goldfish: add sepolicies

This is copied from build/make/target/generic/sepolicy
and build/make/target/generic_x86/sepolicy

at the following cl:
commit cfbe8cf3bb1a302c8e41caed528c2d8ea6c70d4b
Merge: 0f494a025 0047dbed1
Author: Yi Kong <yikong@google.com>
Date:   Wed Jun 13 02:10:12 2018 +0000

    Merge "Fix CLANG_EXTERNAL_CFLAGS logic"

BUG: 110030159
Change-Id: I121a20c2e24f020921045463d5043b634ffbe7c2
diff --git a/sepolicy/common/OWNERS b/sepolicy/common/OWNERS
new file mode 100644
index 0000000..ff29677
--- /dev/null
+++ b/sepolicy/common/OWNERS
@@ -0,0 +1,8 @@
+alanstokes@google.com
+bowgotsai@google.com
+jbires@google.com
+jeffv@google.com
+jgalenson@google.com
+sspatil@google.com
+tomcherry@google.com
+trong@google.com
diff --git a/sepolicy/common/adbd.te b/sepolicy/common/adbd.te
new file mode 100644
index 0000000..9546c1a
--- /dev/null
+++ b/sepolicy/common/adbd.te
@@ -0,0 +1 @@
+set_prop(adbd, ctl_mdnsd_prop);
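Review bot: The trailing `;` after the `set_prop` macro is inconsistent with the macro calls written without one elsewhere in this series (e.g. `set_prop(bootanim, qemu_prop)` in bootanim.te), and the same mixed style recurs in dhcpclient.te, createns.te, goldfish_setup.te and hal_drm_widevine.te. The macros already expand to terminated rules, so the extra semicolon is presumably only an empty statement, but one consistent form makes grep-based audits of property access rules easier. I would write `set_prop(adbd, ctl_mdnsd_prop)` here and pick that form throughout.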
diff --git a/sepolicy/common/audioserver.te b/sepolicy/common/audioserver.te
new file mode 100644
index 0000000..c3c4a3a
--- /dev/null
+++ b/sepolicy/common/audioserver.te
@@ -0,0 +1 @@
+allow audioserver bootanim:binder call;
diff --git a/sepolicy/common/bootanim.te b/sepolicy/common/bootanim.te
new file mode 100644
index 0000000..bc84ee7
--- /dev/null
+++ b/sepolicy/common/bootanim.te
@@ -0,0 +1,9 @@
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit bootanim system_data_file:dir read;
+
+allow bootanim graphics_device:chr_file { read ioctl open };
+
+typeattribute bootanim system_writes_vendor_properties_violators;
+set_prop(bootanim, qemu_prop)
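Review bot: `allow bootanim self:process execmem;` and `allow bootanim ashmem_device:chr_file execute;` relax the platform's executable-memory restrictions for bootanim without any comment saying why; the identical pair is granted to surfaceflinger in surfaceflinger.te. execmem permits anonymous memory that is both writable and executable, which is exactly what the default policy is built to deny, so the reason (presumably the emulator's software GL path — confirm) should be recorded next to the rule so it is not copied into a hardware device tree. I would add above the first line `# Emulator-only: software GL rendering needs executable anonymous memory; tracked in <tracking bug>` with the bug filled in. `typeattribute bootanim system_writes_vendor_properties_violators;` likewise deserves a TODO naming the bug that tracks removing the violator attribute.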
diff --git a/sepolicy/common/cameraserver.te b/sepolicy/common/cameraserver.te
new file mode 100644
index 0000000..6cf5d6a
--- /dev/null
+++ b/sepolicy/common/cameraserver.te
@@ -0,0 +1,2 @@
+allow cameraserver system_file:dir { open read };
+allow cameraserver hal_allocator:fd use;
diff --git a/sepolicy/common/createns.te b/sepolicy/common/createns.te
new file mode 100644
index 0000000..1eaf9ef
--- /dev/null
+++ b/sepolicy/common/createns.te
@@ -0,0 +1,14 @@
+# Network namespace creation
+type createns, domain;
+type createns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(createns)
+
+allow createns self:capability { sys_admin net_raw setuid setgid };
+allow createns varrun_file:dir { add_name search write };
+allow createns varrun_file:file { create mounton open read write };
+
+#Allow createns itself to be run by init in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+allow createns goldfish_setup:fd use;
+
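Review bot: The comment `#Allow createns itself to be run by init in its own domain` does not match the rule below it, which transitions from `goldfish_setup`, not `init`; the same `domain_auto_trans(goldfish_setup, createns_exec, createns);` is also declared in goldfish_setup.te, so one copy is redundant. I would correct the comment to `# Allow goldfish_setup to run createns in its own domain` and keep the transition in only one of the two files. `sys_admin` in `allow createns self:capability { sys_admin net_raw setuid setgid };` is the capability that allows namespace creation and mounting, so a one-line comment naming the operations it is needed for (unshare/mount of the namespace file presumably — confirm) would let a later reviewer judge whether it can be narrowed.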
diff --git a/sepolicy/common/device.te b/sepolicy/common/device.te
new file mode 100644
index 0000000..d129441
--- /dev/null
+++ b/sepolicy/common/device.te
@@ -0,0 +1 @@
+type qemu_device, dev_type, mlstrustedobject;
diff --git a/sepolicy/common/dhcpclient.te b/sepolicy/common/dhcpclient.te
new file mode 100644
index 0000000..df71fca
--- /dev/null
+++ b/sepolicy/common/dhcpclient.te
@@ -0,0 +1,20 @@
+# DHCP client
+type dhcpclient, domain;
+type dhcpclient_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpclient)
+net_domain(dhcpclient)
+
+allow dhcpclient execns:fd use;
+
+set_prop(dhcpclient, net_eth0_prop);
+allow dhcpclient self:capability { net_admin net_raw };
+allow dhcpclient self:udp_socket create;
+allow dhcpclient self:netlink_route_socket { write nlmsg_write };
+allow dhcpclient varrun_file:dir search;
+allow dhcpclient self:packet_socket { create bind write read };
+allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
+                                              SIOCSIFADDR
+                                              SIOCSIFNETMASK
+                                              SIOCSIFMTU
+                                              SIOCGIFHWADDR };
diff --git a/sepolicy/common/dhcpserver.te b/sepolicy/common/dhcpserver.te
new file mode 100644
index 0000000..7e8ba26
--- /dev/null
+++ b/sepolicy/common/dhcpserver.te
@@ -0,0 +1,12 @@
+# DHCP server
+type dhcpserver, domain;
+type dhcpserver_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpserver)
+net_domain(dhcpserver)
+
+allow dhcpserver execns:fd use;
+
+get_prop(dhcpserver, net_eth0_prop);
+allow dhcpserver self:udp_socket { ioctl create setopt bind };
+allow dhcpserver self:capability { net_raw net_bind_service };
diff --git a/sepolicy/common/domain.te b/sepolicy/common/domain.te
new file mode 100644
index 0000000..3706dba
--- /dev/null
+++ b/sepolicy/common/domain.te
@@ -0,0 +1,3 @@
+allow domain qemu_device:chr_file rw_file_perms;
+
+get_prop(domain, qemu_prop)
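Review bot: `allow domain qemu_device:chr_file rw_file_perms;` grants every domain on the device, untrusted app domains included, read/write/ioctl access to the `/dev/goldfish_pipe`, `/dev/goldfish_sync` and `/dev/qemu_*` nodes labelled qemu_device in file_contexts, i.e. a direct channel to the host emulator from any process. If that is deliberate (the GL libraries labelled same_process_hal_file run inside every rendering process, which would explain it — confirm), the rule should say so and warn that it must never ship on hardware; if not, it should be scoped to the domains that actually open the pipe. I would add above it `# Every process reaches the host through the goldfish pipe (same-process GL libs). Emulator-only; do not copy to hardware policy.`.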
diff --git a/sepolicy/common/execns.te b/sepolicy/common/execns.te
new file mode 100644
index 0000000..dc6c424
--- /dev/null
+++ b/sepolicy/common/execns.te
@@ -0,0 +1,27 @@
+# Network namespace transitions
+type execns, domain;
+type execns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(execns)
+
+allow execns varrun_file:dir search;
+allow execns varrun_file:file r_file_perms;
+allow execns self:capability { sys_admin setuid setgid };
+allow execns nsfs:file { open read };
+
+#Allow execns itself to be run by init in its own domain
+domain_auto_trans(init, execns_exec, execns);
+
+# Allow dhcpclient to be run by execns in its own domain
+domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
+
+# Allow dhcpserver to be run by execns in its own domain
+domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
+
+# Allow hostapd_nohidl to be run by execns in its own domain
+domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
+
+# Allow execns to read createns proc file to get the namespace file
+allow execns createns:file read;
+allow execns createns:dir search;
+allow execns createns:lnk_file read;
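Review bot: The `domain_auto_trans(execns, ...)` rules for dhcpclient, dhcpserver and hostapd_nohidl are collected here, but the equivalent transition for ipv6proxy is declared in ipv6proxy.te as `domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);`, so anyone auditing what execns can spawn has to look in two places. I would either add `# Allow ipv6proxy to be run by execns in its own domain` plus that transition here, or move all four into the child domains' files, but not mix the two layouts. `domain_auto_trans(init, execns_exec, execns);` under `#Allow execns itself to be run by init in its own domain` also appears to duplicate what `init_daemon_domain(execns)` already provides, if I recall the macro correctly; if so the explicit line and its comment can go.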
diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
new file mode 100644
index 0000000..b0aa217
--- /dev/null
+++ b/sepolicy/common/file.te
@@ -0,0 +1,4 @@
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type varrun_file, file_type, data_file_type, mlstrustedobject;
+type mediadrm_vendor_data_file, file_type, data_file_type;
+type nsfs, fs_type;
diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts
new file mode 100644
index 0000000..7cd79fe
--- /dev/null
+++ b/sepolicy/common/file_contexts
@@ -0,0 +1,47 @@
+# goldfish
+/dev/block/mtdblock0         u:object_r:system_block_device:s0
+/dev/block/mtdblock1         u:object_r:userdata_block_device:s0
+/dev/block/mtdblock2         u:object_r:cache_block_device:s0
+
+# ranchu
+/dev/block/vda               u:object_r:system_block_device:s0
+/dev/block/vdb               u:object_r:cache_block_device:s0
+/dev/block/vdc               u:object_r:userdata_block_device:s0
+/dev/block/vdd               u:object_r:metadata_block_device:s0
+/dev/block/vde               u:object_r:system_block_device:s0
+
+/dev/goldfish_pipe           u:object_r:qemu_device:s0
+/dev/goldfish_sync           u:object_r:qemu_device:s0
+/dev/qemu_.*                 u:object_r:qemu_device:s0
+/dev/ttyGF[0-9]*             u:object_r:serial_device:s0
+/dev/ttyS2                   u:object_r:console_device:s0
+/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.wifi\.sh   u:object_r:goldfish_setup_exec:s0
+/vendor/bin/qemu-props       u:object_r:qemu_props_exec:s0
+/vendor/bin/createns         u:object_r:createns_exec:s0
+/vendor/bin/execns           u:object_r:execns_exec:s0
+/vendor/bin/ipv6proxy        u:object_r:ipv6proxy_exec:s0
+/vendor/bin/dhcpclient       u:object_r:dhcpclient_exec:s0
+/vendor/bin/dhcpserver       u:object_r:dhcpserver_exec:s0
+/vendor/bin/hostapd_nohidl   u:object_r:hostapd_nohidl_exec:s0
+
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine          u:object_r:hal_drm_widevine_exec:s0
+
+/vendor/lib(64)?/hw/gralloc\.ranchu\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.goldfish\.default\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_emulation\.so          u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_emulation\.so    u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_emulation\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_swiftshader\.so          u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so    u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_swiftshader\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenglSystemCommon\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_renderControl_enc\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_enc\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_enc\.so       u:object_r:same_process_hal_file:s0
+
+# data
+/data/vendor/mediadrm(/.*)?            u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/var/run(/.*)?             u:object_r:varrun_file:s0
+
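Review bot: `/dev/block/vda` and `/dev/block/vde` are both labelled `system_block_device` with no comment explaining why the ranchu board has two system block devices while vdb, vdc and vdd each get a distinct label; a reader cannot tell from the file whether vde is a second system image or a copy-paste slip. I would add a comment on the vde line stating what that disk holds (I cannot tell from the patch which it is). The file also ends with an empty added line, which most editors will flag as trailing whitespace.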
diff --git a/sepolicy/common/genfs_contexts b/sepolicy/common/genfs_contexts
new file mode 100644
index 0000000..1b81626
--- /dev/null
+++ b/sepolicy/common/genfs_contexts
@@ -0,0 +1,20 @@
+# On the emulator, device tree dir is configured to be
+# /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
+# /sys/devices/platform/ANDR0001:00/properties/android/
+genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
+
+# We expect /sys/class/power_supply/* and everything it links to to be labeled
+# as sysfs_batteryinfo.
+genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# /sys/class/rtc
+genfscon sysfs /devices/pnp0/00:00/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
+
+# /sys/class/net
+genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
+
+# /proc/<pid>/ns
+genfscon nsfs / u:object_r:nsfs:s0
diff --git a/sepolicy/common/goldfish_setup.te b/sepolicy/common/goldfish_setup.te
new file mode 100644
index 0000000..3041436
--- /dev/null
+++ b/sepolicy/common/goldfish_setup.te
@@ -0,0 +1,47 @@
+# goldfish-setup service: runs init.goldfish.sh script
+type goldfish_setup, domain;
+type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(goldfish_setup)
+
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(goldfish_setup, debug_prop);
+allow goldfish_setup self:capability { net_admin net_raw };
+allow goldfish_setup self:udp_socket { create ioctl };
+allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
+allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
+wakelock_use(goldfish_setup);
+allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
+
+# Set system properties to start services
+set_prop(goldfish_setup, ctl_default_prop);
+
+# Set up WiFi
+allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
+allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow goldfish_setup self:capability { sys_module sys_admin };
+allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
+allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
+allow goldfish_setup execns_exec:file rx_file_perms;
+allow goldfish_setup proc_net:file rw_file_perms;
+allow goldfish_setup proc:file r_file_perms;
+allow goldfish_setup nsfs:file r_file_perms;
+allow goldfish_setup system_data_file:dir getattr;
+allow goldfish_setup kernel:system module_request;
+set_prop(goldfish_setup, qemu_prop);
+get_prop(goldfish_setup, net_share_prop);
+# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
+allow goldfish_setup system_file:file execute_no_trans;
+# Allow goldfish_setup to run init.wifi.sh
+allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
+#Allow goldfish_setup to run createns in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+# iw
+allow goldfish_setup sysfs:file { read open };
+# iptables
+allow goldfish_setup system_file:file lock;
+allow goldfish_setup self:rawip_socket { create getopt setopt };
+# Allow goldfish_setup to read createns proc file to get the namespace file
+allow goldfish_setup createns:file { read };
+allow goldfish_setup createns:dir { search };
+allow goldfish_setup createns:lnk_file { read };
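Review bot: `allow goldfish_setup system_file:file execute_no_trans;` lets this sys_admin/sys_module-capable domain execute any binary labelled system_file in its own domain, while the comment above it names only `/system/bin/ip` and `/system/bin/iw`; the comment should state that the grant is wider than those two tools, or the tools should be given a dedicated label so the rule can be narrowed. The header `# goldfish-setup service: runs init.goldfish.sh script` is also out of date relative to file_contexts, which labels `init.ranchu-core.sh`, `init.ranchu-net.sh` and `init.wifi.sh` as goldfish_setup_exec; I would change it to `# goldfish-setup service: runs the init.ranchu-*.sh and init.wifi.sh scripts`. `domain_auto_trans(goldfish_setup, createns_exec, createns);` is declared again in createns.te and should live in only one file.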
diff --git a/sepolicy/common/hal_camera_default.te b/sepolicy/common/hal_camera_default.te
new file mode 100644
index 0000000..eb88c36
--- /dev/null
+++ b/sepolicy/common/hal_camera_default.te
@@ -0,0 +1,3 @@
+vndbinder_use(hal_camera_default);
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_composer)
diff --git a/sepolicy/common/hal_cas_default.te b/sepolicy/common/hal_cas_default.te
new file mode 100644
index 0000000..3ed3bee
--- /dev/null
+++ b/sepolicy/common/hal_cas_default.te
@@ -0,0 +1 @@
+vndbinder_use(hal_cas_default);
diff --git a/sepolicy/common/hal_drm_default.te b/sepolicy/common/hal_drm_default.te
new file mode 100644
index 0000000..5a07433
--- /dev/null
+++ b/sepolicy/common/hal_drm_default.te
@@ -0,0 +1,2 @@
+vndbinder_use(hal_drm_default);
+hal_client_domain(hal_drm_default, hal_graphics_composer)
diff --git a/sepolicy/common/hal_drm_widevine.te b/sepolicy/common/hal_drm_widevine.te
new file mode 100644
index 0000000..d49000d
--- /dev/null
+++ b/sepolicy/common/hal_drm_widevine.te
@@ -0,0 +1,14 @@
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine);
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
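Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written against the `hal_drm` attribute, so they widen every hal_drm server on the device, not just the widevine service this file defines; every other rule here is scoped to `hal_drm_widevine`. If only widevine needs to use app and mediacodec file descriptors, the subject should be `hal_drm_widevine`; if all DRM servers need it, the two rules belong in a file named for the attribute with a comment saying so. The semicolon after `hal_client_domain(hal_drm_widevine, hal_graphics_composer);` is also inconsistent with the same macro written without one in hal_drm_default.te.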
diff --git a/sepolicy/common/hal_fingerprint_default.te b/sepolicy/common/hal_fingerprint_default.te
new file mode 100644
index 0000000..e5b06f1
--- /dev/null
+++ b/sepolicy/common/hal_fingerprint_default.te
@@ -0,0 +1,5 @@
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
diff --git a/sepolicy/common/hal_gnss_default.te b/sepolicy/common/hal_gnss_default.te
new file mode 100644
index 0000000..0dd3d03
--- /dev/null
+++ b/sepolicy/common/hal_gnss_default.te
@@ -0,0 +1,3 @@
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
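Review bot: `allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };` hand-expands what hal_camera_default.te, hal_cas_default.te and hal_drm_default.te express with `vndbinder_use(...)`, and hal_graphics_composer_default.te repeats the same hand-expansion. Using the macro keeps vndbinder access identical across HALs and picks up whatever companion rules the macro carries (confirm against the platform te_macros). I would replace the line with `vndbinder_use(hal_gnss_default)`, do the same in hal_graphics_composer_default.te, and drop the `#============= hal_gnss_default ==============` banner, which reads as audit2allow output rather than a hand-written comment.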
diff --git a/sepolicy/common/hal_graphics_allocator_default.te b/sepolicy/common/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..0c8e27d
--- /dev/null
+++ b/sepolicy/common/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+allow hal_graphics_allocator_default graphics_device:dir search;
+allow hal_graphics_allocator_default graphics_device:chr_file { ioctl open read write };
diff --git a/sepolicy/common/hal_graphics_composer_default.te b/sepolicy/common/hal_graphics_composer_default.te
new file mode 100644
index 0000000..034bdef
--- /dev/null
+++ b/sepolicy/common/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/sepolicy/common/hal_wifi_default.te b/sepolicy/common/hal_wifi_default.te
new file mode 100644
index 0000000..de4b996
--- /dev/null
+++ b/sepolicy/common/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
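Review bot: `allow hal_wifi_default hal_wifi_default:netlink_route_socket ...` names the domain twice where every other socket rule in this series (dhcpclient.te, hostapd_nohidl.te, ipv6proxy.te) uses `self` as the target; the two forms are equivalent, but the repeated name reads as an unedited audit2allow paste. I would write `allow hal_wifi_default self:netlink_route_socket { create bind write read nlmsg_read };`.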
diff --git a/sepolicy/common/healthd.te b/sepolicy/common/healthd.te
new file mode 100644
index 0000000..ced6704
--- /dev/null
+++ b/sepolicy/common/healthd.te
@@ -0,0 +1,2 @@
+# Allow to read /sys/class/power_supply directory
+allow healthd sysfs:dir r_dir_perms;
diff --git a/sepolicy/common/hostapd_nohidl.te b/sepolicy/common/hostapd_nohidl.te
new file mode 100644
index 0000000..add648a
--- /dev/null
+++ b/sepolicy/common/hostapd_nohidl.te
@@ -0,0 +1,16 @@
+type hostapd_nohidl, domain;
+type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hostapd_nohidl)
+net_domain(hostapd_nohidl)
+
+allow hostapd_nohidl execns:fd use;
+
+allow hostapd_nohidl self:capability { net_admin net_raw };
+allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
+allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
+allow hostapd_nohidl self:packet_socket { create setopt };
+allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
+
+# hostapd will attempt to search sysfs but it's not needed and will spam the log
+dontaudit hostapd_nohidl sysfs_net:dir search;
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
new file mode 100644
index 0000000..84a4e8d
--- /dev/null
+++ b/sepolicy/common/init.te
@@ -0,0 +1,2 @@
+allow init tmpfs:lnk_file create_file_perms;
+dontaudit init kernel:system module_request;
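Review bot: `allow init tmpfs:lnk_file create_file_perms;` has no comment saying which symlink init needs to create on a tmpfs, so a later reviewer cannot tell whether the grant is still required or can be narrowed to a specific label. I would add a why-comment naming the symlink (the patch does not show which one it is). `dontaudit init kernel:system module_request;` should also carry the same bug reference that netd.te attaches to its module_request dontaudit, so all three suppressions (init, netd, vold) can be removed together.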
diff --git a/sepolicy/common/ipv6proxy.te b/sepolicy/common/ipv6proxy.te
new file mode 100644
index 0000000..22976fe
--- /dev/null
+++ b/sepolicy/common/ipv6proxy.te
@@ -0,0 +1,16 @@
+# IPv6 proxying
+type ipv6proxy, domain;
+type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ipv6proxy)
+net_domain(ipv6proxy)
+
+# Allow ipv6proxy to be run by execns in its own domain
+domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
+allow ipv6proxy execns:fd use;
+
+allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
+allow ipv6proxy self:packet_socket { bind create read };
+allow ipv6proxy self:netlink_route_socket nlmsg_write;
+allow ipv6proxy varrun_file:dir search;
+allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
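Review bot: `allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };` gives a packet-forwarding daemon sys_module and sys_admin with no comment; sys_module in particular allows loading kernel modules, far more than a proxy normally needs. If the capability is only there for the implicit module autoload on socket creation, the narrower `kernel:system module_request` permission (as granted to goldfish_setup) may be sufficient; otherwise the comment should say what it is for. I would add above the rule `# sys_admin: setns() into the created namespace (confirm); sys_module: <reason>` with the placeholder filled in.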
diff --git a/sepolicy/common/logpersist.te b/sepolicy/common/logpersist.te
new file mode 100644
index 0000000..3fc0250
--- /dev/null
+++ b/sepolicy/common/logpersist.te
@@ -0,0 +1,13 @@
+# goldfish logcat service:  runs logcat -Q in logpersist domain
+
+# See global logcat.te/logpersist.te, only set for eng & userdebug,
+# allow for all builds in a non-conflicting manner.
+
+domain_auto_trans(init, logcat_exec, logpersist)
+
+# Read from logd.
+unix_socket_connect(logpersist, logdr, logd)
+
+# Write to /dev/ttyS2 and /dev/ttyGF2.
+allow logpersist serial_device:chr_file { write open };
+get_prop(logpersist, qemu_cmdline)
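Review bot: The comment `# Write to /dev/ttyS2 and /dev/ttyGF2.` does not match file_contexts, where `/dev/ttyS2` is labelled console_device and only `/dev/ttyGF[0-9]*` is serial_device, so `allow logpersist serial_device:chr_file { write open };` covers ttyGF2 but not ttyS2. Either the comment should be narrowed to `# Write to /dev/ttyGF2 (serial_device).` or a console_device rule is missing; which one depends on the node logcat -Q actually opens, which the patch does not show.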
diff --git a/sepolicy/common/mediacodec.te b/sepolicy/common/mediacodec.te
new file mode 100644
index 0000000..acf4e59
--- /dev/null
+++ b/sepolicy/common/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec system_file:dir { open read };
diff --git a/sepolicy/common/netd.te b/sepolicy/common/netd.te
new file mode 100644
index 0000000..09a28b9
--- /dev/null
+++ b/sepolicy/common/netd.te
@@ -0,0 +1,3 @@
+dontaudit netd self:capability sys_module;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit netd kernel:system module_request;
diff --git a/sepolicy/common/priv_app.te b/sepolicy/common/priv_app.te
new file mode 100644
index 0000000..3d16f32
--- /dev/null
+++ b/sepolicy/common/priv_app.te
@@ -0,0 +1,5 @@
+#TODO: b/62908025
+dontaudit priv_app firstboot_prop:file { getattr open };
+dontaudit priv_app device:dir { open read };
+dontaudit priv_app proc_interrupts:file { getattr open read };
+dontaudit priv_app proc_modules:file { getattr open read };
diff --git a/sepolicy/common/property.te b/sepolicy/common/property.te
new file mode 100644
index 0000000..3593a39
--- /dev/null
+++ b/sepolicy/common/property.te
@@ -0,0 +1,5 @@
+type qemu_prop, property_type;
+type qemu_cmdline, property_type;
+type radio_noril_prop, property_type;
+type net_eth0_prop, property_type;
+type net_share_prop, property_type;
diff --git a/sepolicy/common/property_contexts b/sepolicy/common/property_contexts
new file mode 100644
index 0000000..f7a241c
--- /dev/null
+++ b/sepolicy/common/property_contexts
@@ -0,0 +1,8 @@
+qemu.                   u:object_r:qemu_prop:s0
+qemu.cmdline            u:object_r:qemu_cmdline:s0
+vendor.qemu		u:object_r:qemu_prop:s0
+ro.emu.                 u:object_r:qemu_prop:s0
+ro.emulator.            u:object_r:qemu_prop:s0
+ro.radio.noril          u:object_r:radio_noril_prop:s0
+net.eth0.               u:object_r:net_eth0_prop:s0
+net.shared_net_ip       u:object_r:net_share_prop:s0
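Review bot: `vendor.qemu		u:object_r:qemu_prop:s0` is the only entry without a trailing dot and the only one padded with tabs; every other prefix entry in the file is dotted and space-aligned. If the intent is to label the `vendor.qemu.*` namespace, it should read `vendor.qemu.            u:object_r:qemu_prop:s0` for consistency with `qemu.`; if a single property literally named `vendor.qemu` is meant, a comment saying so would stop the next reader from "fixing" it.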
diff --git a/sepolicy/common/qemu_props.te b/sepolicy/common/qemu_props.te
new file mode 100644
index 0000000..b3e2d95
--- /dev/null
+++ b/sepolicy/common/qemu_props.te
@@ -0,0 +1,10 @@
+# qemu-props service:  Sets system properties on boot.
+type qemu_props, domain;
+type qemu_props_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(qemu_props)
+
+set_prop(qemu_props, qemu_prop)
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(qemu_props, qemu_cmdline)
+set_prop(qemu_props, qemu_cmdline)
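Review bot: The commented-out `#set_prop(qemu_props, qemu_cmdline)` under `# TODO(b/79502552): Invalid property access from emulator vendor` is immediately followed by the live rule `set_prop(qemu_props, qemu_cmdline)`, so the file says the access is invalid while still granting it. Either the live rule should be removed (if the property write really is being retired) or the TODO and dead line should go and the rule get a comment explaining why qemu_props must set qemu.cmdline. goldfish_setup.te carries the same TODO with its rule genuinely disabled, which is the form I would expect here as well.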
diff --git a/sepolicy/common/radio.te b/sepolicy/common/radio.te
new file mode 100644
index 0000000..742d3b2
--- /dev/null
+++ b/sepolicy/common/radio.te
@@ -0,0 +1,3 @@
+# Allow the radio to read these properties, they only have an SELinux label in
+# the emulator.
+get_prop(radio, net_eth0_prop);
diff --git a/sepolicy/common/rild.te b/sepolicy/common/rild.te
new file mode 100644
index 0000000..ea18373
--- /dev/null
+++ b/sepolicy/common/rild.te
@@ -0,0 +1,3 @@
+# Allow rild to read these properties, they only have an SELinux label in the
+# emulator.
+get_prop(rild, net_eth0_prop);
diff --git a/sepolicy/common/shell.te b/sepolicy/common/shell.te
new file mode 100644
index 0000000..b246d7e
--- /dev/null
+++ b/sepolicy/common/shell.te
@@ -0,0 +1 @@
+allow shell serial_device:chr_file rw_file_perms;
diff --git a/sepolicy/common/surfaceflinger.te b/sepolicy/common/surfaceflinger.te
new file mode 100644
index 0000000..2bba8a7
--- /dev/null
+++ b/sepolicy/common/surfaceflinger.te
@@ -0,0 +1,5 @@
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
+
+typeattribute surfaceflinger system_writes_vendor_properties_violators;
+set_prop(surfaceflinger, qemu_prop)
diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te
new file mode 100644
index 0000000..dd70b12
--- /dev/null
+++ b/sepolicy/common/system_server.te
@@ -0,0 +1 @@
+get_prop(system_server, radio_noril_prop)
diff --git a/sepolicy/common/vendor_init.te b/sepolicy/common/vendor_init.te
new file mode 100644
index 0000000..b18d391
--- /dev/null
+++ b/sepolicy/common/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, qemu_prop)
diff --git a/sepolicy/common/vold.te b/sepolicy/common/vold.te
new file mode 100644
index 0000000..5f3bdd4
--- /dev/null
+++ b/sepolicy/common/vold.te
@@ -0,0 +1 @@
+dontaudit vold kernel:system module_request;
diff --git a/sepolicy/common/zygote.te b/sepolicy/common/zygote.te
new file mode 100644
index 0000000..da403b5
--- /dev/null
+++ b/sepolicy/common/zygote.te
@@ -0,0 +1,5 @@
+typeattribute zygote system_writes_vendor_properties_violators;
+set_prop(zygote, qemu_prop)
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
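Review bot: `dontaudit webview_zygote mnt_expand_file:dir getattr;` is a rule for the webview_zygote domain placed in zygote.te; the rest of this series follows the one-file-per-subject-domain convention, so it belongs in a webview_zygote.te where a `grep` for that domain will find it. `typeattribute zygote system_writes_vendor_properties_violators;`, like the same attribute on bootanim and surfaceflinger, should carry a TODO naming the bug that tracks removing the violator attribute.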