SELinux Treble
SELinux Treble
Overview 3
Design goals 3
About SELinux 5
SELinux files 8
SELinux initialization 8
File contexts 9
Property contexts 9
02/13/2018 1
02/13/2018 2
© 2017 Google, Inc. All Rights Reserved. No express or implied warranties are provided for herein. All specifications are subject to
change and any expected future products, features or functionality will be provided on an if and when available basis.
Overview
This document describes SELinux changes and customizations designed to support
modularity and updatability of SELinux policy in Android 8.0. The goal of these changes is
to enable System on Chip (SoC) vendors and Original Device Manufacturer (ODM) partners
to customize SELinux settings in an isolated manner without cross-partition modifications.
Design goals
The SELinux policy build flow for Android 4.4 through Android 7.0 merged all sepolicy
fragments (platform and non-platform) then generated monolithic files in the root
directory. However, this flow contradicts the primary goal of Android 8.0 architecture,
which is to allow partners to update their parts of the policy, build their images
(vendor.img, boot.img, etc), then update those images independent of the platform or
vice versa (i.e., perform a platform update without updating partner images).
● Policy Modularization. In Android 4.4 through Android 7.0, most SELinux files resided
in r
ootfs, thus SoC vendors and the ODM partners modified boot.img (for non-A/B
devices) or system.img (for A/B devices) every time policy was modified. The Android
8.0 model provides a method for vendors and partners to change only their partitions
when they need to modify their portions of the SELinux policy.
02/13/2018 3
Figure 1. Android partitions.
02/13/2018 4
Prior to Android 8.0, the vendor, odm, and oem images were optional; files belonging to
these images were placed in boot.img or s ystem.img with symlinks (such as / vendor >
/system/vendor) when absent. Android 8.0 makes the vendor partition mandatory.
The goal is to modularize Android partitions and make them interchangeable by defining a
core, standard interface between the Android Platform (on s ystem.img) and
vendor-provided code. This standard interface enables the Android Platform to be updated
without affecting the SoC and ODM partitions. For example, it should be possible to
upgrade a device system.img from Android 8.0 to Android P while other images (such as
vendor.img, odm.img, etc.) remain at Android 8.0. This modularity enables timely
Android platform upgrades (such as monthly security updates) without requiring SoC/ODM
partners to update SoC- and device-specific code.
About SELinux
SELinux is a labeling system that controls the permissions (read/write, etc.) a subject
context has over a target object such as directory/device/file/process/socket/.
(For an analogy, refer to Y
our visual how-to guide for SELinux policy enforcement.)
Each process and object has an associated label, which is also called a c
ontext. Contexts
are comprised of a user, a role, a type and an multi-level-security (MLS) portion:
● The label of an o
bject is usually decided by the corresponding security-contexts files.
SELinux policy also contains the rules that state how each domain may access each object.
In Android 4.4 → Android 7.0, SELinux policy files (sepolicy, file_contexts.bin,
property_contexts etc) are included the rootfs image as follows:
/
.
.
├── file_contexts.bin (file_contexts pre-N)
├── property_contexts
├── seapp_contexts
├── sepolicy
├── service_contexts
.
These files contain SELinux policy rules and labels from all development participants,
including ODM, SoC, and AOSP. In Android 8.0, these files are modular.
02/13/2018 5
● external/selinux: External SELinux project, used to build HOST command line utilities to
compile SELinux policy and labels.
○ external/selinux/libsepol:
■ chkcon: Determine if a security context is valid for a given binary policy (host
executable).
For example, a SoC vendor and an ODM might each add a directory, one for the
SoC-specific settings and another for device-specific settings, to generate the final SELinux
configurations for a given device:
● BOARD_SEPOLICY_DIRS += device/$SoC/common/sepolicy
● BOARD_SEPOLICY_DIRS += device/$SoC/$DEVICE/sepolicy
The content of f
ile_contexts files in s
ystem/sepolicy and BOARD_SEPOLICY_DIRS
are concatenated to generate the f
ile_contexts.bin on the device:
02/13/2018 6
● For each file (e.g., security_classes), its content is the concatenation of the files
with the same name under s ystem/sepolicy/ and BOARDS_SEPOLICY_DIRS.
● The policy.conf is sent to SELinux compiler for syntax checking and compiled into
binary format as sepolicy on the device.
02/13/2018 7
SELinux files
Android devices typically contain the following SELinux-related files:
● selinux_version
● file_contexts
● property_contexts
● seapp_contexts
● service_contexts
● system/etc/mac_permissions.xml
SELinux initialization
When the system boots up, SELinux is in permissive mode (and not in e nforcing mode). The
init process performs the following tasks:
To shorten the boot time, perform the re-exec() on the init process as soon as possible.
As modularized SELinux policy files are stored on partner partitions (e.g. /vendor), the init
process must mount the system and vendor partitions earlier so it can read SELinux files
02/13/2018 8
from those partitions and merge them with core SELinux files in the system directory
(before loading them into the kernel). For details, refer to the c hange that mounts these
partitions earlier.
File contexts
Android 8.0 introduces the following changes for f
ile_contexts:
○ Plat_file_contexts
○ Nonplat_file_contexts
■ Device-specific f
ile_context built by combining file_contexts found in
the directories pointed to by B
OARD_SEPOLICY_DIRS in the device’s
Boardconfig.mk files.
Property contexts
In Android 8.0, the p
roperty_contexts is split between two files:
● plat_property_contexts
02/13/2018 9
● nonplat_property_contexts
Service contexts
In Android 8.0, the s
ervice_contexts is split between the following files:
● plat_service_contexts
○ Android platform-specific s
ervice_context for the servicemanager. The
service_context has no device-specific labels.
● nonplat_service_contexts
○ Although servicemanager looks for this file at boot time, for a fully compliant
TREBLE device, the n
onplat_service_contexts MUST not exist. This is because
all interaction between v endor and system processes MUST go through
hwservicemanager/h wbinder.
● plat_hwservice_contexts
● nonplat_hwservice_contexts
02/13/2018 10
● vndservice_contexts
Seapp contexts
In Android 8.0, the s
eapp_contexts is split between two files:
● plat_seapp_contexts
● nonplat_seapp_contexts
MAC permissions
In Android 8.0, the m
ac_permissions.xml is split between two files:
● Platform m
ac_permissions.xml
02/13/2018 11
● Non-Platform m
ac_permissions.xml
● Processes that need access t o the unsuccessfully applied label will lose access to the
resource.
● Processes that gain access to the file may break because the wrong device node was
created.
System properties also have potential for naming collisions that could result in undefined
behavior on the system (as well as for SELinux labeling). Collisions between platform and
vendor labels can occur for any object that has an SELinux label, including properties,
services, processes, files, and sockets. To avoid these issues, clearly define ownership of
these objects.
Type/attribute namespacing
SELinux does not allow multiple declarations of the same type/attribute. Policy with
duplicate declarations will fail to compilation. To avoid type and attribute name collisions,
all non-platform declarations should be namespace starting with np_.
foo.xxx → vendor.foo.xxx
02/13/2018 12
ro.foo.xxx → ro.vendor.foo.xxx
persist.foo.xxx → persist.vendor.foo.xxx
This naming convention is r ecommended in Android 8.0 and will be enforced in Android P.
File ownership
Preventing collisions for files is challenging because platform and vendor policy both
commonly provide labels for all filesystems. Unlike type naming, namespacing of files is not
practical since many of them are created by the kernel. Instead, we need to enumerate
over the different filesystems and provide rules as to where the platform and vendor policy
may provide labels. For Android 8.0, these are recommendations without technical
enforcement. In the future, these recommendations will be enforced by the Vendor Test
Suite (VTS).
System (/system)
Only the system image must provide labels for /system components through
file_contexts, service_contexts etc. If labels for /system components are added in
/vendor policy, a framework-only OTA update may not be possible.
Vendor (/vendor)
The AOSP SELinux policy already labels parts of v endor partition the platform interacts
with, which enables writing SELinux rules for platform processes to be able to talk and/or
access parts of v
endor partition. Examples:
● vendor_file must be the default label in for all files in vendor partition. The
platform policy requires this to access passthrough HAL implementations.
● All new e
xec_types added in v
endor partition through vendor SEPolicy must have
02/13/2018 13
● To avoid conflicts with future platform/framework updates, avoid labelling files other
than e
xec_types in vendor partition.
● All library dependencies for AOSP-identified same process HALs must be labelled as
same_process_hal_file.
Procfs (/proc)
Files in /proc may be labeled using only the g
enfscon label. In Android 7.0, both the
platform and vendor policy used genfscon to label files in procfs.
Debugfs (/sys/kernel/debug)
Debugfs can be labeled in both file_contexts and genfscon. In Android 7.0, both
platform and vendor label d
ebugfs.
Tracefs (/sys/kernel/debug/tracing)
Tracefs can be labeled in both file_contexts and genfscon. In Android 7.0, only the
platform labels tracefs.
Sysfs (/sys)
Files in /sys may be labeled using both file_contexts and genfscon. In Android 7.0,
both platform and vendor use file_contexts and genfscon to label files in sysfs.
Recommendation: The platform may label only the select files listed below:
/sys/class/leds/
/sys/devices/system/cpu(/.*)?
u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/virtual/block/zram\d+(/.*)?
u:object_r:sysfs_zram:s0
/sys/devices/virtual/block/zram\d+/uevent
u:object_r:sysfs_zram_uevent:s0
02/13/2018 14
/sys/devices/virtual/misc/hw_random(/.*)?
u:object_r:sysfs_hwrandom:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
/sys/module/lowmemorykiller(/.*)? --
u:object_r:sysfs_lowmemorykiller:s0
/sys/devices/virtual/timed_output/vibrator/enable
u:object_r:sysfs_vibrator:s0
tmpfs (/dev)
Files in /dev may be labeled in file_contexts. In Android 7.0, both platform and vendor
label files here.
Rootfs (/)
Files in / may be labeled in file_contexts. In Android 7.0, both platform and vendor
label files here.
Data (/data)
Data is labeled through a combination of f
ile_contexts and seapp_contexts.
02/13/2018 15
The platform public sepolicy includes everything defined under s ystem/sepolicy/public. The
platform can assume the types and attributes defined under public policy are stable APIs
for a given platform version. This forms the part of the sepolicy that is exported by
platform on which non-platform (i.e. device) policy developers may write additional
device-specific policy.
Types are versioned according to the version of the policy that non-platform files are
written against, defined by the PLATFORM_SEPOLICY_VERSION build variable. The
versioned public policy is then included with the non-platform policy and (in its original
form) in the platform policy. Thus, the final policy includes the private platform policy, the
current platform’s public sepolicy, the device-specific policy, and the versioned public policy
corresponding to the platform version against which the device policy was written.
Location Contains
02/13/2018 16
The build system takes this policy and produces platform and non-platform policy
components on the system partition and vendor partition, respectively. Steps include:
2. Versioning the policy provided by public as part of the vendor policy. Done by using the
produced public CIL policy to inform the combined public + vendor +
BOARD_SEPOLICY_DIRS policy as to which parts must be turned into attributes that will
be linked to the platform policy.
3. Creating a mapping file linking the platform and non-platform parts. Initially, this just
links the types from the public policy with the corresponding attributes in the vendor
policy; later it will also provide the basis for the file maintained in future platform
versions, enabling compatibility with vendor policy targeting this platform version.
Policy compatibility
This section describes the design for handling the policy compatibility issues with platform
OTAs, where new platform SELinux settings may differ from old vendor SELinux settings.
The design considers a binary distinction between platform and non-platform; the scheme
becomes more complicated if non-platform partitions generate dependencies, such as
platform < v
endor < o
em. While the Android 8.0 model handles separation between the
SoC (vendor) and the ODM (odm) partitions, the working model for SE policy is that the SoC
and ODM policy is a single piece.
Goals Assumptions
● Align with and enable Android 8.0 ● Vendor update may never go up a version
architecture goals. before the platform, i.e. the platform
02/13/2018 17
● Ensure vendor code continues to version is the same or newer than that on
work after platform update. vendor.
● Ability to deprecate/change policy. ● A set window of versions must be
● No required knowledge of specific supported.
version changes for policy
development. ● Vendor policy version is made available to
determine the platform policy to be
● Enable and encourage vendor delivered; this is similar to determining
policy customization and Vendor Native Development Kit (VNDK)
specification. compatibility and needs.
SELinux global policy is divided into private and public components based on the Android
8.0 model. Public components consist of the policy and associated infrastructure, which are
guaranteed to be available for a platform version. This policy will be exposed to vendor
policy writers to enable vendors to build a vendor policy file, which when combined with
the platform-provided policy, results in a fully-functional policy for a device.
● For ease of policy writing, exported types will be transformed into v ersioned attributes
as part of the policy build process. Public types may also be used directly in labeling
decisions provided by vendor contexts files.
Compatibility attributes
SELinux policy is an interaction between source and target types for specific object classes
and permissions. Every object (processes, files, etc.) affected by SELinux policy may have
only one type, but that type may have multiple attributes.
target_class permission(s);
allow source_type target_type:
This works because the policy was written with knowledge of all types. However, if the
vendor policy and platform policy use specific types, and the label of a specific object
changes in only one of those policies, the other may contain policy that gained or lost
02/13/2018 18
File_contexts:
/sys/A u:object_r:sysfs:s0
Platform: allow p_domain sysfs:class perm;
Vendor: allow v_domain sysfs:class perm;
File_contexts:
/sys/A u:object_r:sysfs_A:s0
Although the vendor policy would remain the same, the v_domain would lose access due
to the lack of policy for the new sysfs_A type.
By defining a policy in terms of attributes, we can give the underlying object a type that has
an attribute corresponding to policy for both the platform and vendor code. This can be
done for all types to effectively create an attribute-policy wherein concrete types are never
used. In practice, this is required only for the portions of policy that overlap between
platform and vendor, which are defined and provided as p latform public policy that gets
built as part of the vendor policy.
Defining public policy as versioned attributes satisfies two policy compatibility goals:
● Ensure Vendor code continues to work after platform update. Achieved by adding
attributes to concrete types for objects corresponding to those on which vendor code
relied, preserving access.
● Ability to deprecate policy. Achieved b y clearly delineating policy sets into attributes
that can be removed as soon as the version to which they correspond no longer is
supported. Development can continue in the platform, knowing the old policy is still
present in the vendor policy and will be automatically removed when/if it upgrades.
Policy writability
To meet the goal of not requiring knowledge of specific version changes for policy
development, Android 8.0 includes a mapping between platform-public policy types and
their attributes. We do this by mapping type f oo to attribute foo_vN, where N is the
version targeted. vN corresponds to the PLATFORM_SEPOLICY_VERSION build variable and
is of the form MM.nn, where MM corresponds to the platform SDK number and N N is a
platform sepolicy specific version.
Attributes in public policy are not versioned, but rather exist as an API on which platform
and vendor policy can build to keep the interface between the two partitions stable. Both
02/13/2018 19
platform and vendor policy writers can continue to write policy as it is written today.
As vendor policy is never ahead of the platform, it should not be concerned with prior
versions. However, platform policy will need to know how far back vendor policy is, include
attributes to its types, and set policy corresponding to versioned attributes.
Policy diffs
Automatically creating attributes by adding _
vN to the end of each type does nothing
without mapping of attributes to types across version diffs. We need to maintain a
mapping between versions for attributes and a mapping of types to those attributes. This is
done in the aforementioned mapping files with statements, such as (CIL):
Platform upgrades
The following section details scenarios for platform upgrades.
Same types
This scenario occurs when an object does not change labels in policy versions. This is the
same for source and target types and can be seen with / dev/binder, which is labeled
binder_device across all releases. It is represented in transformed policy as:
binder_device_v1 … binder_device_vN
02/13/2018 20
(typeattribute binder_device_v1)
(allow binder_device_v1 …)
(typeattribute binder_device_v2)
(allow binder_device_v2 …)
New types
This scenario occurs when the platform has added a new type, which can happen when
adding new features or during policy hardening.
● New feature. When the type is labeling an object that was previously non-existent
(such as a new service process), the vendor code did not previously interact with it
directly so no corresponding policy exists. The new attribute corresponding to the type
does not have an attribute in the previous version, and so would not need an entry in
the mapping file targeting that version.
● Policy hardening. When the type represents policy hardening, the new type attribute
must link back to a chain of attributes corresponding to the previous one (similar to
the previous example changing /sys/A from s ysfs to sysfs_A). Vendor code would
rely on a rule enabling access to s
ysfs, and would need to include it as an attribute of
the new type
02/13/2018 21
(typeattribute sysfs_v1)
(allow … sysfs_v1 …)
(typeattribute sysfs_A_v2)
(allow … sysfs_A_v2 …)
(typeattribute sysfs_v2)
(allow … sysfs_v2 …)
Removed types
This (rare) scenario occurs when a type is removed, which can happen when the underlying
object:
During policy loosening, a type is removed and the object labeled with that type is given a
different, already-existing label. This represents a merging of attribute mappings: The
vendor code must still be able to access the underlying object by the attribute it used to
posses, but the rest of the system must now be able to access it with its new attribute.
If the attribute to which it has been switched is new, then relabeling is the same as in the
new type case, except that when an existing label is used, the addition of the old attribute
new type would cause other objects also labeled with this type to be newly accessible. This
is essentially what is done by the platform, though, and is deemed to be an acceptable
tradeoff to maintain compatibility.
(typeattribute sysfs_v1)
(allow … sysfs_v1 …)
02/13/2018 22
(typeattribute sysfs_A_v1)
(allow … sysfs_A_v1 …)
(typeattribute sysfs_v1)
(allow … sysfs_v1 …)
(typeattribute sysfs_v2)
(allow … sysfs_v2 …)
(type foo) #needed in case vendors used the foo label on objects
(typeattributeset foo_v1 (foo))
02/13/2018 23
(typeattribute foo_v1)
(allow foo …)
(typeattribute sysfs_v1)
(allow sysfs_v1 …)
(typeattribute sysfs_v2)
(allow sysfs_v2 …)
New class/permissions
This scenario occurs when a platform upgrade introduces new policy components that do
not exist in previous versions. For example, when we added the servicemanager object
manager that created the add, find, and list permissions, vendor daemons wanting to
register with the servicemanager would have needed permissions that were not
available. In Android 8.0, only the platform policy may add new classes and permissions.
To allow all domains that could have been created or extended by vendor policy to use the
new class without obstruction, the platform policy needs to include a rule similar to:
This may even require policy allowing access for all interface (public policy) types, to be
sure vendor image gains access. If this results in unacceptable security policy (as it may
have with the servicemanager changes), a vendor upgrade could potentially be forced.
Removed class/permissions
This scenario occurs when an object manager is removed (such as the Z ygoteConnection
object manager) and should not cause issues. The object manager class and permissions
could remain defined in policy until the vendor version no longer uses it. This would be
done by adding the definitions to the corresponding mapping file.
02/13/2018 24
As vendor policy is always the oldest on the device, there is no need to automatically
convert all vendor types to attributes in policy. The platform does not rely on anything
labeled in vendor policy because the platform has no knowledge of it; however, the
platform will provide the attributes and public types it uses to interact with objects labeled
with these types (such as domain, s ysfs_type, etc.). For the platform to continue to
interact correctly with these objects, the attributes and types must be appropriately applied
and specific rules may need to be added to the customizable domains (such as i nit).
Platform-public policy
The platform-public policy is the heart of conforming to the Android 8.0 architecture model
without simply maintaining the union of platform policies from v1 and v2. Vendors will be
exposed to a subset of platform policy that contains useable types and attributes and rules
on those types and attributes which then becomes part of vendor policy (i.e.
nonplat_sepolicy.cil).
Types and rules will be automatically translated in the vendor-generated policy into
attribute_vN such that all platform-provided types are versioned attributes (however
attributes are not versioned). The platform is responsible for mapping the concrete types it
provides into the appropriate attributes to ensure that vendor policy continues to function
and that the rules provided for a particular version are included. The combination of
platform-public policy and vendor policy should satisfy the Android 8.0 architecture model
goal of allowing independent platform and vendor builds.
Maintaining a goal to hide version information from the policy writer means automatically
generating the versioned attributes and assigning them to the appropriate types. In the
common case of static types, this is straightforward: t
ype_foo_v2 maps to t
ype_foo_v1.
Version uprevs
For simplicity, we uprev the platform sepolicy version when a new release branch is cut. As
described above, the version number is contained in P LATFORM_SEPOLICY_VERSION and
02/13/2018 25
is of the form MM.nn, where MM corresponds to the SDK value and n n is a private value
maintained in /platform/system/sepolicy. For example, 1 9.0 for Kitkat, 21.0 for
Lollipop, 22.0 for Lollipop-MR1 23.0 for Marshmallow, 2
4.0 for Nougat, 25.0 for
Nougat-MR1, and 26.0 for O. An MR bump to O necessitating an incompatible change in
system/sepolicy/public but not an API bump could then result in releasing a new
version: 2 6.1. The version present in a development branch is a
never-to-be-used-in-shipping-devices 1 0000.0.
We may deprecate oldest version when upreving. For example, in Marshmallow, we may
support LMP-MR1 (v23), LMP (v22), and KK (19.0). When Nougat (25.0) is released, we
may drop KK (19.0). For input on when to deprecate a version X, we may collect the
number of devices with vendor policies running on X which can still receive major platform
update without vendor update. If the number is less than a certain threshold, then we
deprecate X.
This was confirmed to be an issue in Android, so c hanges were made to Android 8.0 to
remove attributes added to the policy by the policy compiler, as well as to remove unused
attributes. These changes resolved performance regressions.
Customizing SEPolicy
The split of SELinux policy and automatic versioning of public types allows policy writers to
write policy for their customizations to Android in the framework as well as the vendor
implementation. However, to not break the Design goals, the design has limitations and
imposes rules to be followed when customizing policy for an Android device.
This section provides guidelines for partner SELinux policy in Android 8.0, including details
on Android Open Source Project (AOSP) SEPolicy and SEPolicy extensions.
Policy placement
In Android 7.0, partners could add policy to BOARD_SEPOLICY_DIRS, including policy meant
to augment AOSP policy across different device types. In Android 8.0, adding a policy to
BOARD_SEPOLICY_DIRS places the policy only in the vendor image.
02/13/2018 26
vendor-image-only extensions
Example: Adding a new service to v
ndservicemanager from the vendor image that
supports processes from the vendor image.
02/13/2018 27
system-image-only extensions
Example: Adding a new service (registered with servicemanager) that is accessed only by
other processes from the system image.
Add this policy to s ystem/sepolicy/private. You can add extra processes or objects to
enable functionality in a partner system image, provided those new bits don’t need to
interact with new components on the vendor image (specifically, such processes or objects
must fully function without policy from the vendor image). The policy exported by
system/sepolicy/public is available here just as it is for vendor-image-only extensions.
This policy is part of the system image and could be updated in a framework-only OTA, but
will not be present when using the reference AOSP system image.
Policy for interaction between system and vendor must be included in the
device/XXX/YYY/sepolicy directory shipped on the vendor partition. This is similar to
the above scenario of adding vendor-image support to work with the reference AOSP
image, except the modified AOSP components may also require additional policy to
properly operate with the rest of the system partition (which is fine as long as they still
have the public AOSP type labels).
02/13/2018 28
Similar to the AOSP-extensions example, policy for interactions between system and
vendor must go in the device/XXX/YYY/sepolicy directory shipped on the vendor
partition (to ensure the system policy has no knowledge of vendor-specific details). You can
add new public types that extend the policy in system/sepolicy/public; this should be
done only in addition to the existing AOSP policy, i.e. do not remove AOSP public policy.
The new public types can then be used for policy in system/sepolicy/private and in
device/XXX/YYY/sepolicy.
02/13/2018 29
Similar to n
ew (non-AOSP) system and vendor components interaction, except the new
system type is introduced in a framework-only OTA. Although the new type could be added
to the policy in system/sepolicy/public, the existing vendor policy has no knowledge
of the new type as it is tracking only the Android 8.0 system public policy. AOSP handles
this by exposing vendor-provided resources via an attribute (e.g. h al_foo attribute) but as
attribute partner extensions are not supported in system/sepolicy/public, this
method is unavailable to vendor policy. Access must be provided by a previously-existing
public type.
Example: A change to a system process (AOSP or non-AOSP) must change how it interacts
with new, non-AOSP vendor component.
The policy on the system image must be written without knowledge of specific vendor
customizations. Policy concerning specific interfaces in AOSP is thus exposed via attributes
in system/sepolicy/public so that vendor policy can opt-in to future system policy which
uses these attributes. However, a ttribute extensions in system/sepolicy/public are
not supported, so all policy dictating how the system components interact with new
vendor components (and which is not handled by attributes already present in AOSP
system/sepolicy/public) must be in d evice/XXX/YYY/sepolicy. This means that
system types cannot change the access allowed to vendor types as part of a
framework-only OTA.
02/13/2018 30