBONDCHANGEACTIVE', `0x00008995')
-define(`SIOCBRADDBR', `0x000089a0')
-define(`SIOCBRDELBR', `0x000089a1')
-define(`SIOCBRADDIF', `0x000089a2')
-define(`SIOCBRDELIF', `0x000089a3')
-define(`SIOCSHWTSTAMP', `0x000089b0')
-define(`SIOCGHWTSTAMP', `0x000089b1')
-define(`SIOCPROTOPRIVATE', `0x000089e0')
-define(`SIOCPROTOPRIVATE_1', `0x000089e1')
-define(`SIOCPROTOPRIVATE_2', `0x000089e2')
-define(`SIOCPROTOPRIVATE_3', `0x000089e3')
-define(`SIOCPROTOPRIVATE_4', `0x000089e4')
-define(`SIOCPROTOPRIVATE_5', `0x000089e5')
-define(`SIOCPROTOPRIVATE_6', `0x000089e6')
-define(`SIOCPROTOPRIVATE_7', `0x000089e7')
-define(`SIOCPROTOPRIVATE_8', `0x000089e8')
-define(`SIOCPROTOPRIVATE_9', `0x000089e9')
-define(`SIOCPROTOPRIVATE_A', `0x000089ea')
-define(`SIOCPROTOPRIVATE_B', `0x000089eb')
-define(`SIOCPROTOPRIVATE_C', `0x000089ec')
-define(`SIOCPROTOPRIVATE_D', `0x000089ed')
-define(`SIOCPROTOPRIVATE_E', `0x000089ee')
-define(`SIOCPROTOPRIVLAST', `0x000089ef')
-define(`SIOCDEVPRIVATE', `0x000089f0')
-define(`SIOCDEVPRIVATE_1', `0x000089f1')
-define(`SIOCDEVPRIVATE_2', `0x000089f2')
-define(`SIOCDEVPRIVATE_3', `0x000089f3')
-define(`SIOCDEVPRIVATE_4', `0x000089f4')
-define(`SIOCDEVPRIVATE_5', `0x000089f5')
-define(`SIOCDEVPRIVATE_6', `0x000089f6')
-define(`SIOCDEVPRIVATE_7', `0x000089f7')
-define(`SIOCDEVPRIVATE_8', `0x000089f8')
-define(`SIOCDEVPRIVATE_9', `0x000089f9')
-define(`SIOCDEVPRIVATE_A', `0x000089fa')
-define(`SIOCDEVPRIVATE_B', `0x000089fb')
-define(`SIOCDEVPRIVATE_C', `0x000089fc')
-define(`SIOCDEVPRIVATE_D', `0x000089fd')
-define(`SIOCDEVPRIVATE_E', `0x000089fe')
-define(`SIOCDEVPRIVLAST', `0x000089ff')
-define(`SIOCIWFIRST', `0x00008b00')
-define(`SIOCSIWCOMMIT', `0x00008b00')
-define(`SIOCGIWNAME', `0x00008b01')
-define(`SIOCSIWNWID', `0x00008b02')
-define(`SIOCGIWNWID', `0x00008b03')
-define(`SIOCSIWFREQ', `0x00008b04')
-define(`SIOCGIWFREQ', `0x00008b05')
-define(`SIOCSIWMODE', `0x00008b06')
-define(`SIOCGIWMODE', `0x00008b07')
-define(`SIOCSIWSENS', `0x00008b08')
-define(`SIOCGIWSENS', `0x00008b09')
-define(`SIOCSIWRANGE', `0x00008b0a')
-define(`SIOCGIWRANGE', `0x00008b0b')
-define(`SIOCSIWPRIV', `0x00008b0c')
-define(`SIOCGIWPRIV', `0x00008b0d')
-define(`SIOCSIWSTATS', `0x00008b0e')
-define(`SIOCGIWSTATS', `0x00008b0f')
-define(`SIOCSIWSPY', `0x00008b10')
-define(`SIOCGIWSPY', `0x00008b11')
-define(`SIOCSIWTHRSPY', `0x00008b12')
-define(`SIOCGIWTHRSPY', `0x00008b13')
-define(`SIOCSIWAP', `0x00008b14')
-define(`SIOCGIWAP', `0x00008b15')
-define(`SIOCSIWMLME', `0x00008b16')
-define(`SIOCGIWAPLIST', `0x00008b17')
-define(`SIOCSIWSCAN', `0x00008b18')
-define(`SIOCGIWSCAN', `0x00008b19')
-define(`SIOCSIWESSID', `0x00008b1a')
-define(`SIOCGIWESSID', `0x00008b1b')
-define(`SIOCSIWNICKN', `0x00008b1c')
-define(`SIOCGIWNICKN', `0x00008b1d')
-define(`SIOCSIWRATE', `0x00008b20')
-define(`SIOCGIWRATE', `0x00008b21')
-define(`SIOCSIWRTS', `0x00008b22')
-define(`SIOCGIWRTS', `0x00008b23')
-define(`SIOCSIWFRAG', `0x00008b24')
-define(`SIOCGIWFRAG', `0x00008b25')
-define(`SIOCSIWTXPOW', `0x00008b26')
-define(`SIOCGIWTXPOW', `0x00008b27')
-define(`SIOCSIWRETRY', `0x00008b28')
-define(`SIOCGIWRETRY', `0x00008b29')
-define(`SIOCSIWENCODE', `0x00008b2a')
-define(`SIOCGIWENCODE', `0x00008b2b')
-define(`SIOCSIWPOWER', `0x00008b2c')
-define(`SIOCGIWPOWER', `0x00008b2d')
-define(`SIOCSIWGENIE', `0x00008b30')
-define(`SIOCGIWGENIE', `0x00008b31')
-define(`SIOCSIWAUTH', `0x00008b32')
-define(`SIOCGIWAUTH', `0x00008b33')
-define(`SIOCSIWENCODEEXT', `0x00008b34')
-define(`SIOCGIWENCODEEXT', `0x00008b35')
-define(`SIOCSIWPMKSA', `0x00008b36')
-define(`SIOCIWFIRSTPRIV', `0x00008be0')
-define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
-define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
-define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
-define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
-define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
-define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
-define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
-define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
-define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
-define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
-define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
-define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
-define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
-define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
-define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
-define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
-define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
-define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
-define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
-define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
-define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
-define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
-define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
-define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
-define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
-define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
-define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
-define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
-define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
-define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
-define(`SIOCIWLASTPRIV', `0x00008bff')
-define(`AUTOFS_IOC_READY', `0x00009360')
-define(`AUTOFS_IOC_FAIL', `0x00009361')
-define(`AUTOFS_IOC_CATATONIC', `0x00009362')
-define(`BTRFS_IOC_TRANS_START', `0x00009406')
-define(`BTRFS_IOC_TRANS_END', `0x00009407')
-define(`BTRFS_IOC_SYNC', `0x00009408')
-define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
-define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
-define(`NBD_SET_SOCK', `0x0000ab00')
-define(`NBD_SET_BLKSIZE', `0x0000ab01')
-define(`NBD_SET_SIZE', `0x0000ab02')
-define(`NBD_DO_IT', `0x0000ab03')
-define(`NBD_CLEAR_SOCK', `0x0000ab04')
-define(`NBD_CLEAR_QUE', `0x0000ab05')
-define(`NBD_PRINT_DEBUG', `0x0000ab06')
-define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
-define(`NBD_DISCONNECT', `0x0000ab08')
-define(`NBD_SET_TIMEOUT', `0x0000ab09')
-define(`NBD_SET_FLAGS', `0x0000ab0a')
-define(`RAW_SETBIND', `0x0000ac00')
-define(`RAW_GETBIND', `0x0000ac01')
-define(`KVM_GET_API_VERSION', `0x0000ae00')
-define(`KVM_CREATE_VM', `0x0000ae01')
-define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
-define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
-define(`KVM_CHECK_EXTENSION', `0x0000ae03')
-define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
-define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
-define(`LOGGER_FLUSH_LOG', `0x0000ae04')
-define(`LOGGER_GET_VERSION', `0x0000ae05')
-define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
-define(`LOGGER_SET_VERSION', `0x0000ae06')
-define(`KVM_CREATE_VCPU', `0x0000ae41')
-define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
-define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
-define(`KVM_SET_TSS_ADDR', `0x0000ae47')
-define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
-define(`KVM_CREATE_PIT', `0x0000ae64')
-define(`KVM_REINJECT_CONTROL', `0x0000ae71')
-define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
-define(`KVM_RUN', `0x0000ae80')
-define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
-define(`KVM_NMI', `0x0000ae9a')
-define(`KVM_SET_TSC_KHZ', `0x0000aea2')
-define(`KVM_GET_TSC_KHZ', `0x0000aea3')
-define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
-define(`VHOST_SET_OWNER', `0x0000af01')
-define(`VHOST_RESET_OWNER', `0x0000af02')
-define(`PPPOEIOCDFWD', `0x0000b101')
-define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
-define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
-define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
-define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
-define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
-define(`MFB_SET_ALPHA', `0x40014d00')
-define(`MFB_SET_GAMMA', `0x40014d01')
-define(`MFB_SET_BRIGHTNESS', `0x40014d03')
-define(`SPI_IOC_WR_MODE', `0x40016b01')
-define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
-define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
-define(`PPWCONTROL', `0x40017084')
-define(`PPWDATA', `0x40017086')
-define(`PPWCTLONIRQ', `0x40017092')
-define(`PHONE_MAXRINGS', `0x40017185')
-define(`PHONE_PLAY_TONE', `0x4001719b')
-define(`SONYPI_IOCSBRT', `0x40017600')
-define(`SONYPI_IOCSBLUE', `0x40017609')
-define(`SONYPI_IOCSFAN', `0x4001760b')
-define(`ATM_SETBACKEND', `0x400261f2')
-define(`ATM_NEWBACKENDIF', `0x400261f3')
-define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
-define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
-define(`DMX_ADD_PID', `0x40026f33')
-define(`DMX_REMOVE_PID', `0x40026f34')
-define(`PPFCONTROL', `0x4002708e')
-define(`PHONE_RING_CADENCE', `0x40027186')
-define(`SET_BITMAP_FILE', `0x4004092b')
-define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
-define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
-define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
-define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
-define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
-define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
-define(`BLKI2OSRSTRAT', `0x40043203')
-define(`BLKI2OSWSTRAT', `0x40043204')
-define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
-define(`PTP_ENABLE_PPS', `0x40043d04')
-define(`SYNC_IOC_WAIT', `0x40043e00')
-define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
-define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
-define(`AGPIOC_DEALLOCATE', `0x40044107')
-define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
-define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
-define(`CCISS_REGNEWDISK', `0x4004420d')
-define(`EVIOCRMFF', `0x40044581')
-define(`EVIOCGRAB', `0x40044590')
-define(`EVIOCREVOKE', `0x40044591')
-define(`EVIOCSCLOCKID', `0x400445a0')
-define(`FBIOPUT_CONTRAST', `0x40044602')
-define(`FBIPUT_BRIGHTNESS', `0x40044603')
-define(`FBIPUT_COLOR', `0x40044606')
-define(`FBIPUT_HSYNC', `0x40044609')
-define(`FBIPUT_VSYNC', `0x4004460a')
-define(`FBIO_WAITFORVSYNC', `0x40044620')
-define(`SSTFB_SET_VGAPASS', `0x400446dd')
-define(`HIDIOCSFLAG', `0x4004480f')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
-define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
-define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
-define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
-define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
-define(`HCIDEVUP', `0x400448c9')
-define(`HCIDEVDOWN', `0x400448ca')
-define(`HCIDEVRESET', `0x400448cb')
-define(`HCIDEVRESTAT', `0x400448cc')
-define(`HCISETRAW', `0x400448dc')
-define(`HCISETSCAN', `0x400448dd')
-define(`HCISETAUTH', `0x400448de')
-define(`HCISETENCRYPT', `0x400448df')
-define(`HCISETPTYPE', `0x400448e0')
-define(`HCISETLINKPOL', `0x400448e1')
-define(`HCISETLINKMODE', `0x400448e2')
-define(`HCISETACLMTU', `0x400448e3')
-define(`HCISETSCOMTU', `0x400448e4')
-define(`HCIBLOCKADDR', `0x400448e6')
-define(`HCIUNBLOCKADDR', `0x400448e7')
-define(`MFB_SET_PIXFMT', `0x40044d08')
-define(`OTPGETREGIONCOUNT', `0x40044d0e')
-define(`UBI_IOCEBER', `0x40044f01')
-define(`UBI_IOCEBCH', `0x40044f02')
-define(`UBI_IOCEBUNMAP', `0x40044f04')
-define(`OMAPFB_MIRROR', `0x40044f1f')
-define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
-define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
-define(`OMAPFB_LCD_TEST', `0x40044f2d')
-define(`OMAPFB_CTRL_TEST', `0x40044f2e')
-define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
-define(`SNDCTL_DSP_PROFILE', `0x40045017')
-define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
-define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
-define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
-define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
-define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
-define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
-define(`RNDADDTOENTCNT', `0x40045201')
-define(`SAA6588_CMD_CLOSE', `0x40045202')
-define(`RFCOMMCREATEDEV', `0x400452c8')
-define(`RFCOMMRELEASEDEV', `0x400452c9')
-define(`RFCOMMSTEALDLC', `0x400452dc')
-define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
-define(`SNDCTL_TMR_METRONOME', `0x40045407')
-define(`SNDCTL_TMR_SELECT', `0x40045408')
-define(`TIOCSPTLCK', `0x40045431')
-define(`TIOCSIG', `0x40045436')
-define(`TUNSETNOCSUM', `0x400454c8')
-define(`TUNSETDEBUG', `0x400454c9')
-define(`TUNSETIFF', `0x400454ca')
-define(`TUNSETPERSIST', `0x400454cb')
-define(`TUNSETOWNER', `0x400454cc')
-define(`TUNSETLINK', `0x400454cd')
-define(`TUNSETGROUP', `0x400454ce')
-define(`TUNSETOFFLOAD', `0x400454d0')
-define(`TUNSETTXFILTER', `0x400454d1')
-define(`TUNSETSNDBUF', `0x400454d4')
-define(`TUNSETVNETHDRSZ', `0x400454d8')
-define(`TUNSETQUEUE', `0x400454d9')
-define(`TUNSETIFINDEX', `0x400454da')
-define(`TUNSETVNETLE', `0x400454dc')
-define(`USBDEVFS_REAPURB32', `0x4004550c')
-define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
-define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
-define(`UI_SET_EVBIT', `0x40045564')
-define(`UI_SET_KEYBIT', `0x40045565')
-define(`UI_SET_RELBIT', `0x40045566')
-define(`UI_SET_ABSBIT', `0x40045567')
-define(`UI_SET_MSCBIT', `0x40045568')
-define(`UI_SET_LEDBIT', `0x40045569')
-define(`UI_SET_SNDBIT', `0x4004556a')
-define(`UI_SET_FFBIT', `0x4004556b')
-define(`UI_SET_SWBIT', `0x4004556d')
-define(`UI_SET_PROPBIT', `0x4004556e')
-define(`VIDIOC_OVERLAY', `0x4004560e')
-define(`VIDIOC_STREAMON', `0x40045612')
-define(`VIDIOC_STREAMOFF', `0x40045613')
-define(`VIDIOC_S_PRIORITY', `0x40045644')
-define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
-define(`SW_SYNC_IOC_INC', `0x40045701')
-define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
-define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
-define(`SONET_SETFRAMING', `0x40046115')
-define(`ATM_SETSC', `0x400461f1')
-define(`ATM_DROPPARTY', `0x400461f5')
-define(`BINDER_SET_MAX_THREADS', `0x40046205')
-define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
-define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_THREAD_EXIT', `0x40046208')
-define(`BC_ACQUIRE_RESULT', `0x40046302')
-define(`BC_INCREFS', `0x40046304')
-define(`BC_ACQUIRE', `0x40046305')
-define(`CHIOSPICKER', `0x40046305')
-define(`BC_RELEASE', `0x40046306')
-define(`BC_DECREFS', `0x40046307')
-define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
-define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
-define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
-define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
-define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
-define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
-define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
-define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
-define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
-define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
-define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
-define(`VIDIOC_INT_RESET', `0x40046466')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
-define(`FS_IOC32_SETFLAGS', `0x40046602')
-define(`LIRC_SET_SEND_MODE', `0x40046911')
-define(`LIRC_SET_REC_MODE', `0x40046912')
-define(`LIRC_SET_SEND_CARRIER', `0x40046913')
-define(`LIRC_SET_REC_CARRIER', `0x40046914')
-define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
-define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
-define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
-define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
-define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
-define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
-define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
-define(`LIRC_SET_REC_FILTER', `0x4004691c')
-define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
-define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
-define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
-define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
-define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
-define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
-define(`SPI_IOC_WR_MODE32', `0x40046b05')
-define(`MSMFB_GRP_DISP', `0x40046d01')
-define(`MSMFB_BLIT', `0x40046d02')
-define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
-define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
-define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
-define(`UBI_IOCRMVOL', `0x40046f01')
-define(`DMX_SET_SOURCE', `0x40046f31')
-define(`UBI_IOCDET', `0x40046f41')
-define(`PPSETMODE', `0x40047080')
-define(`PPDATADIR', `0x40047090')
-define(`PPNEGOT', `0x40047091')
-define(`PPSETPHASE', `0x40047094')
-define(`PPSETFLAGS', `0x4004709b')
-define(`PHONE_REC_CODEC', `0x40047189')
-define(`PHONE_REC_DEPTH', `0x4004718c')
-define(`PHONE_FRAME', `0x4004718d')
-define(`PHONE_REC_VOLUME', `0x4004718e')
-define(`PHONE_PLAY_CODEC', `0x40047190')
-define(`PHONE_PLAY_DEPTH', `0x40047193')
-define(`PHONE_PLAY_VOLUME', `0x40047194')
-define(`PHONE_DTMF_OOB', `0x40047199')
-define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
-define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
-define(`PHONE_PSTN_SET_STATE', `0x400471a4')
-define(`PHONE_WINK_DURATION', `0x400471a6')
-define(`PHONE_VAD', `0x400471a9')
-define(`PHONE_WINK', `0x400471aa')
-define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
-define(`IXJCTL_AEC_START', `0x400471cb')
-define(`IXJCTL_SET_LED', `0x400471ce')
-define(`IXJCTL_MIXER', `0x400471cf')
-define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
-define(`IXJCTL_PORT', `0x400471d1')
-define(`IXJCTL_DAA_AGAIN', `0x400471d2')
-define(`IXJCTL_POTS_PSTN', `0x400471d5')
-define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
-define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
-define(`IXJCTL_HZ', `0x400471e0')
-define(`IXJCTL_RATE', `0x400471e1')
-define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
-define(`IXJCTL_SC_RXG', `0x400471ea')
-define(`IXJCTL_SC_TXG', `0x400471eb')
-define(`IXJCTL_INTERCOM_START', `0x400471fd')
-define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
-define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
-define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
-define(`FS_IOC32_SETVERSION', `0x40047602')
-define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
-define(`OSIOCSNETADDR', `0x400489e0')
-define(`SIOCSNETADDR', `0x400489e0')
-define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
-define(`BTRFS_IOC_CLONE', `0x40049409')
-define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
-define(`KVM_INTERRUPT', `0x4004ae86')
-define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
-define(`KVM_SET_MP_STATE', `0x4004ae99')
-define(`VHOST_SET_LOG_FD', `0x4004af07')
-define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
-define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
-define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
-define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
-define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
-define(`SISFB_SET_LOCK', `0x4004f306')
-define(`GIGASET_BRKCHARS', `0x40064702')
-define(`MEYEIOC_S_PARAMS', `0x400676c1')
-define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
-define(`BLKBSZSET', `0x40081271')
-define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
-define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
-define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
-define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
-define(`AGPIOC_SETUP', `0x40084103')
-define(`AGPIOC_RESERVE', `0x40084104')
-define(`AGPIOC_PROTECT', `0x40084105')
-define(`AGPIOC_BIND', `0x40084108')
-define(`AGPIOC_UNBIND', `0x40084109')
-define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
-define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
-define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
-define(`CCISS_SETINTINFO', `0x40084203')
-define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
-define(`EVIOCSREP', `0x40084503')
-define(`EVIOCSKEYCODE', `0x40084504')
-define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
-define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
-define(`MEMERASE', `0x40084d02')
-define(`MFB_SET_AOID', `0x40084d04')
-define(`MEMLOCK', `0x40084d05')
-define(`MEMUNLOCK', `0x40084d06')
-define(`MEMGETBADBLOCK', `0x40084d0b')
-define(`MEMSETBADBLOCK', `0x40084d0c')
-define(`UBI_IOCVOLUP', `0x40084f00')
-define(`UBI_IOCEBMAP', `0x40084f03')
-define(`OMAPFB_SETUP_MEM', `0x40084f37')
-define(`OMAPFB_QUERY_MEM', `0x40084f38')
-define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
-define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
-define(`RNDADDENTROPY', `0x40085203')
-define(`TFD_IOC_SET_TICKS', `0x40085400')
-define(`USBDEVFS_REAPURB', `0x4008550c')
-define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
-define(`USBDEVFS_CONNECTINFO', `0x40085511')
-define(`UI_SET_PHYS', `0x4008556c')
-define(`VIDIOC_S_STD', `0x40085618')
-define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
-define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
-define(`CM_IOCSPTS', `0x40086302')
-define(`BC_FREE_BUFFER', `0x40086303')
-define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
-define(`BC_DEAD_BINDER_DONE', `0x40086310')
-define(`CM_IOSDBGLVL', `0x400863fa')
-define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
-define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
-define(`DRM_IOCTL_CONTROL', `0x40086414')
-define(`DRM_IOCTL_MOD_CTX', `0x40086422')
-define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
-define(`DRM_IOCTL_NEW_CTX', `0x40086425')
-define(`DRM_IOCTL_LOCK', `0x4008642a')
-define(`DRM_IOCTL_UNLOCK', `0x4008642b')
-define(`DRM_IOCTL_FINISH', `0x4008642c')
-define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
-define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
-define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
-define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
-define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
-define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
-define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
-define(`DRM_IOCTL_I915_FREE', `0x40086449')
-define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
-define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
-define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
-define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
-define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
-define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
-define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
-define(`FS_IOC_SETFLAGS', `0x40086602')
-define(`HPET_IRQFREQ', `0x40086806')
-define(`MTIOCTOP', `0x40086d01')
-define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
-define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
-define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
-define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
-define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
-define(`AUDIO_SET_MIXER', `0x40086f0e')
-define(`VIDEO_SET_SPU', `0x40086f32')
-define(`CA_SET_PID', `0x40086f87')
-define(`PHN_SET_REG', `0x40087001')
-define(`PHN_SET_REGS', `0x40087003')
-define(`PHN_SETREG', `0x40087006')
-define(`RTC_IRQP_SET', `0x4008700c')
-define(`RTC_EPOCH_SET', `0x4008700e')
-define(`PPS_SETPARAMS', `0x400870a2')
-define(`PPS_KC_BIND', `0x400870a5')
-define(`SPIOCSTYPE', `0x40087101')
-define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
-define(`PHONE_RING_START', `0x40087187')
-define(`IXJCTL_SET_FILTER', `0x400871c7')
-define(`IXJCTL_INIT_TONE', `0x400871c9')
-define(`IXJCTL_TONE_CADENCE', `0x400871ca')
-define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
-define(`IXJCTL_CIDCW', `0x400871d9')
-define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
-define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`FS_IOC_SETVERSION', `0x40087602')
-define(`ASHMEM_SET_SIZE', `0x40087703')
-define(`ASHMEM_SET_PROT_MASK', `0x40087705')
-define(`ASHMEM_PIN', `0x40087707')
-define(`ASHMEM_UNPIN', `0x40087708')
-define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
-define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
-define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
-define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
-define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
-define(`KVM_IRQ_LINE', `0x4008ae61')
-define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
-define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
-define(`KVM_SET_MSRS', `0x4008ae89')
-define(`KVM_SET_CPUID', `0x4008ae8a')
-define(`KVM_SET_CPUID2', `0x4008ae90')
-define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
-define(`KVM_S390_STORE_STATUS', `0x4008ae95')
-define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
-define(`VHOST_SET_FEATURES', `0x4008af00')
-define(`VHOST_SET_MEM_TABLE', `0x4008af03')
-define(`VHOST_SET_LOG_BASE', `0x4008af04')
-define(`VHOST_SET_VRING_NUM', `0x4008af10')
-define(`VHOST_SET_VRING_BASE', `0x4008af12')
-define(`VHOST_SET_VRING_KICK', `0x4008af20')
-define(`VHOST_SET_VRING_CALL', `0x4008af21')
-define(`VHOST_SET_VRING_ERR', `0x4008af22')
-define(`VHOST_NET_SET_BACKEND', `0x4008af30')
-define(`PPPOEIOCSFWD', `0x4008b100')
-define(`IOW_WRITE', `0x4008c001')
-define(`IOW_READ', `0x4008c002')
-define(`REISERFS_IOC_UNPACK', `0x4008cd01')
-define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
-define(`FDFMTTRK', `0x400c0248')
-define(`RUN_ARRAY', `0x400c0930')
-define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
-define(`CAPI_REGISTER', `0x400c4301')
-define(`HIDIOCGREPORT', `0x400c4807')
-define(`HIDIOCSREPORT', `0x400c4808')
-define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
-define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
-define(`OTPGETREGIONINFO', `0x400c4d0f')
-define(`UI_END_FF_ERASE', `0x400c55cb')
-define(`CHIOPOSITION', `0x400c6303')
-define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
-define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
-define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
-define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
-define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
-define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
-define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
-define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
-define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
-define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
-define(`I2OEVTREG', `0x400c690a')
-define(`HSC_SET_RX', `0x400c6b13')
-define(`HSC_GET_RX', `0x400c6b14')
-define(`NCP_IOC_GETROOT', `0x400c6e08')
-define(`UBI_IOCRSVOL', `0x400c6f02')
-define(`AUDIO_SET_KARAOKE', `0x400c6f12')
-define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
-define(`MBXFB_IOCS_REG', `0x400cf404')
-define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
-define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
-define(`PTP_EXTTS_REQUEST', `0x40103d02')
-define(`CCISS_SETNODENAME', `0x40104205')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
-define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
-define(`MTRRIOC_SET_ENTRY', `0x40104d01')
-define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
-define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
-define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
-define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
-define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
-define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
-define(`MEMERASE64', `0x40104d14')
-define(`UBI_IOCSETVOLPROP', `0x40104f06')
-define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
-define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
-define(`TUNATTACHFILTER', `0x401054d5')
-define(`TUNDETACHFILTER', `0x401054d6')
-define(`ANDROID_ALARM_SET_RTC', `0x40106105')
-define(`IDT77105_GETSTAT', `0x40106132')
-define(`IDT77105_GETSTATZ', `0x40106133')
-define(`ATM_GETSTAT', `0x40106150')
-define(`ATM_GETSTATZ', `0x40106151')
-define(`ATM_GETLOOP', `0x40106152')
-define(`ATM_SETLOOP', `0x40106153')
-define(`ATM_QUERYLOOP', `0x40106154')
-define(`ENI_MEMDUMP', `0x40106160')
-define(`HE_GET_REG', `0x40106160')
-define(`ZATM_GETPOOL', `0x40106161')
-define(`NS_SETBUFLEV', `0x40106162')
-define(`ZATM_GETPOOLZ', `0x40106162')
-define(`ZATM_SETPOOL', `0x40106163')
-define(`ENI_SETMULT', `0x40106167')
-define(`ATM_GETLINKRATE', `0x40106181')
-define(`ATM_GETNAMES', `0x40106183')
-define(`ATM_GETTYPE', `0x40106184')
-define(`ATM_GETESI', `0x40106185')
-define(`ATM_GETADDR', `0x40106186')
-define(`ATM_RSTADDR', `0x40106187')
-define(`ATM_ADDADDR', `0x40106188')
-define(`ATM_DELADDR', `0x40106189')
-define(`ATM_GETCIRANGE', `0x4010618a')
-define(`ATM_SETCIRANGE', `0x4010618b')
-define(`ATM_SETESI', `0x4010618c')
-define(`ATM_SETESIF', `0x4010618d')
-define(`ATM_ADDLECSADDR', `0x4010618e')
-define(`ATM_DELLECSADDR', `0x4010618f')
-define(`ATM_GETLECSADDR', `0x40106190')
-define(`ATM_ADDPARTY', `0x401061f4')
-define(`BC_INCREFS_DONE', `0x40106308')
-define(`CHIOGSTATUS', `0x40106308')
-define(`BC_ACQUIRE_DONE', `0x40106309')
-define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
-define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
-define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
-define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
-define(`DRM_IOCTL_AGP_BIND', `0x40106436')
-define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
-define(`DRM_IOCTL_SG_FREE', `0x40106439')
-define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
-define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
-define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
-define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
-define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
-define(`DRM_IOCTL_I810_COPY', `0x40106447')
-define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
-define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
-define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
-define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
-define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
-define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
-define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
-define(`TUNER_SET_CONFIG', `0x4010645c')
-define(`HSC_SET_TX', `0x40106b15')
-define(`HSC_GET_TX', `0x40106b16')
-define(`MGSL_IOCSGPIO', `0x40106d10')
-define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
-define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
-define(`VIDEO_STILLPICTURE', `0x40106f1e')
-define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
-define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
-define(`FE_SET_PROPERTY', `0x40106f52')
-define(`CA_SET_DESCR', `0x40106f86')
-define(`PPSETTIME', `0x40107096')
-define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
-define(`GENWQE_WRITE_REG64', `0x4010a51f')
-define(`GENWQE_WRITE_REG32', `0x4010a521')
-define(`GENWQE_WRITE_REG16', `0x4010a523')
-define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
-define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
-define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
-define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
-define(`KVM_S390_INTERRUPT', `0x4010ae94')
-define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
-define(`KVM_DIRTY_TLB', `0x4010aeaa')
-define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
-define(`KVM_GET_ONE_REG', `0x4010aeab')
-define(`KVM_SET_ONE_REG', `0x4010aeac')
-define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
-define(`FDSETMAXERRS', `0x4014024c')
-define(`ADD_NEW_DISK', `0x40140921')
-define(`SNDCTL_COPR_WDATA', `0x40144304')
-define(`SNDCTL_COPR_WCODE', `0x40144305')
-define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
-define(`VIDIOC_S_CROP', `0x4014563c')
-define(`CHIOMOVE', `0x40146301')
-define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
-define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
-define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
-define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
-define(`DMX_SET_PES_FILTER', `0x40146f2c')
-define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
-define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
-define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
-define(`HIDIOCSUSAGE', `0x4018480c')
-define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
-define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
-define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
-define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
-define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
-define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
-define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
-define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
-define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
-define(`UBI_IOCATT', `0x40186f40')
-define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
-define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
-define(`KVM_S390_UCAS_MAP', `0x4018ae50')
-define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
-define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
-define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
-define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
-define(`MBXFB_IOCS_ALPHA', `0x4018f402')
-define(`BR2684_SETFILT', `0x401c6190')
-define(`CHIOEXCHANGE', `0x401c6302')
-define(`FDSETPRM', `0x40200242')
-define(`FDDEFPRM', `0x40200243')
-define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
-define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
-define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
-define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
-define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
-define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
-define(`DRM_IOCTL_AGP_FREE', `0x40206435')
-define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
-define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
-define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
-define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
-define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
-define(`DRM_IOCTL_I810_MC', `0x4020644c')
-define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
-define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
-define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
-define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
-define(`OSD_SEND_CMD', `0x40206fa0')
-define(`RTC_PLL_SET', `0x40207012')
-define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
-define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
-define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
-define(`KVM_IRQFD', `0x4020ae76')
-define(`KVM_SIGNAL_MSI', `0x4020aea5')
-define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
-define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
-define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
-define(`JSIOCSCORR', `0x40246a21')
-define(`FE_SET_FRONTEND', `0x40246f4c')
-define(`RTC_ALM_SET', `0x40247007')
-define(`RTC_SET_TIME', `0x4024700a')
-define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
-define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
-define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
-define(`EVIOCSKEYCODE_V2', `0x40284504')
-define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
-define(`DRM_IOCTL_RM_MAP', `0x4028641b')
-define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
-define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
-define(`PHN_SETREGS', `0x40287008')
-define(`RTC_WKALM_SET', `0x4028700f')
-define(`VHOST_SET_VRING_ADDR', `0x4028af11')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
-define(`TCSETS2', `0x402c542b')
-define(`TCSETSW2', `0x402c542c')
-define(`TCSETSF2', `0x402c542d')
-define(`VIDIOC_S_FREQUENCY', `0x402c5639')
-define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
-define(`EVIOCSFF', `0x40304580')
-define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
-define(`VIDIOC_S_FBUF', `0x4030560b')
-define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
-define(`CHIOSVOLTAG', `0x40306312')
-define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
-define(`MGSL_IOCSPARAMS', `0x40306d00')
-define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
-define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
-define(`KVM_SET_CLOCK', `0x4030ae7b')
-define(`GSMIOC_ENABLE_NET', `0x40344702')
-define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
-define(`VIDIOC_S_AUDIO', `0x40345622')
-define(`VIDIOC_S_AUDOUT', `0x40345632')
-define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
-define(`PTP_PEROUT_REQUEST', `0x40383d03')
-define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
-define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
-define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
-define(`DMX_SET_FILTER', `0x403c6f2b')
-define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
-define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
-define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
-define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
-define(`BC_TRANSACTION', `0x40406300')
-define(`BC_REPLY', `0x40406301')
-define(`DRM_IOCTL_I810_INIT', `0x40406440')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
-define(`JSIOCSAXMAP', `0x40406a31')
-define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
-define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
-define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
-define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
-define(`KVM_CREATE_PIT2', `0x4040ae77')
-define(`KVM_IOEVENTFD', `0x4040ae79')
-define(`KVM_X86_SET_MCE', `0x4040ae9e')
-define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
-define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
-define(`CXL_IOCTL_START_WORK', `0x4040ca00')
-define(`OMAPFB_SETUP_PLANE', `0x40444f34')
-define(`OMAPFB_QUERY_PLANE', `0x40444f35')
-define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
-define(`VIDIOC_S_MODULATOR', `0x40445637')
-define(`DRM_IOCTL_I915_INIT', `0x40446440')
-define(`SET_ARRAY_INFO', `0x40480923')
-define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
-define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
-define(`BTRFS_IOC_SEND', `0x40489426')
-define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
-define(`GSMIOC_SETCONF', `0x404c4701')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
-define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
-define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
-define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
-define(`VIDIOC_S_TUNER', `0x4054561e')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
-define(`PTP_PIN_SETFUNC', `0x40603d07')
-define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
-define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
-define(`UI_END_FF_UPLOAD', `0x406855c9')
-define(`KVM_ENABLE_CAP', `0x4068aea3')
-define(`CHIOGELEM', `0x406c6310')
-define(`KVM_SET_PIT2', `0x4070aea0')
-define(`DRM_IOCTL_R128_INIT', `0x40786440')
-define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
-define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
-define(`FDSETDRVPRM', `0x40800290')
-define(`UBI_IOCVOLCRBLK', `0x40804f07')
-define(`DRM_IOCTL_MGA_INIT', `0x40806440')
-define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
-define(`KVM_SET_DEBUGREGS', `0x4080aea2')
-define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
-define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
-define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
-define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
-define(`KVM_SET_REGS', `0x4090ae82')
-define(`UBI_IOCMKVOL', `0x40986f00')
-define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
-define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
-define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
-define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
-define(`ASHMEM_SET_NAME', `0x41007701')
-define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
-define(`USBDEVFS_GETDRIVER', `0x41045508')
-define(`CA_SEND_MSG', `0x410c6f85')
-define(`KVM_SET_SREGS', `0x4138ae84')
-define(`KVM_SET_XCRS', `0x4188aea7')
-define(`KVM_SET_FPU', `0x41a0ae8d')
-define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
-define(`PTP_SYS_OFFSET', `0x43403d05')
-define(`JSIOCSBTNMAP', `0x44006a33')
-define(`KVM_SET_LAPIC', `0x4400ae8f')
-define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
-define(`BTRFS_IOC_DEFRAG', `0x50009402')
-define(`BTRFS_IOC_RESIZE', `0x50009403')
-define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
-define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
-define(`BTRFS_IOC_RM_DEV', `0x5000940b')
-define(`BTRFS_IOC_BALANCE', `0x5000940c')
-define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
-define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
-define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
-define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
-define(`KVM_SET_XSAVE', `0x5000aea5')
-define(`HIDIOCSUSAGES', `0x501c4814')
-define(`UBI_IOCRNVOL', `0x51106f03')
-define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
-define(`MFB_GET_ALPHA', `0x80014d00')
-define(`MFB_GET_GAMMA', `0x80014d01')
-define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
-define(`JSIOCGAXES', `0x80016a11')
-define(`JSIOCGBUTTONS', `0x80016a12')
-define(`SPI_IOC_RD_MODE', `0x80016b01')
-define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
-define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
-define(`PPRSTATUS', `0x80017081')
-define(`PPRCONTROL', `0x80017083')
-define(`PPRDATA', `0x80017085')
-define(`SONYPI_IOCGBRT', `0x80017600')
-define(`SONYPI_IOCGBATFLAGS', `0x80017607')
-define(`SONYPI_IOCGBLUE', `0x80017608')
-define(`SONYPI_IOCGFAN', `0x8001760a')
-define(`SONYPI_IOCGTEMP', `0x8001760c')
-define(`CAPI_GET_ERRCODE', `0x80024321')
-define(`CAPI_INSTALLED', `0x80024322')
-define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
-define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
-define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
-define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
-define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
-define(`FE_READ_SNR', `0x80026f48')
-define(`SONYPI_IOCGBAT1CAP', `0x80027602')
-define(`SONYPI_IOCGBAT1REM', `0x80027603')
-define(`SONYPI_IOCGBAT2CAP', `0x80027604')
-define(`SONYPI_IOCGBAT2REM', `0x80027605')
-define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
-define(`BLKI2OGRSTRAT', `0x80043201')
-define(`BLKI2OGWSTRAT', `0x80043202')
-define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
-define(`CCISS_GETHEARTBEAT', `0x80044206')
-define(`CCISS_GETBUSTYPES', `0x80044207')
-define(`CCISS_GETFIRMVER', `0x80044208')
-define(`CCISS_GETDRIVVER', `0x80044209')
-define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
-define(`CAPI_GET_FLAGS', `0x80044323')
-define(`CAPI_SET_FLAGS', `0x80044324')
-define(`CAPI_CLR_FLAGS', `0x80044325')
-define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
-define(`CAPI_NCCI_GETUNIT', `0x80044327')
-define(`EVIOCGVERSION', `0x80044501')
-define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
-define(`EVIOCGEFFECTS', `0x80044584')
-define(`FBIOGET_CONTRAST', `0x80044601')
-define(`FBIGET_BRIGHTNESS', `0x80044603')
-define(`FBIGET_COLOR', `0x80044605')
-define(`SSTFB_GET_VGAPASS', `0x800446dd')
-define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
-define(`HIDIOCGRDESCSIZE', `0x80044801')
-define(`HIDIOCGVERSION', `0x80044801')
-define(`HIDIOCGFLAG', `0x8004480e')
-define(`HDA_IOCTL_PVERSION', `0x80044810')
-define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
-define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
-define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
-define(`HCIGETDEVLIST', `0x800448d2')
-define(`HCIGETDEVINFO', `0x800448d3')
-define(`HCIGETCONNLIST', `0x800448d4')
-define(`HCIGETCONNINFO', `0x800448d5')
-define(`HCIGETAUTHINFO', `0x800448d7')
-define(`HCIINQUIRY', `0x800448f0')
-define(`ROCCATIOCGREPSIZE', `0x800448f1')
-define(`IMADDTIMER', `0x80044940')
-define(`IMDELTIMER', `0x80044941')
-define(`IMGETVERSION', `0x80044942')
-define(`IMGETCOUNT', `0x80044943')
-define(`IMGETDEVINFO', `0x80044944')
-define(`IMCTRLREQ', `0x80044945')
-define(`IMCLEAR_L2', `0x80044946')
-define(`IMHOLD_L1', `0x80044948')
-define(`MCE_GET_RECORD_LEN', `0x80044d01')
-define(`MCE_GET_LOG_LEN', `0x80044d02')
-define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
-define(`MEMGETREGIONCOUNT', `0x80044d07')
-define(`MFB_GET_PIXFMT', `0x80044d08')
-define(`OTPSELECT', `0x80044d0d')
-define(`OSS_GETVERSION', `0x80044d76')
-define(`UBI_IOCEBISMAP', `0x80044f05')
-define(`SOUND_PCM_READ_RATE', `0x80045002')
-define(`SOUND_PCM_READ_BITS', `0x80045005')
-define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
-define(`SOUND_PCM_READ_FILTER', `0x80045007')
-define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
-define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
-define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
-define(`SNDCTL_DSP_GETODELAY', `0x80045017')
-define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
-define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
-define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
-define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
-define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
-define(`SNDCTL_SEQ_GETTIME', `0x80045113')
-define(`RNDGETENTCNT', `0x80045200')
-define(`SAA6588_CMD_READ', `0x80045203')
-define(`SAA6588_CMD_POLL', `0x80045204')
-define(`RFCOMMGETDEVLIST', `0x800452d2')
-define(`RFCOMMGETDEVINFO', `0x800452d3')
-define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
-define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
-define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
-define(`TIOCGPTN', `0x80045430')
-define(`TIOCGDEV', `0x80045432')
-define(`TIOCGPKT', `0x80045438')
-define(`TIOCGPTLCK', `0x80045439')
-define(`TIOCGEXCL', `0x80045440')
-define(`TUNGETFEATURES', `0x800454cf')
-define(`TUNGETIFF', `0x800454d2')
-define(`TUNGETSNDBUF', `0x800454d3')
-define(`TUNGETVNETHDRSZ', `0x800454d7')
-define(`TUNGETVNETLE', `0x800454dd')
-define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
-define(`USBDEVFS_RESETEP', `0x80045503')
-define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
-define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
-define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
-define(`USBDEVFS_CLEAR_HALT', `0x80045515')
-define(`USBDEVFS_CLAIM_PORT', `0x80045518')
-define(`USBDEVFS_RELEASE_PORT', `0x80045519')
-define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
-define(`UI_GET_VERSION', `0x8004552d')
-define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
-define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
-define(`VIDIOC_G_INPUT', `0x80045626')
-define(`VIDIOC_G_OUTPUT', `0x8004562e')
-define(`VIDIOC_G_PRIORITY', `0x80045643')
-define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
-define(`WDIOC_GETSTATUS', `0x80045701')
-define(`WDIOC_GETBOOTSTATUS', `0x80045702')
-define(`WDIOC_GETTEMP', `0x80045703')
-define(`WDIOC_SETOPTIONS', `0x80045704')
-define(`WDIOC_KEEPALIVE', `0x80045705')
-define(`WDIOC_GETTIMEOUT', `0x80045707')
-define(`WDIOC_GETPRETIMEOUT', `0x80045709')
-define(`WDIOC_GETTIMELEFT', `0x8004570a')
-define(`SONET_GETDIAG', `0x80046114')
-define(`SONET_GETFRAMING', `0x80046116')
-define(`CHIOGPICKER', `0x80046304')
-define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
-define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
-define(`FS_IOC32_GETFLAGS', `0x80046601')
-define(`LIRC_GET_FEATURES', `0x80046900')
-define(`LIRC_GET_SEND_MODE', `0x80046901')
-define(`LIRC_GET_REC_MODE', `0x80046902')
-define(`LIRC_GET_SEND_CARRIER', `0x80046903')
-define(`LIRC_GET_REC_CARRIER', `0x80046904')
-define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
-define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
-define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
-define(`I2OVALIDATE', `0x80046908')
-define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
-define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
-define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
-define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
-define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
-define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
-define(`LIRC_GET_LENGTH', `0x8004690f')
-define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
-define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
-define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
-define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
-define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
-define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
-define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
-define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
-define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
-define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
-define(`I8K_BIOS_VERSION', `0x80046980')
-define(`I8K_MACHINE_ID', `0x80046981')
-define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
-define(`JSIOCGVERSION', `0x80046a01')
-define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
-define(`SPI_IOC_RD_MODE32', `0x80046b05')
-define(`UDF_GETEASIZE', `0x80046c40')
-define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
-define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
-define(`SISFB_GET_INFO_OLD', `0x80046ef8')
-define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
-define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
-define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
-define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
-define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
-define(`FE_READ_STATUS', `0x80046f45')
-define(`FE_READ_BER', `0x80046f46')
-define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
-define(`RTC_VL_READ', `0x80047013')
-define(`PPCLRIRQ', `0x80047093')
-define(`PPGETMODES', `0x80047097')
-define(`PPGETMODE', `0x80047098')
-define(`PPGETPHASE', `0x80047099')
-define(`PPGETFLAGS', `0x8004709a')
-define(`PHONE_DTMF_READY', `0x80047196')
-define(`PHONE_GET_DTMF', `0x80047197')
-define(`PHONE_GET_DTMF_ASCII', `0x80047198')
-define(`PHONE_EXCEPTION', `0x8004719a')
-define(`IXJCTL_CARDTYPE', `0x800471c1')
-define(`IXJCTL_SERIAL', `0x800471c2')
-define(`IXJCTL_DSP_TYPE', `0x800471c3')
-define(`IXJCTL_DSP_VERSION', `0x800471c4')
-define(`IXJCTL_VMWI', `0x800471d8')
-define(`BR_ERROR', `0x80047200')
-define(`BR_ACQUIRE_RESULT', `0x80047204')
-define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
-define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`FS_IOC32_GETVERSION', `0x80047601')
-define(`MEYEIOC_STILLJCAPT', `0x800476c5')
-define(`OSIOCGNETADDR', `0x800489e1')
-define(`SIOCGNETADDR', `0x800489e1')
-define(`AUTOFS_IOC_PROTOVER', `0x80049363')
-define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
-define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
-define(`GENWQE_GET_CARD_STATE', `0x8004a524')
-define(`KVM_GET_MP_STATE', `0x8004ae98')
-define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
-define(`SISFB_GET_INFO_SIZE', `0x8004f300')
-define(`SISFB_GET_VBRSTATUS', `0x8004f302')
-define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
-define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
-define(`SONET_GETFRSENSE', `0x80066117')
-define(`MEYEIOC_G_PARAMS', `0x800676c0')
-define(`BLKBSZGET', `0x80081270')
-define(`BLKGETSIZE64', `0x80081272')
-define(`PERF_EVENT_IOC_ID', `0x80082407')
-define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
-define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
-define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
-define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
-define(`AGPIOC_INFO', `0x80084100')
-define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
-define(`CCISS_GETPCIINFO', `0x80084201')
-define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
-define(`CCISS_GETINTINFO', `0x80084202')
-define(`PMU_IOC_GET_MODEL', `0x80084203')
-define(`PMU_IOC_HAS_ADB', `0x80084204')
-define(`PMU_IOC_CAN_SLEEP', `0x80084205')
-define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
-define(`EVIOCGID', `0x80084502')
-define(`EVIOCGREP', `0x80084503')
-define(`EVIOCGKEYCODE', `0x80084504')
-define(`FBIO_GETCONTROL2', `0x80084689')
-define(`HIDIOCGRAWINFO', `0x80084803')
-define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
-define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
-define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
-define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
-define(`MFB_GET_AOID', `0x80084d04')
-define(`MEMISLOCKED', `0x80084d17')
-define(`RNDGETPOOL', `0x80085202')
-define(`USBDEVFS_SETINTERFACE', `0x80085504')
-define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
-define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
-define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
-define(`VIDIOC_G_STD', `0x80085617')
-define(`VIDIOC_QUERYSTD', `0x8008563f')
-define(`CM_IOCGSTATUS', `0x80086300')
-define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
-define(`FS_IOC_GETFLAGS', `0x80086601')
-define(`I2OPASSTHRU32', `0x8008690c')
-define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
-define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
-define(`I8K_POWER_STATUS', `0x80086982')
-define(`I8K_FN_STATUS', `0x80086983')
-define(`I8K_GET_TEMP', `0x80086984')
-define(`UDF_GETEABLOCK', `0x80086c41')
-define(`UDF_GETVOLIDENT', `0x80086c42')
-define(`MMTIMER_GETRES', `0x80086d01')
-define(`MMTIMER_GETFREQ', `0x80086d02')
-define(`MTIOCPOS', `0x80086d03')
-define(`MMTIMER_GETCOUNTER', `0x80086d09')
-define(`NILFS_IOCTL_SYNC', `0x80086e8a')
-define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
-define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
-define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
-define(`AUDIO_GET_PTS', `0x80086f13')
-define(`DMX_GET_CAPS', `0x80086f30')
-define(`VIDEO_GET_PTS', `0x80086f39')
-define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
-define(`CA_GET_DESCR_INFO', `0x80086f83')
-define(`RTC_IRQP_READ', `0x8008700b')
-define(`RTC_EPOCH_READ', `0x8008700d')
-define(`PPS_GETPARAMS', `0x800870a1')
-define(`PPS_GETCAP', `0x800870a3')
-define(`PHONE_CAPABILITIES_LIST', `0x80087181')
-define(`IXJCTL_CID', `0x800871d4')
-define(`IXJCTL_VERSION', `0x800871da')
-define(`IXJCTL_FRAMES_READ', `0x800871e2')
-define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
-define(`IXJCTL_READ_WAIT', `0x800871e4')
-define(`IXJCTL_WRITE_WAIT', `0x800871e5')
-define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
-define(`BR_DEAD_BINDER', `0x8008720f')
-define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
-define(`FS_IOC_GETVERSION', `0x80087601')
-define(`BTRFS_IOC_START_SYNC', `0x80089418')
-define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
-define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
-define(`KVM_ALLOCATE_RMA', `0x8008aea9')
-define(`VHOST_GET_FEATURES', `0x8008af00')
-define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
-define(`DMX_GET_PES_PIDS', `0x800a6f2f')
-define(`RAID_VERSION', `0x800c0910')
-define(`CCISS_GETLUNINFO', `0x800c4211')
-define(`OTPLOCK', `0x800c4d10')
-define(`OMAPFB_GET_CAPS', `0x800c4f2a')
-define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
-define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
-define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
-define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
-define(`NCP_IOC_SETROOT', `0x800c6e08')
-define(`VIDEO_GET_SIZE', `0x800c6f37')
-define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
-define(`CA_GET_SLOT_INFO', `0x800c6f82')
-define(`FDGETDRVTYP', `0x8010020f')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
-define(`CCISS_GETNODENAME', `0x80104204')
-define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
-define(`ECCGETSTATS', `0x80104d12')
-define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
-define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
-define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
-define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
-define(`TUNGETFILTER', `0x801054db')
-define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
-define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
-define(`I2OPASSTHRU', `0x8010690c')
-define(`MGSL_IOCGGPIO', `0x80106d11')
-define(`NCP_IOC_NCPREQUEST', `0x80106e01')
-define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
-define(`FE_GET_PROPERTY', `0x80106f53')
-define(`CA_GET_CAP', `0x80106f81')
-define(`OSD_GET_CAPABILITY', `0x80106fa1')
-define(`PPGETTIME', `0x80107095')
-define(`BR_INCREFS', `0x80107207')
-define(`BR_ACQUIRE', `0x80107208')
-define(`BR_RELEASE', `0x80107209')
-define(`BR_DECREFS', `0x8010720a')
-define(`GENWQE_READ_REG64', `0x8010a51e')
-define(`GENWQE_READ_REG32', `0x8010a520')
-define(`GENWQE_READ_REG16', `0x8010a522')
-define(`FDGETMAXERRS', `0x8014020e')
-define(`GET_DISK_INFO', `0x80140912')
-define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
-define(`CHIOGPARAMS', `0x80146306')
-define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
-define(`VIDEO_GET_STATUS', `0x80146f1b')
-define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
-define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
-define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
-define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
-define(`IMSETDEVNAME', `0x80184947')
-define(`OMAPFB_MEMORY_READ', `0x80184f3a')
-define(`HPET_INFO', `0x80186803')
-define(`NCP_IOC_SIGN_INIT', `0x80186e05')
-define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
-define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
-define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
-define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
-define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
-define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
-define(`MBXFB_IOCG_ALPHA', `0x8018f401')
-define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
-define(`HIDIOCGDEVINFO', `0x801c4803')
-define(`FDGETPRM', `0x80200204')
-define(`FBIOGET_VBLANK', `0x80204612')
-define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
-define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
-define(`MEMGETINFO', `0x80204d01')
-define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
-define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
-define(`I2OGETIOPS', `0x80206900')
-define(`AUDIO_GET_STATUS', `0x80206f0a')
-define(`VIDEO_GET_EVENT', `0x80206f1c')
-define(`RTC_PLL_GET', `0x80207011')
-define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
-define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
-define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
-define(`SONET_GETSTAT', `0x80246110')
-define(`SONET_GETSTATZ', `0x80246111')
-define(`JSIOCGCORR', `0x80246a22')
-define(`FE_GET_FRONTEND', `0x80246f4d')
-define(`RTC_ALM_READ', `0x80247008')
-define(`RTC_RD_TIME', `0x80247009')
-define(`FDGETFDCSTAT', `0x80280215')
-define(`FDWERRORGET', `0x80280217')
-define(`EVIOCGKEYCODE_V2', `0x80284504')
-define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
-define(`WDIOC_GETSUPPORT', `0x80285700')
-define(`IPMICTL_SEND_COMMAND', `0x8028690d')
-define(`FE_GET_EVENT', `0x80286f4e')
-define(`RTC_WKALM_RD', `0x80287010')
-define(`IOW_GETINFO', `0x8028c003')
-define(`USBDEVFS_SUBMITURB32', `0x802a550a')
-define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
-define(`TCGETS2', `0x802c542a')
-define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
-define(`VIDIOC_G_FBUF', `0x8030560a')
-define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
-define(`MGSL_IOCGPARAMS', `0x80306d01')
-define(`MTIOCGET', `0x80306d02')
-define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
-define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
-define(`KVM_GET_CLOCK', `0x8030ae7c')
-define(`VIDIOC_G_AUDIO', `0x80345621')
-define(`VIDIOC_G_AUDOUT', `0x80345631')
-define(`USBDEVFS_SUBMITURB', `0x8038550a')
-define(`DRM_IOCTL_AGP_INFO', `0x80386433')
-define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
-define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
-define(`JSIOCGAXMAP', `0x80406a32')
-define(`BR_TRANSACTION', `0x80407202')
-define(`BR_REPLY', `0x80407203')
-define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
-define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
-define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
-define(`GET_ARRAY_INFO', `0x80480911')
-define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
-define(`KVM_SET_PIT', `0x8048ae66')
-define(`GSMIOC_GETCONF', `0x804c4700')
-define(`FDGETDRVSTAT', `0x80500212')
-define(`FDPOLLDRVSTAT', `0x80500213')
-define(`PTP_CLOCK_GETCAPS', `0x80503d01')
-define(`SOUND_MIXER_INFO', `0x805c4d65')
-define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
-define(`VIDIOC_QUERYCAP', `0x80685600')
-define(`I2OEVTGET', `0x8068690b')
-define(`CHIOGVPARAMS', `0x80706313')
-define(`KVM_GET_PIT2', `0x8070ae9f')
-define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
-define(`FDGETDRVPRM', `0x80800211')
-define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
-define(`KVM_GET_DEBUGREGS', `0x8080aea1')
-define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_DQEVENT', `0x80885659')
-define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
-define(`KVM_GET_REGS', `0x8090ae81')
-define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
-define(`FE_GET_INFO', `0x80a86f3d')
-define(`MEMGETOOBSEL', `0x80c84d0a')
-define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
-define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
-define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
-define(`DRM_IOCTL_GET_STATS', `0x80f86406')
-define(`ASHMEM_GET_NAME', `0x81007702')
-define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
-define(`HIDIOCGSTRING', `0x81044804')
-define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
-define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
-define(`CA_GET_MSG', `0x810c6f84')
-define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
-define(`SISFB_GET_INFO', `0x811cf301')
-define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
-define(`KVM_GET_SREGS', `0x8138ae83')
-define(`ECCGETLAYOUT', `0x81484d11')
-define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
-define(`KVM_GET_XCRS', `0x8188aea6')
-define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
-define(`KVM_GET_FPU', `0x81a0ae8c')
-define(`KVM_SET_IRQCHIP', `0x8208ae63')
-define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
-define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
-define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
-define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
-define(`JSIOCGBTNMAP', `0x84006a34')
-define(`BTRFS_IOC_FS_INFO', `0x8400941f')
-define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
-define(`KVM_GET_LAPIC', `0x8400ae8e')
-define(`VIDEO_GET_NAVI', `0x84046f34')
-define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
-define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
-define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
-define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
-define(`GET_BITMAP_FILE', `0x90000915')
-define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
-define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
-define(`KVM_GET_XSAVE', `0x9000aea4')
-define(`HIDIOCGRDESC', `0x90044802')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
-define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
-define(`CAPI_GET_MANUFACTURER', `0xc0044306')
-define(`CAPI_GET_SERIAL', `0xc0044308')
-define(`GIGASET_REDIR', `0xc0044700')
-define(`GIGASET_CONFIG', `0xc0044701')
-define(`ION_IOC_FREE', `0xc0044901')
-define(`SOUND_MIXER_AGC', `0xc0044d67')
-define(`SOUND_MIXER_3DSE', `0xc0044d68')
-define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
-define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
-define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
-define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
-define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
-define(`SNDCTL_DSP_SPEED', `0xc0045002')
-define(`SNDCTL_DSP_STEREO', `0xc0045003')
-define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
-define(`SNDCTL_DSP_SETFMT', `0xc0045005')
-define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
-define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
-define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
-define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
-define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
-define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
-define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
-define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
-define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
-define(`SNDCTL_TMR_TEMPO', `0xc0045405')
-define(`SNDCTL_TMR_SOURCE', `0xc0045406')
-define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
-define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
-define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
-define(`VIDIOC_S_INPUT', `0xc0045627')
-define(`VIDIOC_S_OUTPUT', `0xc004562f')
-define(`WDIOC_SETTIMEOUT', `0xc0045706')
-define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
-define(`FIFREEZE', `0xc0045877')
-define(`FITHAW', `0xc0045878')
-define(`SONET_SETDIAG', `0xc0046112')
-define(`SONET_CLRDIAG', `0xc0046113')
-define(`BINDER_VERSION', `0xc0046209')
-define(`DRM_IOCTL_BLOCK', `0xc0046412')
-define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
-define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
-define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
-define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
-define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
-define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
-define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
-define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
-define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`TOSH_SMM', `0xc0047490')
-define(`MEYEIOC_SYNC', `0xc00476c3')
-define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
-define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
-define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
-define(`NET_ADD_IF', `0xc0066f34')
-define(`NET_GET_IF', `0xc0066f36')
-define(`AGPIOC_ALLOCATE', `0xc0084106')
-define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
-define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
-define(`ION_IOC_MAP', `0xc0084902')
-define(`ION_IOC_SHARE', `0xc0084904')
-define(`ION_IOC_IMPORT', `0xc0084905')
-define(`ION_IOC_SYNC', `0xc0084907')
-define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
-define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
-define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
-define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
-define(`VIDIOC_G_CTRL', `0xc008561b')
-define(`VIDIOC_S_CTRL', `0xc008561c')
-define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
-define(`CM_IOCGATR', `0xc0086301')
-define(`CIOC_KERNEL_VERSION', `0xc008630a')
-define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
-define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
-define(`DRM_IOCTL_RM_CTX', `0xc0086421')
-define(`DRM_IOCTL_GET_CTX', `0xc0086423')
-define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
-define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
-define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
-define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
-define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
-define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
-define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
-define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
-define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
-define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
-define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
-define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
-define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
-define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
-define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
-define(`I8K_GET_SPEED', `0xc0086985')
-define(`I8K_GET_FAN', `0xc0086986')
-define(`I8K_SET_FAN', `0xc0086987')
-define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
-define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
-define(`PHN_GET_REG', `0xc0087000')
-define(`PHN_GET_REGS', `0xc0087002')
-define(`PHN_GETREG', `0xc0087005')
-define(`PPS_FETCH', `0xc00870a4')
-define(`PHONE_QUERY_CODEC', `0xc00871a7')
-define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
-define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
-define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
-define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
-define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
-define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
-define(`KVM_GET_MSRS', `0xc008ae88')
-define(`KVM_GET_CPUID2', `0xc008ae91')
-define(`KVM_GET_REG_LIST', `0xc008aeb0')
-define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
-define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
-define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
-define(`VHOST_GET_VRING_BASE', `0xc008af12')
-define(`HIDIOCGREPORTINFO', `0xc00c4809')
-define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
-define(`USBDEVFS_IOCTL32', `0xc00c5512')
-define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
-define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
-define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
-define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
-define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
-define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
-define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
-define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
-define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
-define(`KVM_CREATE_DEVICE', `0xc00caee0')
-define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
-define(`MBXFB_IOCX_REG', `0xc00cf405')
-define(`CAPI_GET_VERSION', `0xc0104307')
-define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
-define(`GIGASET_VERSION', `0xc0104703')
-define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
-define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
-define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
-define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
-define(`ION_IOC_CUSTOM', `0xc0104906')
-define(`MEMWRITEOOB', `0xc0104d03')
-define(`MEMREADOOB', `0xc0104d04')
-define(`MEMGETREGIONINFO', `0xc0104d08')
-define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
-define(`USBDEVFS_CONTROL32', `0xc0105500')
-define(`USBDEVFS_BULK32', `0xc0105502')
-define(`USBDEVFS_IOCTL', `0xc0105512')
-define(`NS_GETPSTAT', `0xc0106161')
-define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
-define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
-define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
-define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
-define(`DRM_IOCTL_GET_CAP', `0xc010640c')
-define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
-define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
-define(`DRM_IOCTL_RES_CTX', `0xc0106426')
-define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
-define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
-define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
-define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
-define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
-define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
-define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
-define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
-define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
-define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
-define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
-define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
-define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
-define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
-define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
-define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
-define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
-define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
-define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
-define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
-define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
-define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
-define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
-define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
-define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
-define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
-define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
-define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
-define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
-define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
-define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
-define(`MGSL_IOCWAITGPIO', `0xc0106d12')
-define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
-define(`DMX_GET_STC', `0xc0106f32')
-define(`UVCIOC_CTRL_QUERY', `0xc0107521')
-define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
-define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
-define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
-define(`SNDCTL_COPR_RDATA', `0xc0144302')
-define(`SNDCTL_COPR_RCODE', `0xc0144303')
-define(`SNDCTL_COPR_RUN', `0xc0144306')
-define(`SNDCTL_COPR_HALT', `0xc0144307')
-define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
-define(`VIDIOC_REQBUFS', `0xc0145608')
-define(`VIDIOC_G_CROP', `0xc014563b')
-define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
-define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
-define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
-define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
-define(`HIDIOCGUSAGE', `0xc018480b')
-define(`HIDIOCGUCODE', `0xc018480d')
-define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
-define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
-define(`MEMWRITEOOB64', `0xc0184d15')
-define(`MEMREADOOB64', `0xc0184d16')
-define(`USBDEVFS_CONTROL', `0xc0185500')
-define(`USBDEVFS_BULK', `0xc0185502')
-define(`PACKET_CTRL_CMD', `0xc0185801')
-define(`FITRIM', `0xc0185879')
-define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
-define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
-define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
-define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
-define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
-define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
-define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
-define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
-define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
-define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
-define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
-define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
-define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
-define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
-define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
-define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
-define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
-define(`I2OHRTGET', `0xc0186901')
-define(`I2OLCTGET', `0xc0186902')
-define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
-define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
-define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
-define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
-define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
-define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
-define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
-define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
-define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
-define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
-define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
-define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
-define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
-define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
-define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
-define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
-define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
-define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
-define(`KVM_TRANSLATE', `0xc018ae85')
-define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
-define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
-define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
-define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
-define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
-define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
-define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
-define(`ION_IOC_ALLOC', `0xc0204900')
-define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
-define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
-define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
-define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
-define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
-define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
-define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
-define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
-define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
-define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
-define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
-define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
-define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
-define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
-define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
-define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
-define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
-define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
-define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
-define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
-define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
-define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
-define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
-define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
-define(`FS_IOC_FIEMAP', `0xc020660b')
-define(`GENWQE_PIN_MEM', `0xc020a528')
-define(`GENWQE_UNPIN_MEM', `0xc020a529')
-define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
-define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
-define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
-define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
-define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
-define(`SYNC_IOC_MERGE', `0xc0283e01')
-define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
-define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
-define(`VIDIOC_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
-define(`VIDIOC_S_EDID', `0xc0285629')
-define(`VIDIOC_ENCODER_CMD', `0xc028564d')
-define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
-define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
-define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
-define(`DRM_IOCTL_GET_MAP', `0xc0286404')
-define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
-define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
-define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
-define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
-define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
-define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
-define(`I2OPARMSET', `0xc0286903')
-define(`I2OPARMGET', `0xc0286904')
-define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
-define(`PHN_GETREGS', `0xc0287007')
-define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
-define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
-define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
-define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
-define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
-define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
-define(`VIDIOC_QUERYMENU', `0xc02c5625')
-define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
-define(`VIDIOC_CROPCAP', `0xc02c563a')
-define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
-define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
-define(`MEMWRITE', `0xc0304d18')
-define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
-define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
-define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
-define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
-define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
-define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
-define(`BINDER_WRITE_READ', `0xc0306201')
-define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
-define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
-define(`I2OSWDL', `0xc0306905')
-define(`I2OSWUL', `0xc0306906')
-define(`I2OSWDEL', `0xc0306907')
-define(`I2OHTML', `0xc0306909')
-define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
-define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
-define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
-define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
-define(`VIDIOC_ENUMAUDIO', `0xc0345641')
-define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
-define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
-define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
-define(`HIDIOCGFIELDINFO', `0xc038480a')
-define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
-define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
-define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
-define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
-define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
-define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
-define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
-define(`GENWQE_SLU_UPDATE', `0xc038a550')
-define(`GENWQE_SLU_READ', `0xc038a551')
-define(`CAPI_GET_PROFILE', `0xc0404309')
-define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
-define(`VIDIOC_ENUM_FMT', `0xc0405602')
-define(`VIDIOC_EXPBUF', `0xc0405610')
-define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
-define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
-define(`VIDIOC_G_SELECTION', `0xc040565e')
-define(`VIDIOC_S_SELECTION', `0xc040565f')
-define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
-define(`DRM_IOCTL_VERSION', `0xc0406400')
-define(`DRM_IOCTL_DMA', `0xc0406429')
-define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
-define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
-define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
-define(`VIDIOC_QUERYCTRL', `0xc0445624')
-define(`VIDIOC_G_MODULATOR', `0xc0445636')
-define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
-define(`BLKTRACESETUP', `0xc0481273')
-define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
-define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
-define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
-define(`VIDIOC_ENUMSTD', `0xc0485619')
-define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
-define(`VIDIOC_DECODER_CMD', `0xc0485660')
-define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
-define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
-define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
-define(`VIDEO_COMMAND', `0xc0486f3b')
-define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
-define(`KVM_GET_PIT', `0xc048ae65')
-define(`MMC_IOC_CMD', `0xc048b300')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
-define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
-define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
-define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
-define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
-define(`VIDIOC_ENUMINPUT', `0xc050561a')
-define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
-define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
-define(`VIDIOC_G_TUNER', `0xc054561d')
-define(`SISFB_COMMAND', `0xc054f305')
-define(`CCISS_PASSTHRU', `0xc058420b')
-define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
-define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
-define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
-define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
-define(`VIDIOC_QUERYBUF', `0xc0585609')
-define(`VIDIOC_QBUF', `0xc058560f')
-define(`VIDIOC_DQBUF', `0xc0585611')
-define(`VIDIOC_PREPARE_BUF', `0xc058565d')
-define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
-define(`PTP_PIN_GETFUNC', `0xc0603d06')
-define(`CCISS_BIG_PASSTHRU', `0xc0604212')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
-define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
-define(`UVCIOC_CTRL_MAP', `0xc0607520')
-define(`FBIO_CURSOR', `0xc0684608')
-define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
-define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
-define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
-define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
-define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
-define(`SNDCTL_MIDI_INFO', `0xc074510c')
-define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
-define(`SOUND_MIXER_ACCESS', `0xc0804d66')
-define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
-define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
-define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
-define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
-define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
-define(`SNDCTL_SYNTH_ID', `0xc08c5114')
-define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
-define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
-define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
-define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
-define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
-define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
-define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
-define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
-define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
-define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
-define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
-define(`VIDIOC_G_PARM', `0xc0cc5615')
-define(`VIDIOC_S_PARM', `0xc0cc5616')
-define(`VIDIOC_G_FMT', `0xc0d05604')
-define(`VIDIOC_S_FMT', `0xc0d05605')
-define(`VIDIOC_TRY_FMT', `0xc0d05640')
-define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
-define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
-define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
-define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
-define(`VIDIOC_CREATE_BUFS', `0xc100565c')
-define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
-define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
-define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
-define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
-define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
-define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
-define(`DM_VERSION', `0xc138fd00')
-define(`DM_REMOVE_ALL', `0xc138fd01')
-define(`DM_LIST_DEVICES', `0xc138fd02')
-define(`DM_DEV_CREATE', `0xc138fd03')
-define(`DM_DEV_REMOVE', `0xc138fd04')
-define(`DM_DEV_RENAME', `0xc138fd05')
-define(`DM_DEV_SUSPEND', `0xc138fd06')
-define(`DM_DEV_STATUS', `0xc138fd07')
-define(`DM_DEV_WAIT', `0xc138fd08')
-define(`DM_TABLE_LOAD', `0xc138fd09')
-define(`DM_TABLE_CLEAR', `0xc138fd0a')
-define(`DM_TABLE_DEPS', `0xc138fd0b')
-define(`DM_TABLE_STATUS', `0xc138fd0c')
-define(`DM_LIST_VERSIONS', `0xc138fd0d')
-define(`DM_TARGET_MSG', `0xc138fd0e')
-define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
-define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
-define(`KVM_GET_IRQCHIP', `0xc208ae62')
-define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
-define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
-define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
-define(`BTRFS_IOC_SCRUB', `0xc400941b')
-define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
-define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
-define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
-define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
-define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
-define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
-define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
-define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
-define(`SNDCTL_COPR_LOAD', `0xcfb04301')
-define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
-define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
-define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
-define(`HIDIOCGUSAGES', `0xd01c4813')
-define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
-define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
-define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
-define(`PPPIOCGL2TPSTATS', `0x7436')
-define(`PPPIOCGCHAN', `0x7437')
-define(`PPPIOCATTCHAN', `0x7438')
-define(`PPPIOCDISCONN', `0x7439')
-define(`PPPIOCCONNECT', `0x743a')
-define(`PPPIOCSMRRU', `0x743b')
-define(`PPPIOCDETACH', `0x743c')
-define(`PPPIOCATTACH', `0x743d')
-define(`PPPIOCNEWUNIT', `0x743e')
-define(`PPPIOCGIDLE', `0x743f')
-define(`PPPIOCSDEBUG', `0x7440')
-define(`PPPIOCGDEBUG', `0x7441')
-define(`PPPIOCSACTIVE', `0x7446')
-define(`PPPIOCSPASS', `0x7447')
-define(`PPPIOCSNPMODE', `0x744b')
-define(`PPPIOCGNPMODE', `0x744c')
-define(`PPPIOCSCOMPRESS', `0x744d')
-define(`PPPIOCXFERUNIT', `0x744e')
-define(`PPPIOCSXASYNCMAP', `0x744f')
-define(`PPPIOCGXASYNCMAP', `0x7450')
-define(`PPPIOCSMAXCID', `0x7451')
-define(`PPPIOCSMRU', `0x7452')
-define(`PPPIOCGMRU', `0x7453')
-define(`PPPIOCSRASYNCMAP', `0x7454')
-define(`PPPIOCGRASYNCMAP', `0x7455')
-define(`PPPIOCGUNIT', `0x7456')
-define(`PPPIOCSASYNCMAP', `0x7457')
-define(`PPPIOCGASYNCMAP', `0x7458')
-define(`PPPIOCSFLAGS', `0x7459')
-define(`PPPIOCGFLAGS', `0x745a')
-define(`PPPIOCGCALLINFO', `0x7480')
-define(`PPPIOCBUNDLE', `0x7481')
-define(`PPPIOCGMPFLAGS', `0x7482')
-define(`PPPIOCSMPFLAGS', `0x7483')
-define(`PPPIOCSMPMTU', `0x7484')
-define(`PPPIOCSMPMRU', `0x7485')
-define(`PPPIOCGCOMPRESSORS', `0x7486')
-define(`PPPIOCSCOMPRESSOR', `0x7487')
-define(`PPPIOCGIFNAME', `0x7488')
diff --git a/prebuilts/api/26.0/public/ioctl_macros b/prebuilts/api/26.0/public/ioctl_macros
deleted file mode 100644
index f7081d5762252427145ff6b9605942725c110d5b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/ioctl_macros
+++ /dev/null
@@ -1,68 +0,0 @@
-# socket ioctls allowed to unprivileged apps
-define(`unpriv_sock_ioctls', `
-{
-# Socket ioctls for gathering information about the interface
-SIOCGSTAMP SIOCGSTAMPNS
-SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
-SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
-# Wireless extension ioctls. Primarily get functions.
-SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
-SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
-SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-}')
-
-# socket ioctls never allowed to unprivileged apps
-define(`priv_sock_ioctls', `
-{
-# qualcomm rmnet ioctls
-WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
-# socket ioctls
-SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
-SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
-SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
-SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
-SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
-SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
-SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
-SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
-SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
-SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
-# device and protocol specific ioctls
-SIOCDEVPRIVATE-SIOCDEVPRIVLAST
-SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
-# Wireless extension ioctls
-SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
-SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
-SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
-SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
-SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
-SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
-# Dev private ioctl i.e. hardware specific ioctls
-SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
-}')
-
-# commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
-}')
-
-# commonly used TTY ioctls
-# merge with unpriv_unix_sock_ioctls?
-define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
- TCFLSH TIOCSPGRP TIOCGPGRP
-}')
-
-# point to point ioctls
-define(`ppp_ioctls', `{
-PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
-PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
-PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
-PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
-PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
-PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
-PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
-PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
-PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
-PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
-}')
diff --git a/prebuilts/api/26.0/public/isolated_app.te b/prebuilts/api/26.0/public/isolated_app.te
deleted file mode 100644
index a907dacc2a8619268c80987fb66820143f9a0679..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/isolated_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-type isolated_app, domain;
diff --git a/prebuilts/api/26.0/public/kernel.te b/prebuilts/api/26.0/public/kernel.te
deleted file mode 100644
index 9537c0dfaf4f8c4feec5ec47f24e62a28fba12a6..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/kernel.te
+++ /dev/null
@@ -1,103 +0,0 @@
-# Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
-
-allow kernel self:capability sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-r_dir_file(kernel, proc)
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# MTP sync (b/15835289)
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel priv_app:fd use;
-allow kernel sdcard_type:file { read write };
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel app_data_file:file read;
-allow kernel asec_image_file:file read;
-
-# Allow reading loop device in update_engine_unittests. (b/28319454)
-userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
-')
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow kernel media_rw_data_file:dir create_dir_perms;
-allow kernel media_rw_data_file:file create_file_perms;
-
-# Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file read;
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper. In this case, define a domain
-# for the program and domain_auto_trans() to it.
-# - You are running an exploit which switched to the init task credentials
-# and is then trying to exec a shell or other program. You lose!
-neverallow kernel *:file { entrypoint execute_no_trans };
-
-# the kernel should not be accessing files owned by other users.
-# Instead of adding dac_{read_search,override}, fix the unix permissions
-# on files being accessed.
-neverallow kernel self:capability { dac_override dac_read_search };
diff --git a/prebuilts/api/26.0/public/keystore.te b/prebuilts/api/26.0/public/keystore.te
deleted file mode 100644
index ee5e6757456e4c9316d76316e0e8e1e2b4ba5cd0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/keystore.te
+++ /dev/null
@@ -1,34 +0,0 @@
-type keystore, domain;
-type keystore_exec, exec_type, file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-binder_call(keystore, system_server)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-allow keystore sec_key_att_app_id_provider_service:service_manager find;
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-neverallow * keystore:process ptrace;
diff --git a/prebuilts/api/26.0/public/lmkd.te b/prebuilts/api/26.0/public/lmkd.te
deleted file mode 100644
index f4e6c2d57091273592e66cabbcfa5f51bac20b32..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/lmkd.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, exec_type, file_type;
-
-allow lmkd self:capability { dac_override sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:capability ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj
-## TODO: maybe scope this down?
-r_dir_file(lmkd, appdomain)
-allow lmkd appdomain:file write;
-r_dir_file(lmkd, system_server)
-allow lmkd system_server:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_type)
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# Send kill signals
-allow lmkd appdomain:process sigkill;
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-
-# Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
-
-allow lmkd proc_zoneinfo:file r_file_perms;
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
diff --git a/prebuilts/api/26.0/public/logd.te b/prebuilts/api/26.0/public/logd.te
deleted file mode 100644
index 62bff9739669d93285384bf45aec7bf382edb37c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/logd.te
+++ /dev/null
@@ -1,73 +0,0 @@
-# android user-space log manager
-type logd, domain, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, proc)
-r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
-
-allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
-allow logd self:capability2 syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
- # Access to /data/misc/logd/event-log-tags
- allow logd misc_logd_file:dir r_dir_perms;
- allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { open read };
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
- domain
- -init
- -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/26.0/public/logpersist.te b/prebuilts/api/26.0/public/logpersist.te
deleted file mode 100644
index 7536cb84d853fd5abe88d8b65faee0ba18b5d942..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/logpersist.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# android debug logging, logpersist domains
-type logpersist, domain;
-
-###
-### Neverallow rules
-###
-### logpersist should NEVER do any of this
-
-# Block device access.
-neverallow logpersist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logpersist domain:process ptrace;
-
-# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init should be allowed to enter the logpersist domain via exec()
-# Following is a list of debug domains we know that transition to logpersist
-# neverallow_with_undefined_domains {
-# domain
-# -init # goldfish, logcatd, raft
-# -mmi # bat, mtp8996, msmcobalt
-# -system_app # Smith.apk
-# } logpersist:process transition;
-neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/26.0/public/mdnsd.te b/prebuilts/api/26.0/public/mdnsd.te
deleted file mode 100644
index ef7b065d875658cb229e0153d4cb5c266159d0e9..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/mdnsd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# mdns daemon
-type mdnsd, domain;
diff --git a/prebuilts/api/26.0/public/mediacodec.te b/prebuilts/api/26.0/public/mediacodec.te
deleted file mode 100644
index 5ca41fcf11719b2812a70d775ce1b7b1cec3547d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/mediacodec.te
+++ /dev/null
@@ -1,67 +0,0 @@
-# mediacodec - audio and video codecs live here
-type mediacodec, domain;
-type mediacodec_exec, exec_type, vendor_file_type, file_type;
-
-typeattribute mediacodec mlstrustedsubject;
-
-# TODO(b/36375899) attributize this domain appropriately as hal_omx
-# and use macro hal_server_domain
-get_prop(mediacodec, hwservicemanager_prop)
-
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec)
-
-not_full_treble(`
- # on legacy devices, continue to allow /dev/binder traffic
- binder_use(mediacodec)
- binder_service(mediacodec)
- add_service(mediacodec, mediacodec_service)
- allow mediacodec mediametrics_service:service_manager find;
- allow mediacodec surfaceflinger_service:service_manager find;
-')
-binder_call(mediacodec, binderservicedomain)
-binder_call(mediacodec, appdomain)
-
-# Allow mediacodec access to composer sync fences
-allow mediacodec hal_graphics_composer:fd use;
-
-allow mediacodec gpu_device:chr_file rw_file_perms;
-allow mediacodec video_device:chr_file rw_file_perms;
-allow mediacodec video_device:dir search;
-allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_camera:fd use;
-
-crash_dump_fallback(mediacodec)
-
-add_hwservice(mediacodec, hal_omx_hwservice)
-
-hal_client_domain(mediacodec, hal_allocator)
-
-# allocate and use graphic buffers
-hal_client_domain(mediacodec, hal_graphics_allocator)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to mediacodec via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediacodec bufferhubd:fd use;
-
-###
-### neverallow rules
-###
-
-# mediacodec should never execute any executable without a
-# domain transition
-neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/mediadrmserver.te b/prebuilts/api/26.0/public/mediadrmserver.te
deleted file mode 100644
index cef81212abb52691f8e5f7b3f4c835e593346448..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/mediadrmserver.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# mediadrmserver - mediadrm daemon
-type mediadrmserver, domain;
-type mediadrmserver_exec, exec_type, file_type;
-
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-hal_client_domain(mediadrmserver, hal_drm)
-
-add_service(mediadrmserver, mediadrmserver_service)
-allow mediadrmserver mediaserver_service:service_manager find;
-allow mediadrmserver mediametrics_service:service_manager find;
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-allow mediadrmserver system_file:dir r_dir_perms;
-
-add_service(mediadrmserver, mediacasserver_service)
-
-binder_call(mediadrmserver, mediacodec)
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/26.0/public/mediaextractor.te b/prebuilts/api/26.0/public/mediaextractor.te
deleted file mode 100644
index 94824b75e8fa8a063d84e533cf0cc4b2100d96bd..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/mediaextractor.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# mediaextractor - multimedia daemon
-type mediaextractor, domain;
-type mediaextractor_exec, exec_type, file_type;
-
-typeattribute mediaextractor mlstrustedsubject;
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-add_service(mediaextractor, mediaextractor_service)
-allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor mediacasserver_service:service_manager find;
-
-allow mediaextractor system_server:fd use;
-
-r_dir_file(mediaextractor, cgroup)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
-crash_dump_fallback(mediaextractor)
-
-# allow mediaextractor read permissions for file sources
-allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor app_data_file:file { getattr read };
-
-# Read resources from open apk files passed over Binder
-allow mediaextractor apk_data_file:file { read getattr };
-allow mediaextractor asec_apk_file:file { read getattr };
-allow mediaextractor ringtone_file:file { read getattr };
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/mediametrics.te b/prebuilts/api/26.0/public/mediametrics.te
deleted file mode 100644
index 4c10d878cdc5b610ec88b311bd58b58db4d3c06a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/mediametrics.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# mediametrics - daemon for collecting media.metrics data
-type mediametrics, domain;
-type mediametrics_exec, exec_type, file_type;
-
-
-binder_use(mediametrics)
-binder_call(mediametrics, binderservicedomain)
-binder_service(mediametrics)
-
-add_service(mediametrics, mediametrics_service)
-
-allow mediametrics system_server:fd use;
-
-r_dir_file(mediametrics, cgroup)
-allow mediametrics proc_meminfo:file r_file_perms;
-
-# allows interactions with dumpsys to GMScore
-allow mediametrics app_data_file:file write;
-
-###
-### neverallow rules
-###
-
-# mediametrics should never execute any executable without a
-# domain transition
-neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/mediaserver.te b/prebuilts/api/26.0/public/mediaserver.te
deleted file mode 100644
index 6efaf0fdf4d640578345f64472a46eb1872796b9..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/mediaserver.te
+++ /dev/null
@@ -1,150 +0,0 @@
-# mediaserver - multimedia daemon
-type mediaserver, domain;
-type mediaserver_exec, exec_type, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
-typeattribute mediaserver halclientdomain;
-
-net_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaserver, cgroup)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
- # ptrace to processes in the same domain for memory leak detection
- allow mediaserver self:process ptrace;
-')
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver sdcard_type:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-
-set_prop(mediaserver, audio_prop)
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-allow mediaserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-add_service(mediaserver, mediaserver_service)
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediacodec_service:service_manager find;
-allow mediaserver mediametrics_service:service_manager find;
-allow mediaserver media_session_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# for ModDrm/MediaPlayer
-allow mediaserver mediadrmserver_service:service_manager find;
-
-# For interfacing with OMX HAL
-allow mediaserver hidl_token_hwservice:hwservice_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow mediaserver media_rw_data_file:dir create_dir_perms;
-allow mediaserver media_rw_data_file:file create_file_perms;
-
-# Access to media in /data/preloads
-allow mediaserver preloads_media_file:file { getattr read ioctl };
-
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver hal_graphics_allocator:fd use;
-allow mediaserver hal_graphics_composer:fd use;
-allow mediaserver hal_camera:fd use;
-
-allow mediaserver system_server:fd use;
-
-hal_client_domain(mediaserver, hal_allocator)
-
-binder_call(mediaserver, mediacodec)
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/26.0/public/modprobe.te b/prebuilts/api/26.0/public/modprobe.te
deleted file mode 100644
index 3ed320e5b3b632e092785f11875d6ea6a76ba76a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/modprobe.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type modprobe, domain;
-
-allow modprobe proc_modules:file r_file_perms;
-allow modprobe self:capability sys_module;
-allow modprobe kernel:key search;
-recovery_only(`
- allow modprobe rootfs:system module_load;
- allow modprobe rootfs:file r_file_perms;
-')
-allow modprobe { system_file }:system module_load;
-r_dir_file(modprobe, { system_file })
diff --git a/prebuilts/api/26.0/public/mtp.te b/prebuilts/api/26.0/public/mtp.te
deleted file mode 100644
index a77624064677516b6531cc1a1ba1333b744b4772..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/mtp.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# vpn tunneling protocol manager
-type mtp, domain;
-type mtp_exec, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:socket create_socket_perms_no_ioctl;
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/26.0/public/net.te b/prebuilts/api/26.0/public/net.te
deleted file mode 100644
index 7e00ed845cf8428e275716393fb33a707da074e6..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/net.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
diff --git a/prebuilts/api/26.0/public/netd.te b/prebuilts/api/26.0/public/netd.te
deleted file mode 100644
index 691887fcd39e56743135d50fb66b5d054e3c6850..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/netd.te
+++ /dev/null
@@ -1,110 +0,0 @@
-# network manager
-type netd, domain, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
-
-net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-allow netd system_server:fd use;
-
-allow netd self:capability { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:capability fsetid;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-not_full_treble(`allow netd vendor_file:file x_file_perms;')
-allow netd devpts:chr_file rw_file_perms;
-
-# Acquire advisory lock on /system/etc/xtables.lock
-allow netd system_file:file lock;
-
-r_dir_file(netd, proc_net)
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
-
-# Enables PppController and interface enumeration (among others)
-r_dir_file(netd, sysfs_type)
-# Allows setting interface MTU
-allow netd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-# TODO: netd previously thought it needed these permissions to do WiFi related
-# work. However, after all the WiFi stuff is gone, we still need them.
-# Why?
-allow netd self:capability { dac_override chown };
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-allow netd self:capability fowner;
-
-# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
-
-# Allow netd to start clatd in its own domain
-allow netd clatd:process signal;
-
-set_prop(netd, ctl_mdnsd_prop)
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-add_service(netd, netd_service)
-allow netd dumpstate:fifo_file { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{
- tcp_socket
- udp_socket
- rawip_socket
- tun_socket
-} { read write getattr setattr getopt setopt };
-allow netd netdomain:fd use;
-
-# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
-
-# only system_server, dumpstate and netd may interact with netd over binder
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } netd:binder call;
-neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/26.0/public/netutils_wrapper.te b/prebuilts/api/26.0/public/netutils_wrapper.te
deleted file mode 100644
index c844762c8cae0c244d0ad3f828e6ce34d3b3475f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/netutils_wrapper.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type netutils_wrapper, domain;
-type netutils_wrapper_exec, exec_type, file_type;
-
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/26.0/public/neverallow_macros b/prebuilts/api/26.0/public/neverallow_macros
deleted file mode 100644
index e2b6ed1af12264899c24eaf7e96e81e38fd8c2d7..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/neverallow_macros
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Common neverallow permissions
-define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
-define(`no_x_file_perms', `{ execute execute_no_trans }')
-define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
-
-#####################################
-# neverallow_establish_socket_comms(src, dst)
-# neverallow src domain establishing socket connections to dst domain.
-#
-define(`neverallow_establish_socket_comms', `
- neverallow $1 $2:socket_class_set { connect sendto };
- neverallow $1 $2:unix_stream_socket connectto;
-')
diff --git a/prebuilts/api/26.0/public/nfc.te b/prebuilts/api/26.0/public/nfc.te
deleted file mode 100644
index e3a03e7968a3c8346c821ba3dc9a26cd5e8b3736..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/nfc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# nfc subsystem
-type nfc, domain;
diff --git a/prebuilts/api/26.0/public/otapreopt_chroot.te b/prebuilts/api/26.0/public/otapreopt_chroot.te
deleted file mode 100644
index c071f447f15e529a6505d74e766fdbea336a9b20..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:capability { sys_admin sys_chroot };
-
-# This is required to mount /vendor.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem mount;
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/26.0/public/otapreopt_slot.te b/prebuilts/api/26.0/public/otapreopt_slot.te
deleted file mode 100644
index 6551864c34463246023dd1f0e9bfb3f782329a28..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/otapreopt_slot.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# otapreopt_slot
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, exec_type, file_type;
-
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/26.0/public/performanced.te b/prebuilts/api/26.0/public/performanced.te
deleted file mode 100644
index 3d3fadb3989b54e9e81daf6995289faf6b791afb..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/performanced.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# performanced
-type performanced, domain, mlstrustedsubject;
-type performanced_exec, exec_type, file_type;
-
-pdx_server(performanced, performance_client)
-
-# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:capability { setuid setgid sys_nice };
-
-# Access /proc to validate we're only affecting threads in the same thread group.
-# Performanced also shields unbound kernel threads. It scans every task in the
-# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
-dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
-
-# Access /dev/cpuset/cpuset.cpus
-r_dir_file(performanced, cgroup)
diff --git a/prebuilts/api/26.0/public/perfprofd.te b/prebuilts/api/26.0/public/perfprofd.te
deleted file mode 100644
index bfb8693fa47d8e98181656bae333410bee868d52..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/perfprofd.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# perfprofd - perf profile collection daemon
-type perfprofd, domain;
-type perfprofd_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-
- typeattribute perfprofd coredomain;
- typeattribute perfprofd mlstrustedsubject;
-
- # perfprofd needs to control CPU hot-plug in order to avoid kernel
- # perfevents problems in cases where CPU goes on/off during measurement;
- # this means read access to /sys/devices/system/cpu/possible
- # and read/write access to /sys/devices/system/cpu/cpu*/online
- allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
-
- # perfprofd checks for the existence of and then invokes simpleperf;
- # simpleperf retains perfprofd domain after exec
- allow perfprofd system_file:file rx_file_perms;
-
- # perfprofd reads a config file from /data/data/com.google.android.gms/files
- allow perfprofd app_data_file:file r_file_perms;
- allow perfprofd app_data_file:dir search;
- allow perfprofd self:capability { dac_override };
-
- # perfprofd opens a file for writing in /data/misc/perfprofd
- allow perfprofd perfprofd_data_file:file create_file_perms;
- allow perfprofd perfprofd_data_file:dir rw_dir_perms;
-
- # perfprofd uses the system log
- read_logd(perfprofd);
- write_logd(perfprofd);
-
- # perfprofd inspects /sys/power/wake_unlock
- wakelock_use(perfprofd);
-
- # simpleperf uses ioctl() to turn on kernel perf events measurements
- allow perfprofd self:capability sys_admin;
-
- # simpleperf needs to examine /proc to collect task/thread info
- r_dir_file(perfprofd, domain)
-
- # simpleperf needs to access /proc/<pid>/exec
- allow perfprofd self:capability { sys_resource sys_ptrace };
- neverallow perfprofd domain:process ptrace;
-
- # simpleperf needs open/read any file that turns up in a profile
- # to see whether it has a build ID
- allow perfprofd exec_type:file r_file_perms;
-
- # simpleperf examines debugfs on startup to collect tracepoint event types
- allow perfprofd debugfs_tracing:file r_file_perms;
-
- # simpleperf is going to execute "sleep"
- allow perfprofd toolbox_exec:file rx_file_perms;
-
- # needed for simpleperf on some kernels
- allow perfprofd self:capability ipc_lock;
-
-')
diff --git a/prebuilts/api/26.0/public/platform_app.te b/prebuilts/api/26.0/public/platform_app.te
deleted file mode 100644
index 9b1faf0f6a9149a5f0944eec43f0194a4aef02fe..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/platform_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-type platform_app, domain;
diff --git a/prebuilts/api/26.0/public/postinstall.te b/prebuilts/api/26.0/public/postinstall.te
deleted file mode 100644
index 7fd4dc61183db9d44b5968b631ebe62bead6c271..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/postinstall.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# Domain where the postinstall program runs during the update.
-# Extend the permissions in this domain to allow this program to access other
-# files needed by the specific device on your device's sepolicy directory.
-type postinstall, domain;
-
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine_common:fd use;
-allow postinstall update_engine_common:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
-
-#
-# For OTA dexopt.
-#
-
-# Allow postinstall scripts to talk to the system server.
-binder_use(postinstall)
-binder_call(postinstall, system_server)
-
-# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
-
-# No domain other than update_engine and recovery (via update_engine_sideload)
-# should transition to postinstall, as it is only meant to run during the
-# update.
-neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/26.0/public/postinstall_dexopt.te b/prebuilts/api/26.0/public/postinstall_dexopt.te
deleted file mode 100644
index 0ce617b81ade45d07b70b3b699303be16eca1582..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/postinstall_dexopt.te
+++ /dev/null
@@ -1,57 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain;
-
-allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
-allow postinstall_dexopt postinstall_file:lnk_file read;
-allow postinstall_dexopt proc:file { getattr open read };
-allow postinstall_dexopt tmpfs:file read;
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
-
-allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/prebuilts/api/26.0/public/ppp.te b/prebuilts/api/26.0/public/ppp.te
deleted file mode 100644
index 04e17f57ad708feced020739dd45d421f472d6a9..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/ppp.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Point to Point Protocol daemon
-type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net)
-
-allow ppp mtp:socket rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:socket ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/prebuilts/api/26.0/public/preopt2cachename.te b/prebuilts/api/26.0/public/preopt2cachename.te
deleted file mode 100644
index 49df647250f0f26cfd7b26052b0effc88f67c0c2..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/preopt2cachename.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-type preopt2cachename, domain;
-type preopt2cachename_exec, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
diff --git a/prebuilts/api/26.0/public/priv_app.te b/prebuilts/api/26.0/public/priv_app.te
deleted file mode 100644
index 0761fc30f88ff713c127b5ce3d105ae9072e807f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/priv_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-type priv_app, domain;
diff --git a/prebuilts/api/26.0/public/profman.te b/prebuilts/api/26.0/public/profman.te
deleted file mode 100644
index a5c18b51d8b51ad4311f5c0ba0bae54743e4d176..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/profman.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# profman
-type profman, domain;
-type profman_exec, exec_type, file_type;
-
-allow profman user_profile_data_file:file { getattr read write lock };
-
-# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
-allow profman oemfs:file { read };
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read };
-allow profman profman_dump_data_file:file { write };
-
-allow profman installd:fd use;
-
-# Allow profman to analyze profiles for the secondary dex files. These
-# are application dex files reported back to the framework when using
-# BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
-
-###
-### neverallow rules
-###
-
-neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/26.0/public/property.te b/prebuilts/api/26.0/public/property.te
deleted file mode 100644
index d6fa8680152157be6f43680be33592e120f47bff..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/property.te
+++ /dev/null
@@ -1,89 +0,0 @@
-type asan_reboot_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type boottime_prop, property_type;
-type bluetooth_prop, property_type;
-type config_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
-type ctl_bootanim_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_mdnsd_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type dalvik_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type default_prop, property_type, core_property_type;
-type device_logging_prop, property_type;
-type dhcp_prop, property_type, core_property_type;
-type dumpstate_options_prop, property_type;
-type dumpstate_prop, property_type, core_property_type;
-type ffs_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type firstboot_prop, property_type;
-type hwservicemanager_prop, property_type;
-type logd_prop, property_type, core_property_type;
-type logpersistd_logging_prop, property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
-type mmc_prop, property_type;
-type net_dns_prop, property_type;
-type net_radio_prop, property_type, core_property_type;
-type nfc_prop, property_type, core_property_type;
-type overlay_prop, property_type;
-type pan_result_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type persistent_properties_ready_prop, property_type;
-type powerctl_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type restorecon_prop, property_type, core_property_type;
-type safemode_prop, property_type;
-type serialno_prop, property_type;
-type shell_prop, property_type, core_property_type;
-type system_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
-type wifi_prop, property_type;
-
-allow property_type tmpfs:filesystem associate;
-
-###
-### Neverallow rules
-###
-
-# core_property_type should not be used for new properties or
-# device specific properties. Properties with this attribute
-# are readable to everyone, which is overly broad and should
-# be avoided.
-# New properties should have appropriate read / write access
-# control rules written.
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -default_prop
- -dhcp_prop
- -dumpstate_prop
- -ffs_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -system_radio_prop
- -vold_prop
-}:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/public/racoon.te b/prebuilts/api/26.0/public/racoon.te
deleted file mode 100644
index 00744d8f10a0de919c1ffe1838ec5c72d68a6b89..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/racoon.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/prebuilts/api/26.0/public/radio.te b/prebuilts/api/26.0/public/radio.te
deleted file mode 100644
index 6f29a705d362c185412e02b36e02e46610fb8d7f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/radio.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# phone subsystem
-type radio, domain, mlstrustedsubject;
-
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to rild via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, rild)')
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
-allow radio alarm_device:chr_file rw_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-# Property service
-set_prop(radio, radio_prop)
-set_prop(radio, net_radio_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
-add_service(radio, radio_service)
-allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
-
-# Perform HwBinder IPC.
-hwbinder_use(radio)
-hal_client_domain(radio, hal_telephony)
diff --git a/prebuilts/api/26.0/public/recovery.te b/prebuilts/api/26.0/public/recovery.te
deleted file mode 100644
index f55dc8a5dbde4dfe8df8edac045c0ccf484adcd0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/recovery.te
+++ /dev/null
@@ -1,143 +0,0 @@
-# recovery console (used in recovery init.rc for /sbin/recovery)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type recovery, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Allow recovery to perform an update as update_engine would do.
- typeattribute recovery update_engine_common;
- # Recovery can only use HALs in passthrough mode
- passthrough_hal_client_domain(recovery, hal_bootctl)
-
- allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
-
- # Set security contexts on files that are not known to the loaded policy.
- allow recovery self:capability2 mac_admin;
-
- # Run helpers from / or /system without changing domain.
- allow recovery rootfs:file execute_no_trans;
- allow recovery system_file:file execute_no_trans;
- allow recovery toolbox_exec:file rx_file_perms;
-
- # Mount filesystems.
- allow recovery rootfs:dir mounton;
- allow recovery fs_type:filesystem ~relabelto;
- allow recovery unlabeled:filesystem ~relabelto;
- allow recovery contextmount_type:filesystem relabelto;
-
- # Create and relabel files and directories under /system.
- allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
-
- # We may be asked to set an SELinux label for a type not known to the
- # currently loaded policy. Allow it.
- allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
- # Get file contexts
- allow recovery file_contexts_file:file r_file_perms;
-
- # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
- # support to OTAs. However, that code has a bug. When an update occurs,
- # some directories are inappropriately labeled as exec_type. This is
- # only transient, and subsequent steps in the OTA script correct this
- # mistake. New devices are moving to block based OTAs, so this is not
- # worth fixing. b/15575013
- allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
-
- # Write to /proc/sys/vm/drop_caches
- allow recovery proc_drop_caches:file w_file_perms;
-
- # Read kernel config through libvintf for OTA matching
- allow recovery config_gz:file { open read getattr };
-
- # Write to /sys/class/android_usb/android0/enable.
- # TODO: create more specific label?
- allow recovery sysfs:file w_file_perms;
-
- # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
- allow recovery sysfs_devices_system_cpu:file w_file_perms;
-
- allow recovery sysfs_batteryinfo:file r_file_perms;
-
- # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
- # control backlight brightness.
- allow recovery sysfs_leds:dir r_dir_perms;
- allow recovery sysfs_leds:file rw_file_perms;
- allow recovery sysfs_leds:lnk_file read;
-
- allow recovery kernel:system syslog_read;
-
- # Access /dev/usb-ffs/adb/ep0
- allow recovery functionfs:dir search;
- allow recovery functionfs:file rw_file_perms;
-
- # Required to e.g. wipe userdata/cache.
- allow recovery device:dir r_dir_perms;
- allow recovery block_device:dir r_dir_perms;
- allow recovery dev_type:blk_file rw_file_perms;
-
- # GUI
- allow recovery graphics_device:chr_file rw_file_perms;
- allow recovery graphics_device:dir r_dir_perms;
- allow recovery input_device:dir r_dir_perms;
- allow recovery input_device:chr_file r_file_perms;
- allow recovery tty_device:chr_file rw_file_perms;
-
- # Create /tmp/recovery.log and execute /tmp/update_binary.
- allow recovery tmpfs:file { create_file_perms x_file_perms };
- allow recovery tmpfs:dir create_dir_perms;
-
- # Manage files on /cache and /cache/recovery
- allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
- allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
- # Read /sys/class/thermal/*/temp for thermal info.
- r_dir_file(recovery, sysfs_thermal)
-
- # Read files on /oem.
- r_dir_file(recovery, oemfs);
-
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Start/stop adbd via ctl.start adbd
- set_prop(recovery, ctl_default_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Use setfscreatecon() to label files for OTA updates.
- allow recovery self:process setfscreate;
-
- # Allow recovery to create a fuse filesystem, and read files from it.
- allow recovery fuse_device:chr_file rw_file_perms;
- allow recovery fuse:dir r_dir_perms;
- allow recovery fuse:file r_file_perms;
-
- wakelock_use(recovery)
-
- # This line seems suspect, as it should not really need to
- # set scheduling parameters for a kernel domain task.
- allow recovery kernel:process setsched;
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
diff --git a/prebuilts/api/26.0/public/recovery_persist.te b/prebuilts/api/26.0/public/recovery_persist.te
deleted file mode 100644
index 091d3001a04eda7a2e46336783455aeeb405c8ba..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/recovery_persist.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# android recovery persistent log manager
-type recovery_persist, domain;
-type recovery_persist_exec, exec_type, file_type;
-
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
-
diff --git a/prebuilts/api/26.0/public/recovery_refresh.te b/prebuilts/api/26.0/public/recovery_refresh.te
deleted file mode 100644
index 602ed51d7cb5e75e90af276c7b5041f11a950c10..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/recovery_refresh.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# android recovery refresh log manager
-type recovery_refresh, domain;
-type recovery_refresh_exec, exec_type, file_type;
-
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/26.0/public/rild.te b/prebuilts/api/26.0/public/rild.te
deleted file mode 100644
index 14420dffb5d976f54a3034700add458a19423d3d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/rild.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# rild - radio interface layer daemon
-type rild, domain;
-hal_server_domain(rild, hal_telephony)
-
-net_domain(rild)
-allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
-
-allow rild self:netlink_route_socket nlmsg_write;
-allow rild kernel:system module_request;
-allow rild self:capability { setpcap setgid setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild cgroup:{ file lnk_file } r_file_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
-allow rild sdcard_type:dir r_dir_perms;
-allow rild system_data_file:dir r_dir_perms;
-allow rild system_data_file:file r_file_perms;
-allow rild system_file:file x_file_perms;
-
-# property service
-set_prop(rild, radio_prop)
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(rild)
-
-r_dir_file(rild, proc)
-r_dir_file(rild, proc_net)
-r_dir_file(rild, sysfs_type)
-r_dir_file(rild, system_file)
-
-# granting the ioctl permission for rild should be device specific
-allow rild self:socket create_socket_perms_no_ioctl;
-
diff --git a/prebuilts/api/26.0/public/roles b/prebuilts/api/26.0/public/roles
deleted file mode 100644
index ca9293439ae9ccc02da1b764fb6b9d3751308c10..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/roles
+++ /dev/null
@@ -1 +0,0 @@
-role r types domain;
diff --git a/prebuilts/api/26.0/public/runas.te b/prebuilts/api/26.0/public/runas.te
deleted file mode 100644
index 7a7febfc04f870ae3b93333e73c3ddd52dcde814..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/runas.te
+++ /dev/null
@@ -1,37 +0,0 @@
-type runas, domain, mlstrustedsubject;
-type runas_exec, exec_type, file_type;
-
-allow runas adbd:process sigchld;
-allow runas adbd:unix_stream_socket { read write };
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas shell:unix_stream_socket { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-# runas/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow runas seapp_contexts_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
diff --git a/prebuilts/api/26.0/public/sdcardd.te b/prebuilts/api/26.0/public/sdcardd.te
deleted file mode 100644
index 47a2f80611516032ba54c033b6081a025a1d236d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/sdcardd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-type sdcardd, domain;
-type sdcardd_exec, exec_type, file_type;
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
-allow sdcardd sdcardfs:filesystem remount;
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
-
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-
-# Read /data/.layout_version
-allow sdcardd install_data_file:file r_file_perms;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-# access /proc/filesystems
-allow sdcardd proc:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/26.0/public/service.te b/prebuilts/api/26.0/public/service.te
deleted file mode 100644
index da540dbf538c851d758fb792beb01c3511154755..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/service.te
+++ /dev/null
@@ -1,147 +0,0 @@
-type audioserver_service, service_manager_type;
-type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
-type default_android_service, service_manager_type;
-type drmserver_service, service_manager_type;
-type dumpstate_service, service_manager_type;
-type fingerprintd_service, service_manager_type;
-type hal_fingerprint_service, service_manager_type;
-type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
-type inputflinger_service, service_manager_type;
-type incident_service, service_manager_type;
-type installd_service, service_manager_type;
-type keystore_service, service_manager_type;
-type mediaserver_service, service_manager_type;
-type mediametrics_service, service_manager_type;
-type mediaextractor_service, service_manager_type;
-type mediacodec_service, service_manager_type;
-type mediadrmserver_service, service_manager_type;
-type mediacasserver_service, service_manager_type;
-type netd_service, service_manager_type;
-type nfc_service, service_manager_type;
-type radio_service, service_manager_type;
-type storaged_service, service_manager_type;
-type surfaceflinger_service, service_manager_type;
-type system_app_service, service_manager_type;
-type update_engine_service, service_manager_type;
-type virtual_touchpad_service, service_manager_type;
-type vr_hwc_service, service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type commontime_management_service, system_server_service, service_manager_type;
-type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
-# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
-type coverage_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netd_listener_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lock_settings_service, system_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type oem_lock_service, system_api_service, system_server_service, service_manager_type;
-type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_server_service, service_manager_type;
-type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type pinner_service, system_server_service, service_manager_type;
-type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vr_manager_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wificond_service, service_manager_type;
-type wifiaware_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/26.0/public/servicemanager.te b/prebuilts/api/26.0/public/servicemanager.te
deleted file mode 100644
index 3cf5a464d7445f1e616f77b6a12bdf1b436bd861..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/servicemanager.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -hwservicemanager
- -vndservicemanager
-}:binder transfer;
-
-# Access to all (system and vendor) service_contexts
-# TODO(b/36866029) access to nonplat_service_contexts
-# should not be allowed on full treble devices
-allow servicemanager service_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
diff --git a/prebuilts/api/26.0/public/sgdisk.te b/prebuilts/api/26.0/public/sgdisk.te
deleted file mode 100644
index 3007398783ac3ed427f653098985d0a98788cca1..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/sgdisk.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# sgdisk called from vold
-type sgdisk, domain;
-type sgdisk_exec, exec_type, file_type;
-
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/public/shared_relro.te b/prebuilts/api/26.0/public/shared_relro.te
deleted file mode 100644
index 91cf44d0244adc49669c7f98fee241445f37c27b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/shared_relro.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro webviewupdate_service:service_manager find;
diff --git a/prebuilts/api/26.0/public/shell.te b/prebuilts/api/26.0/public/shell.te
deleted file mode 100644
index 1fb896a7d48ef4e4cd0d8605a1aa7033a84952e7..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/shell.te
+++ /dev/null
@@ -1,184 +0,0 @@
-# Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
-
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
- allow shell nativetest_data_file:dir r_dir_perms;
- allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file rw_file_perms;
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-r_dir_file(shell, apk_data_file)
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-
-userdebug_or_eng(`
- # "systrace --boot" support - allow boottrace service to run
- allow shell boottrace_data_file:dir rw_dir_perms;
- allow shell boottrace_data_file:file create_file_perms;
- set_prop(shell, persist_debug_prop)
-')
-
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-# TODO: why is this so broad? Tightening candidate? It needs at list:
-# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-allow shell dumpstate:binder call;
-
-# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with lshal
-hwbinder_use(shell)
-allow shell hwservicemanager:hwservice_manager list;
-
-# allow shell to look through /proc/ for ps, top, netstat
-r_dir_file(shell, proc)
-r_dir_file(shell, proc_net)
-allow shell proc_interrupts:file r_file_perms;
-allow shell proc_meminfo:file r_file_perms;
-allow shell proc_stat:file r_file_perms;
-allow shell proc_timer:file r_file_perms;
-allow shell proc_zoneinfo:file r_file_perms;
-r_dir_file(shell, cgroup)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs_batteryinfo:file r_file_perms;
-allow shell sysfs:dir r_dir_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-#
-# filesystem test for insecure chr_file's is done
-# via a host side test
-#
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-#
-# filesystem test for insucre blk_file's is done
-# via hostside test
-#
-allow shell dev_type:blk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell seapp_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
-
-# Do not allow privileged socket ioctl commands
-neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
-# limit shell access to sensitive char drivers to
-# only getattr required for host side test.
-neverallow shell {
- fuse_device
- hw_random_device
- kmem_device
- port_device
-}:chr_file ~getattr;
-
-# Limit shell to only getattr on blk devices for host side tests.
-neverallow shell dev_type:blk_file ~getattr;
diff --git a/prebuilts/api/26.0/public/slideshow.te b/prebuilts/api/26.0/public/slideshow.te
deleted file mode 100644
index 86d4bff2e32746b180a43f2b0d44924acfb1819d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/slideshow.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# slideshow seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type slideshow, domain;
-
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
diff --git a/prebuilts/api/26.0/public/su.te b/prebuilts/api/26.0/public/su.te
deleted file mode 100644
index 8ddd1622459af1ac864e90686680e91396cb3045..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/su.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
-type su, domain;
-
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- typeattribute su mlstrustedsubject;
-
- # Add su to various domains
- net_domain(su)
-
- # grant su access to vndbinder
- vndbinder_use(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su kernel:security *;
- dontaudit su kernel:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:process *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su vndservice_manager_type:service_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su postinstall_file:filesystem *;
-')
diff --git a/prebuilts/api/26.0/public/surfaceflinger.te b/prebuilts/api/26.0/public/surfaceflinger.te
deleted file mode 100644
index ae00287d82ed4d41c8fff97dc18b04f887b407bb..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/surfaceflinger.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain;
diff --git a/prebuilts/api/26.0/public/system_app.te b/prebuilts/api/26.0/public/system_app.te
deleted file mode 100644
index 023058ee0f0f2220e94101cdbe92fafeff4bfbfd..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/system_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-type system_app, domain;
diff --git a/prebuilts/api/26.0/public/system_server.te b/prebuilts/api/26.0/public/system_server.te
deleted file mode 100644
index 805d6175d614d8cc474fde51ea31a86fbb672c3d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/system_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain;
diff --git a/prebuilts/api/26.0/public/te_macros b/prebuilts/api/26.0/public/te_macros
deleted file mode 100644
index d65eb889ca28da46c9f285780e9df1c7facd049a..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/te_macros
+++ /dev/null
@@ -1,572 +0,0 @@
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-define(`domain_trans', `
-# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
-allow $1 $3:process transition;
-# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
-# New domain can send SIGCHLD to its caller.
-ifelse($1, `init', `', `allow $3 $1:process sigchld;')
-# Enable AT_SECURE, i.e. libc secure mode.
-dontaudit $1 $3:process noatsecure;
-# XXX dontaudit candidate but requires further study.
-allow $1 $3:process { siginh rlimitinh };
-')
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-define(`domain_auto_trans', `
-# Allow the necessary permissions.
-domain_trans($1,$2,$3)
-# Make the transition occur by default.
-type_transition $1 $2:process $3;
-')
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-define(`file_type_trans', `
-# Allow the domain to add entries to the directory.
-allow $1 $2:dir ra_dir_perms;
-# Allow the domain to create the file.
-allow $1 $3:notdevfile_class_set create_file_perms;
-allow $1 $3:dir create_dir_perms;
-')
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-define(`file_type_auto_trans', `
-# Allow the necessary permissions.
-file_type_trans($1, $2, $3)
-# Make the transition occur by default.
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-')
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:{ file lnk_file } r_file_perms;
-')
-
-#####################################
-# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
-define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
-type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr };
-allow $1 tmpfs:dir { getattr search };
-')
-
-# pdx macros for IPC. pdx is a high-level name which contains transport-specific
-# rules from underlying transport (e.g. UDS-based implementation).
-
-#####################################
-# pdx_service_attributes(service)
-# Defines type attribute used to identify various service-related types.
-define(`pdx_service_attributes', `
-attribute pdx_$1_endpoint_dir_type;
-attribute pdx_$1_endpoint_socket_type;
-attribute pdx_$1_channel_socket_type;
-attribute pdx_$1_server_type;
-')
-
-#####################################
-# pdx_service_socket_types(service, endpoint_dir_t)
-# Define types for endpoint and channel sockets.
-define(`pdx_service_socket_types', `
-typeattribute $2 pdx_$1_endpoint_dir_type;
-type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
-type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
-')
-
-#####################################
-# pdx_server(server_domain, service)
-define(`pdx_server', `
-# Mark the server domain as a PDX server.
-typeattribute $1 pdx_$2_server_type;
-# Allow the init process to create the initial endpoint socket.
-allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
-# Allow the server domain to use the endpoint socket and accept connections on it.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
-# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
-allow $1 self:process setsockcreate;
-# Allow the server domain to create a client channel socket.
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
-# Prevent other processes from claiming to be a server for the same service.
-neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
-')
-
-#####################################
-# pdx_connect(client, service)
-define(`pdx_connect', `
-# Allow client to open the service endpoint file.
-allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
-allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
-# Allow the client to connect to endpoint socket.
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
-')
-
-#####################################
-# pdx_use(client, service)
-define(`pdx_use', `
-# Allow the client to use the PDX channel socket.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
-# Client needs to use an channel event fd from the server.
-allow $1 pdx_$2_server_type:fd use;
-# Servers may receive sync fences, gralloc buffers, etc, from clients.
-# This could be tightened on a per-server basis, but keeping track of service
-# clients is error prone.
-allow pdx_$2_server_type $1:fd use;
-')
-
-#####################################
-# pdx_client(client, service)
-define(`pdx_client', `
-pdx_connect($1, $2)
-pdx_use($1, $2)
-')
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-define(`init_daemon_domain', `
-domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
-')
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-define(`app_domain', `
-typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
-')
-
-#####################################
-# untrusted_app_domain(domain)
-# Allow a base set of permissions required for all untrusted apps.
-define(`untrusted_app_domain', `
-typeattribute $1 untrusted_app_all;
-')
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-define(`net_domain', `
-typeattribute $1 netdomain;
-')
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-define(`bluetooth_domain', `
-typeattribute $1 bluetoothdomain;
-')
-
-#####################################
-# hal_server_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to offer a
-# HAL implementation of the specified type over HwBinder.
-#
-# For example, default implementation of Foo HAL:
-# type hal_foo_default, domain;
-# hal_server_domain(hal_foo_default, hal_foo)
-#
-define(`hal_server_domain', `
-typeattribute $1 halserverdomain;
-typeattribute $1 $2_server;
-typeattribute $1 $2;
-')
-
-#####################################
-# hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a HAL of the specified type.
-#
-# For example, make some_domain a client of Foo HAL:
-# hal_client_domain(some_domain, hal_foo)
-#
-define(`hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-
-# TODO(b/34170079): Make the inclusion of the rules below conditional also on
-# non-Treble devices. For now, on non-Treble device, always grant clients of a
-# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
-not_full_treble(`
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
-')
-')
-
-#####################################
-# passthrough_hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a passthrough HAL of the specified type.
-#
-# For example, make some_domain a client of passthrough Foo HAL:
-# passthrough_hal_client_domain(some_domain, hal_foo)
-#
-define(`passthrough_hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
-')
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#
-# Note: If you see denial records that distill to the
-# following allow rules:
-# allow clientdomain property_socket:sock_file write;
-# allow clientdomain init:unix_stream_socket connectto;
-# allow clientdomain something_prop:property_service set;
-#
-# This sequence is indicative of attempting to set a property.
-# use set_prop(sourcedomain, targetproperty)
-#
-define(`unix_socket_connect', `
-ifelse($2, `property', `
- ifelse($3,`init', `
- print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
- ')
-')
-__unix_socket_connect__($1, $2, $3)
-')
-
-define(`__unix_socket_connect__', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_stream_socket connectto;
-')
-
-#####################################
-# set_prop(sourcedomain, targetproperty)
-# Allows source domain to set the
-# targetproperty.
-#
-define(`set_prop', `
-__unix_socket_connect__($1, property, init)
-allow $1 $2:property_service set;
-get_prop($1, $2)
-')
-
-#####################################
-# get_prop(sourcedomain, targetproperty)
-# Allows source domain to read the
-# targetproperty.
-#
-define(`get_prop', `
-allow $1 $2:file r_file_perms;
-')
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-define(`unix_socket_send', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_dgram_socket sendto;
-')
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-define(`binder_use', `
-# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder { call transfer };
-# servicemanager performs getpidcon on clients.
-allow servicemanager $1:dir search;
-allow servicemanager $1:file { read open };
-allow servicemanager $1:process getattr;
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# hwbinder_use(domain)
-# Allow domain to use HwBinder IPC.
-define(`hwbinder_use', `
-# Call the hwservicemanager and transfer references to it.
-allow $1 hwservicemanager:binder { call transfer };
-# Allow hwservicemanager to send out callbacks
-allow hwservicemanager $1:binder { call transfer };
-# hwservicemanager performs getpidcon on clients.
-allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
-allow hwservicemanager $1:process getattr;
-# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# vndbinder_use(domain)
-# Allow domain to use Binder IPC.
-define(`vndbinder_use', `
-# Talk to the vndbinder device node
-allow $1 vndbinder_device:chr_file rw_file_perms;
-# Call the vndservicemanager and transfer references to it.
-allow $1 vndservicemanager:binder { call transfer };
-# vndservicemanager performs getpidcon on clients.
-allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
-allow vndservicemanager $1:process getattr;
-')
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-define(`binder_call', `
-# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { call transfer };
-# Allow the serverdomain to transfer references to the client on the reply.
-allow $2 $1:binder transfer;
-# Receive and use open files from the server.
-allow $1 $2:fd use;
-')
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-define(`binder_service', `
-typeattribute $1 binderservicedomain;
-')
-
-#####################################
-# wakelock_use(domain)
-# Allow domain to manage wake locks
-define(`wakelock_use', `
-# Access /sys/power/wake_lock and /sys/power/wake_unlock
-allow $1 sysfs_wake_lock:file rw_file_perms;
-# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
-')
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-define(`selinux_check_access', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
-')
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-define(`selinux_check_context', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security check_context;
-')
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-define(`create_pty', `
-# Each domain gets a unique devpts type.
-type $1_devpts, fs_type;
-# Label the pty with the unique type when created.
-type_transition $1 devpts:chr_file $1_devpts;
-# Allow use of the pty after creation.
-allow $1 $1_devpts:chr_file { open getattr read write ioctl };
-allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-# allowed to everyone via domain.te.
-')
-
-#####################################
-# Non system_app application set
-#
-define(`non_system_app_set', `{ appdomain -system_app }')
-
-#####################################
-# Recovery only
-# SELinux rules which apply only to recovery mode
-#
-define(`recovery_only', ifelse(target_recovery, `true', $1, ))
-
-#####################################
-# Full TREBLE only
-# SELinux rules which apply only to full TREBLE devices
-#
-define(`full_treble_only', ifelse(target_full_treble, `true', $1,
-ifelse(target_full_treble, `cts',
-# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# Not full TREBLE
-# SELinux rules which apply only to devices which are not full TREBLE devices
-#
-define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-
-#####################################
-# asan builds
-# SELinux rules which apply only to asan builds
-#
-define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
-
-####################################
-# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
-#
-define(`crash_dump_fallback', `
-userdebug_or_eng(`
- allow $1 su:fifo_file append;
-')
-allow $1 anr_data_file:file append;
-allow $1 dumpstate:fd use;
-# TODO: Figure out why write is needed and remove.
-allow $1 dumpstate:fifo_file { append write };
-allow $1 tombstoned:unix_stream_socket connectto;
-allow $1 tombstoned:fd use;
-allow $1 tombstoned_crash_socket:sock_file write;
-allow $1 tombstone_data_file:file append;
-')
-
-#####################################
-# WITH_DEXPREOPT builds
-# SELinux rules which apply only when pre-opting.
-#
-define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# read_runtime_log_tags(domain)
-# ability to directly map the runtime event log tags
-define(`read_runtime_log_tags', `
-allow $1 runtime_event_log_tags_file:file r_file_perms;
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
-# use_keystore(domain)
-# Ability to use keystore.
-# Keystore is requires the following permissions
-# to call getpidcon.
-define(`use_keystore', `
- allow keystore $1:dir search;
- allow keystore $1:file { read open };
- allow keystore $1:process getattr;
- allow $1 keystore_service:service_manager find;
- binder_call($1, keystore)
-')
-
-###########################################
-# use_drmservice(domain)
-# Ability to use DrmService which requires
-# DrmService to call getpidcon.
-define(`use_drmservice', `
- allow drmserver $1:dir search;
- allow drmserver $1:file { read open };
- allow drmserver $1:process getattr;
-')
-
-###########################################
-# add_service(domain, service)
-# Ability for domain to add a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_service', `
- allow $1 $2:service_manager { add find };
- neverallow { domain -$1 } $2:service_manager add;
- neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
-')
-
-###########################################
-# add_hwservice(domain, service)
-# Ability for domain to add a service to hwservice_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_hwservice', `
- allow $1 $2:hwservice_manager { add find };
- allow $1 hidl_base_hwservice:hwservice_manager add;
- neverallow { domain -$1 } $2:hwservice_manager add;
- neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
-')
-
-##########################################
-# print a message with a trailing newline
-# print(`args')
-define(`print', `errprint(`m4: '__file__: __line__`: $*
-')')
diff --git a/prebuilts/api/26.0/public/tee.te b/prebuilts/api/26.0/public/tee.te
deleted file mode 100644
index f023d5c239350e9fea693a0057f497a7b7f502ee..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/tee.te
+++ /dev/null
@@ -1,7 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain;
-
-# Device(s) for communicating with the TEE
-type tee_device, dev_type;
diff --git a/prebuilts/api/26.0/public/tombstoned.te b/prebuilts/api/26.0/public/tombstoned.te
deleted file mode 100644
index 37243bb6661071f14915d9d47475399b232f5bc0..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/tombstoned.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# debugger interface
-type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, exec_type, file_type;
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
-
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
diff --git a/prebuilts/api/26.0/public/toolbox.te b/prebuilts/api/26.0/public/toolbox.te
deleted file mode 100644
index 59c3a9c73cfe2686245515d7baa91576fe9a3c54..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/toolbox.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
-# Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain;
-type toolbox_exec, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/prebuilts/api/26.0/public/tzdatacheck.te b/prebuilts/api/26.0/public/tzdatacheck.te
deleted file mode 100644
index 93ae1652973296cd7eaa49da7f2c1755a3b8baec..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/tzdatacheck.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/prebuilts/api/26.0/public/ueventd.te b/prebuilts/api/26.0/public/ueventd.te
deleted file mode 100644
index 4c77e11ea3868efa7eb1235974966ca851fd8d69..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/ueventd.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain;
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, sysfs_type)
-r_dir_file(ueventd, rootfs)
-allow ueventd sysfs:file w_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
-allow ueventd sysfs_hwrandom:file w_file_perms;
-allow ueventd sysfs_zram_uevent:file w_file_perms;
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, vendor_file)
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-#####
-##### neverallow rules
-#####
-
-# ueventd must never set properties, otherwise deadlocks may occur.
-# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
-# No writing to the property socket, connecting to init, or setting properties.
-neverallow ueventd property_socket:sock_file write;
-neverallow ueventd init:unix_stream_socket connectto;
-neverallow ueventd property_type:property_service set;
-
-# Restrict ueventd access on block devices to maintenence operations.
-neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
diff --git a/prebuilts/api/26.0/public/uncrypt.te b/prebuilts/api/26.0/public/uncrypt.te
deleted file mode 100644
index 7ae7d396e4262f1db11f947dab49cfcbeace53b2..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/uncrypt.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# uncrypt
-type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, exec_type, file_type;
-
-allow uncrypt self:capability dac_override;
-
-# Read OTA zip file from /data/data/com.google.android.gsf/app_download
-r_dir_file(uncrypt, app_data_file)
-
-userdebug_or_eng(`
- # For debugging, allow /data/local/tmp access
- r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-
-# Read OTA zip file at /data/ota_package/.
-allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
-
-# Write to /dev/socket/uncrypt
-unix_socket_connect(uncrypt, uncrypt, uncrypt)
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
-
-# Raw writes to block device
-allow uncrypt self:capability sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
diff --git a/prebuilts/api/26.0/public/untrusted_app.te b/prebuilts/api/26.0/public/untrusted_app.te
deleted file mode 100644
index 6f29396c3fd53ab3985775ed2a750e5a6ffdd162..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/untrusted_app.te
+++ /dev/null
@@ -1,19 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-type untrusted_app, domain;
diff --git a/prebuilts/api/26.0/public/untrusted_app_25.te b/prebuilts/api/26.0/public/untrusted_app_25.te
deleted file mode 100644
index 4ca6e313447a9cd5c01253bd124cd5062fbeab44..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/untrusted_app_25.te
+++ /dev/null
@@ -1,20 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-type untrusted_app_25, domain;
-
diff --git a/prebuilts/api/26.0/public/untrusted_v2_app.te b/prebuilts/api/26.0/public/untrusted_v2_app.te
deleted file mode 100644
index ac82f15310e4a832a332ac98129937301184469b..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/untrusted_v2_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-type untrusted_v2_app, domain;
diff --git a/prebuilts/api/26.0/public/update_engine.te b/prebuilts/api/26.0/public/update_engine.te
deleted file mode 100644
index b8f0035bdb33d89712930cd04cd9e57196876c73..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/update_engine.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# Domain for update_engine daemon.
-type update_engine, domain, update_engine_common;
-type update_engine_exec, exec_type, file_type;
-
-net_domain(update_engine);
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
-# sockets.
-allow update_engine qtaguid_proc:file rw_file_perms;
-allow update_engine qtaguid_device:chr_file r_file_perms;
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
-allow update_engine kmsg_device:chr_file w_file_perms;
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir { create_dir_perms };
-allow update_engine update_engine_data_file:file { create_file_perms };
-
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-add_service(update_engine, update_engine_service)
-
-# Allow update_engine to call the callback function provided by priv_app.
-binder_call(update_engine, priv_app)
-
-# Read OTA zip file at /data/ota_package/.
-allow update_engine ota_package_file:file r_file_perms;
-allow update_engine ota_package_file:dir r_dir_perms;
-
-# Use Boot Control HAL
-hal_client_domain(update_engine, hal_bootctl)
diff --git a/prebuilts/api/26.0/public/update_engine_common.te b/prebuilts/api/26.0/public/update_engine_common.te
deleted file mode 100644
index 8e454cc0e49a980b7a08e774a9e6366e5a1a006f..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/update_engine_common.te
+++ /dev/null
@@ -1,42 +0,0 @@
-# update_engine payload application permissions. These are shared between the
-# background daemon and the recovery tool to sideload an update.
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine_common block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine_common boot_block_device:blk_file rw_file_perms;
-allow update_engine_common system_block_device:blk_file rw_file_perms;
-
-# Allow to set recovery options in the BCB. Used to trigger factory reset when
-# the update to an older version (channel change) or incompatible version
-# requires it.
-allow update_engine_common misc_block_device:blk_file rw_file_perms;
-
-# Allow update_engine_common to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir mounton;
-allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
-
-# Allow update_engine_common to read and execute postinstall_file.
-allow update_engine_common postinstall_file:file rx_file_perms;
-allow update_engine_common postinstall_file:lnk_file r_file_perms;
-allow update_engine_common postinstall_file:dir r_dir_perms;
-
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine_common shell_exec:file rx_file_perms;
-
-# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
diff --git a/prebuilts/api/26.0/public/update_verifier.te b/prebuilts/api/26.0/public/update_verifier.te
deleted file mode 100644
index 4d4e1f9ec025e281ffac902c7d9a672215459551..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/update_verifier.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# update_verifier
-type update_verifier, domain;
-type update_verifier_exec, exec_type, file_type;
-
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read all blocks in dm wrapped system partition.
-allow update_verifier dm_device:blk_file r_file_perms;
-
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Use Boot Control HAL
-hal_client_domain(update_verifier, hal_bootctl)
diff --git a/prebuilts/api/26.0/public/vdc.te b/prebuilts/api/26.0/public/vdc.te
deleted file mode 100644
index 53d7bbe2cf7a099955b962e6a4d1728eee87418d..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/vdc.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
-#
-# We also transition into this domain from dumpstate, when
-# collecting bug reports.
-
-type vdc, domain;
-type vdc_exec, exec_type, file_type;
-
-unix_socket_connect(vdc, vold, vold)
-
-# vdc sends information back to dumpstate when "adb bugreport" is used
-allow vdc dumpstate:fd use;
-allow vdc dumpstate:unix_stream_socket { read write getattr };
-
-# vdc information is written to shell owned bugreport files
-allow vdc shell_data_file:file { write getattr };
-
-# Why?
-allow vdc dumpstate:unix_dgram_socket { read write };
-
-# vdc can be invoked with logwrapper, so let it write to pty
-allow vdc devpts:chr_file rw_file_perms;
-
-# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/26.0/public/vendor_shell.te b/prebuilts/api/26.0/public/vendor_shell.te
deleted file mode 100644
index b33054290f7091e36066ed3e415d6249a723919e..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/vendor_shell.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
-type vendor_shell_exec, exec_type, vendor_file_type, file_type;
diff --git a/prebuilts/api/26.0/public/vendor_toolbox.te b/prebuilts/api/26.0/public/vendor_toolbox.te
deleted file mode 100644
index eb292cafb3645847e5f04afe78f198c9eb019e11..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/vendor_toolbox.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# Toolbox installation for vendor binaries / scripts
-# Non-vendor processes are not allowed to execute the binary
-# and is always executed without transition.
-type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
-
-# Do not allow domains to transition to vendor toolbox
-# or read, execute the vendor_toolbox file.
-full_treble_only(`
- # Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
- neverallow {
- coredomain
- -init
- -modprobe
- } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
-')
diff --git a/prebuilts/api/26.0/public/virtual_touchpad.te b/prebuilts/api/26.0/public/virtual_touchpad.te
deleted file mode 100644
index c2800e3efecb9c580863aa8d59fcd68745ae5a52..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/virtual_touchpad.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type virtual_touchpad, domain;
-type virtual_touchpad_exec, exec_type, file_type;
-
-binder_use(virtual_touchpad)
-binder_service(virtual_touchpad)
-add_service(virtual_touchpad, virtual_touchpad_service)
-
-# Needed to check app permissions.
-binder_call(virtual_touchpad, system_server)
-
-# Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/26.0/public/vndservice.te b/prebuilts/api/26.0/public/vndservice.te
deleted file mode 100644
index 0d309bf71510428f71fe0f336d1ff3f023418dd4..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/26.0/public/vndservicemanager.te b/prebuilts/api/26.0/public/vndservicemanager.te
deleted file mode 100644
index 6b9f73dc00b51adcf9a2f31713e285c009490a78..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/vndservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager, domain;
diff --git a/prebuilts/api/26.0/public/vold.te b/prebuilts/api/26.0/public/vold.te
deleted file mode 100644
index 81ee28c479dbb49039cbd22d58bc2289898ebe52..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/vold.te
+++ /dev/null
@@ -1,187 +0,0 @@
-# volume manager
-type vold, domain;
-type vold_exec, exec_type, file_type;
-
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc)
-r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs_type)
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
-allow vold sysfs_usb:file w_file_perms;
-allow vold sysfs_zram_uevent:file w_file_perms;
-
-r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
-
-#Get file contexts
-allow vold file_contexts_file:file r_file_perms;
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For sgdisk launched through popen()
-allow vold shell_exec:file rx_file_perms;
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-not_full_treble(`allow vold vendor_file:file x_file_perms;')
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir create_dir_perms;
-allow vold mnt_user_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow vold app_data_file:dir search;
-allow vold app_data_file:file rw_file_perms;
-allow vold loop_control_device:chr_file rw_file_perms;
-allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# Property Service
-set_prop(vold, vold_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Handle wake locks (used for device encryption)
-wakelock_use(vold)
-
-# talk to batteryservice
-binder_use(vold)
-binder_call(vold, healthd)
-
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-
-# MoveTask.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
-
-# Raw writes to misc block device
-allow vold misc_block_device:blk_file w_file_perms;
-
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold fsck_exec:file execute_no_trans;
diff --git a/prebuilts/api/26.0/public/vr_hwc.te b/prebuilts/api/26.0/public/vr_hwc.te
deleted file mode 100644
index c05dd638ad10c26854a72ef393626a213f1be641..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/vr_hwc.te
+++ /dev/null
@@ -1,31 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
diff --git a/prebuilts/api/26.0/public/watchdogd.te b/prebuilts/api/26.0/public/watchdogd.te
deleted file mode 100644
index 00292a9a9914311711ad4ab7e785a89134659b20..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/watchdogd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/26.0/public/webview_zygote.te b/prebuilts/api/26.0/public/webview_zygote.te
deleted file mode 100644
index 5d19b32265cc75ed30d13950779b6d80ba7a1e5c..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/webview_zygote.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-type webview_zygote, domain;
-type webview_zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/26.0/public/wificond.te b/prebuilts/api/26.0/public/wificond.te
deleted file mode 100644
index c91053e72a9c8e17bbb01b1adb8bf217660037aa..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/wificond.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# wificond
-type wificond, domain;
-type wificond_exec, exec_type, file_type;
-
-binder_use(wificond)
-binder_call(wificond, system_server)
-
-add_service(wificond, wificond_service)
-
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
-# create sockets to set interfaces up and down
-allow wificond self:udp_socket create_socket_perms;
-# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
-allow wificond self:capability { net_admin net_raw };
-# allow wificond to speak to nl80211 in the kernel
-allow wificond self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-r_dir_file(wificond, proc_net)
-
-# wificond writes out configuration files for wpa_supplicant/hostapd.
-# wificond also reads pid files out of this directory
-allow wificond wifi_data_file:dir rw_dir_perms;
-allow wificond wifi_data_file:file create_file_perms;
-
-# allow wificond to check permission for dumping logs
-allow wificond permission_service:service_manager find;
-
-# dumpstate support
-allow wificond dumpstate:fd use;
-allow wificond dumpstate:fifo_file write;
diff --git a/prebuilts/api/26.0/public/zygote.te b/prebuilts/api/26.0/public/zygote.te
deleted file mode 100644
index 83c42efb0ea9b0d1b7c4f5302433bfc639dde204..0000000000000000000000000000000000000000
--- a/prebuilts/api/26.0/public/zygote.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# zygote
-type zygote, domain;
-type zygote_exec, exec_type, file_type;