From 69f0507e294dac6c68f3e7cc61ef682c01c21c2b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 11 Apr 2023 11:30:57 +0800
Subject: [PATCH 01/17] Remove obsolete entries
Bug: 269218638
Bug: 269218638
Bug: 269370106
Bug: 268411073
Bug: 276385941
Bug: 276385941
Bug: 268147283
Bug: 269045042
Bug: 238263438
Bug: 238143262
Bug: 264483156
Bug: 264483673
Bug: 269045042
Bug: 270247432
Test: adb bugreport
Change-Id: I29268e10a370146b5d3405edfdec35645a3adc35
Merged-In: If99cfe07ec85c285d2acdc712d5120c7ee6f06d9
---
 tracking_denials/bug_map | 16 ----------------
 tracking_denials/dumpstate.te | 4 ----
 2 files changed, 20 deletions(-)
 delete mode 100644 tracking_denials/dumpstate.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 2c22c60c..1eb8c777 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,22 +1,6 @@
-dump_lsi radio_vendor_data_file file b/269218638
-dump_lsi vendor_slog_file file b/269218638
-dump_modem radio_vendor_data_file file b/269370106
-dump_pixel_metrics sysfs file b/268411073
-dump_ramdump radio_vendor_data_file file b/276385941
-dump_ramdump vendor_camera_data_file file b/276385941
-dump_sensors radio_vendor_data_file file b/277528855
-dump_sensors vendor_camera_data_file file b/277528855
-dump_stm sysfs_spi dir b/268147283
-dump_trusty radio_vendor_data_file file b/269045042
-dumpstate app_zygote process b/238263438
-dumpstate hal_input_processor_default process b/238143262
-dumpstate system_data_file dir b/264483156
-dumpstate system_data_file dir b/264483673
 hal_camera_default boot_status_prop file b/275002227
 hal_camera_default edgetpu_app_service service_manager b/275002227
 hal_drm_default default_prop file b/232714489
-hal_dumpstate_default dump_lsi process b/269045042
-hal_dumpstate_default dump_thermal process b/270247432
 hal_power_default hal_power_default capability b/240632824
 incidentd debugfs_wakeup_sources file b/238263568
 incidentd incidentd anon_inode b/268146971
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
deleted file mode 100644
index 7f51e2b5..00000000
--- a/tracking_denials/dumpstate.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/185723618
-dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/277155042
-dontaudit dumpstate default_android_service:service_manager { find };
From e10e3380327b78a8ce17e5887d40fdeaa7a4199d Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 13 Apr 2023 09:34:11 +0800
Subject: [PATCH 02/17] Update error on ROM 9930000
Bug: 277989397
Bug: 277155042
Bug: 277989067
Test: scanBugreport
Change-Id: I38a3f852e2f5f0f6895db15141825909361a267d
---
 tracking_denials/bug_map | 1 +
 tracking_denials/dumpstate.te | 4 ++++
 tracking_denials/hal_dumpstate_default.te | 2 ++
 3 files changed, 7 insertions(+)
 create mode 100644 tracking_denials/dumpstate.te
 create mode 100644 tracking_denials/hal_dumpstate_default.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 1eb8c777..ed8da81d 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,4 @@
+dump_stm sysfs_spi dir b/277989397
 hal_camera_default boot_status_prop file b/275002227
 hal_camera_default edgetpu_app_service service_manager b/275002227
 hal_drm_default default_prop file b/232714489
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..6025bd5d
--- /dev/null
+++ b/tracking_denials/dumpstate.te
@@ -0,0 +1,4 @@
+# b/277155042
+dontaudit dumpstate app_zygote:process { signal };
+dontaudit dumpstate default_android_service:service_manager { find };
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
new file mode 100644
index 00000000..dbcd88e9
--- /dev/null
+++ b/tracking_denials/hal_dumpstate_default.te
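Review bot: The three `dontaudit` rules in the recreated tracking_denials/dumpstate.te sit under one `# b/277155042` comment, although the file deleted by patch 01 of this series tracked the hal_power_stats_vendor_service rule under b/185723618 and this commit itself lists three Bug ids; with a single id for all three rules, two of the suppressions cannot be traced back to their bug when it is time to remove them. Put the tracking id directly above each rule, as the deleted file did, i.e. one `# b/<bug id>` line per `dontaudit`. These rules only mute the audit record, so the underlying denials (for example dumpstate signalling app_zygote) still fail, just silently.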
@@ -0,0 +1,2 @@
+# b/277989067
+dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
From 3055e06f0a3610c510dec974a6853ce3b0196aee Mon Sep 17 00:00:00 2001
From: martinwu
Date: Mon, 24 Apr 2023 16:26:22 +0000
Subject: [PATCH 03/17] [TSV2] Remove tcpdump sepolicy from gs101 and move sepolicy to gs-common
Bug: 264490014
Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there.
Change-Id: Iea67de1e645592c6993a3ee6f2ca8e6bf3c6c949
---
 whitechapel/vendor/google/file.te | 3 ---
 whitechapel/vendor/google/file_contexts | 1 -
 2 files changed, 4 deletions(-)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index bae11314..d8cce99a 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -92,9 +92,6 @@ type persist_modem_file, file_type, vendor_persist_type;
 type modem_img_file, contextmount_type, file_type, vendor_file_type;
 allow modem_img_file self:filesystem associate;
 
-# TCP logging
-type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-
 # Pca
 type sysfs_pca, sysfs_type, fs_type;
 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 232d332f..961d9c27 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -243,7 +243,6 @@
 # TCP logging
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
 
 # modem_svc_sit files
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
 
From 7c2e5a665a2b5692cc241752e7d02b9078fb0cdc Mon Sep 17 00:00:00 2001
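Review bot: `dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };` mutes the audit record for the dumpstate HAL running the vendor shell in its own domain, and nothing in the new file says whether the HAL is expected to stop doing that or whether an allow rule is planned. A short comment next to the bug id would make the intent clear, e.g. `# b/277989067: hal_dumpstate_default execs vendor shell; tracked, not allowed`. While this rule is in place there is no denial log for such an exec from that domain, so it is worth revisiting once the bug is resolved.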
From: Ted Wang
Date: Thu, 4 May 2023 13:53:09 +0000
Subject: [PATCH 04/17] Add sepolicy for aidl bt extension hal
Bug: 274906319
Bug: 282685427
Test: make sepolicy and manual test
Change-Id: I6aa9ebe87c743ceb09067a581f64f6cdc0b7d335
Merged-In: I6aa9ebe87c743ceb09067a581f64f6cdc0b7d335
---
 raven-sepolicy.mk | 2 ++
 raven/cccdk_timesync_app.te | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 raven-sepolicy.mk
 create mode 100644 raven/cccdk_timesync_app.te
diff --git a/raven-sepolicy.mk b/raven-sepolicy.mk
new file mode 100644
index 00000000..91d85cd4
--- /dev/null
+++ b/raven-sepolicy.mk
@@ -0,0 +1,2 @@
+# Ravne only sepolicy
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/raven
diff --git a/raven/cccdk_timesync_app.te b/raven/cccdk_timesync_app.te
new file mode 100644
index 00000000..1a4264db
--- /dev/null
+++ b/raven/cccdk_timesync_app.te
@@ -0,0 +1 @@
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find;
From 677d3faab4e290676addcfeccad8f199aa24bc8f Mon Sep 17 00:00:00 2001
From: Ted Wang
Date: Thu, 8 Jun 2023 13:46:00 +0000
Subject: [PATCH 05/17] Add bluetooth extension related sepolicy
Bug: 286371097
Test: make
Change-Id: Ic252f91c56672b270d24863c5ed617f0fc9cb4e7
Merged-In: Ic0dab76988ee80cae72091d6e8eb0e97c651e594
---
 oriole-sepolicy.mk | 2 ++
 oriole/grilservice_app.te | 2 ++
 raven/grilservice_app.te | 2 ++
 3 files changed, 6 insertions(+)
 create mode 100644 oriole-sepolicy.mk
 create mode 100644 oriole/grilservice_app.te
 create mode 100644 raven/grilservice_app.te
diff --git a/oriole-sepolicy.mk b/oriole-sepolicy.mk
new file mode 100644
index 00000000..a4f28b2a
--- /dev/null
+++ b/oriole-sepolicy.mk
@@ -0,0 +1,2 @@
+# Oriole only sepolicy
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/oriole
diff --git a/oriole/grilservice_app.te b/oriole/grilservice_app.te
new file mode 100644
index 00000000..c5b61460
--- /dev/null
+++ b/oriole/grilservice_app.te
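Review bot: `# Ravne only sepolicy` in the new raven-sepolicy.mk misspells the board name; it should read `# Raven only sepolicy`, matching `# Oriole only sepolicy` in the oriole-sepolicy.mk added by patch 05. The BOARD_SEPOLICY_DIRS line itself looks right.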
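Review bot: The single rule in raven/cccdk_timesync_app.te, `allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find;`, carries no comment on which app this is or why it needs to look up the coexistence HAL service, and neither type is declared in this change. A header comment tying the grant to its bug, e.g. `# b/274906319: CCCDK timesync app looks up the BT coexistence HAL service`, would let the rule be re-evaluated when that bug closes. `find` on its own does not grant binder calls to the service; that access presumably comes from rules elsewhere, which is worth confirming.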
@@ -0,0 +1,2 @@
+allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
+
diff --git a/raven/grilservice_app.te b/raven/grilservice_app.te
new file mode 100644
index 00000000..c5b61460
--- /dev/null
+++ b/raven/grilservice_app.te
@@ -0,0 +1,2 @@
+allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
+
From 68893eb7e3a1b1f778537108aa536cc53c8e5dd0 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Wed, 28 Jun 2023 06:02:13 +0000
Subject: [PATCH 06/17] Create telephony.ril.silent_reset system_ext property for RILD restart
RILD listens for changes to this property. If the value changes to 1, RILD will restart itself and set this property back to 0. The TelephonyGoogle app will set this property to 1 when it receives a request from the SCONE app. Since TelephonyGoogle runs in the com.android.phone process, we also need to give the radio domain permission to set the telephony.ril.silent_reset property.
Bug: 286476107
Test: manual
Change-Id: I9f41aab747c075dd3a20d66f011e10ffee5a7608
---
 system_ext/private/property_contexts | 3 +++
 system_ext/public/property.te | 7 +++++++
 whitechapel/vendor/google/radio.te | 2 ++
 whitechapel/vendor/google/rild.te | 2 ++
 4 files changed, 14 insertions(+)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index 790ba63b..b8f09520 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -9,3 +9,6 @@ persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
 
 # Properties for euicc
 persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string
+
+# Telephony
+telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
\ No newline at end of file
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index bb07d927..1abcc84a 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
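Review bot: raven/grilservice_app.te is byte-identical to oriole/grilservice_app.te from the same commit (both carry blob c5b61460), and each ends with an added empty line. If both boards need the same grant, one shared file avoids the two copies drifting apart; otherwise at least drop the trailing blank line and add a comment tying the rule to its bug, e.g. `# b/286371097: grilservice looks up the BT coexistence HAL service`.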
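Review bot: The new last line `telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool` in system_ext/private/property_contexts is committed without a trailing newline (`\ No newline at end of file`), and the property.te hunk of the same commit has the same problem after its closing `')`. Both files should end with a newline so the next append does not show up as a change to these lines.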
@@ -3,3 +3,10 @@ system_vendor_config_prop(fingerprint_ghbm_prop)
 
 # eSIM properties
 system_vendor_config_prop(esim_modem_prop)
+
+# Telephony
+system_public_prop(telephony_ril_prop)
+
+userdebug_or_eng(`
+ set_prop(shell, telephony_ril_prop)
+')
\ No newline at end of file
diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te
index baa356bd..a604c720 100644
--- a/whitechapel/vendor/google/radio.te
+++ b/whitechapel/vendor/google/radio.te
@@ -1,3 +1,5 @@
+set_prop(radio, telephony_ril_prop)
+
 allow radio hal_exynos_rild_hwservice:hwservice_manager find;
 allow radio proc_vendor_sched:dir r_dir_perms;
 allow radio proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te
index 5108b452..e578ec4c 100644
--- a/whitechapel/vendor/google/rild.te
+++ b/whitechapel/vendor/google/rild.te
@@ -7,6 +7,8 @@ set_prop(rild, vendor_sys_default_prop)
 get_prop(rild, sota_prop)
 get_prop(rild, system_boot_reason_prop)
 
+set_prop(rild, telephony_ril_prop)
+
 allow rild proc_net:file rw_file_perms;
 allow rild radio_vendor_data_file:dir create_dir_perms;
 allow rild radio_vendor_data_file:file create_file_perms;
From 73a74266f9e22ea26aee40133805c695dca62752 Mon Sep 17 00:00:00 2001
From: Patty Huang
Date: Wed, 28 Jun 2023 22:18:38 +0800
Subject: [PATCH 07/17] Allow bthal to access vendor bluetooth folder
Bug: 289055382
Test: enable vendor debug log and check the vendor snoop log contain the vendor log
Change-Id: I25d7080f89ef1ca5836315097eab3c2916c9f4c0
---
 whitechapel/vendor/google/file.te | 3 +++
 whitechapel/vendor/google/file_contexts | 1 +
 whitechapel/vendor/google/hal_bluetooth_btlinux.te | 3 +++
 3 files changed, 7 insertions(+)
 create mode 100644 whitechapel/vendor/google/hal_bluetooth_btlinux.te
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index d8cce99a..8eec86af 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
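Review bot: `system_public_prop(telephony_ril_prop)` declares the property type without saying what the property gates; per the commit description, writing 1 to telephony.ril.silent_reset makes RILD restart itself, so every domain given `set_prop` on this type (radio and rild here, shell on userdebug/eng builds) can trigger that restart. A comment above the declaration should record that, e.g. `# telephony.ril.silent_reset: writing 1 makes RILD restart itself (b/286476107); keep set_prop limited to the domains that own the reset flow`, so later set_prop grants are reviewed with that effect in mind. The same applies to the radio.te and rild.te hunks of this commit, which add their grants with no comment.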
@@ -55,6 +55,9 @@ type sysfs_fingerprint, sysfs_type, fs_type;
 # CHRE
 type chre_socket, file_type;
 
+# BT
+type vendor_bt_data_file, file_type, data_file_type;
+
 # IOMMU
 type sysfs_iommu, sysfs_type, fs_type;
 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 961d9c27..ce7e5631 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -153,6 +153,7 @@
 
 # data files
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
 
 # Camera
 /vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0
diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..851dc894
--- /dev/null
+++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
@@ -0,0 +1,3 @@
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
+
From 31e0460cba60100db6fa29d76c921e24a147c2cd Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 5 Jul 2023 08:06:25 +0000
Subject: [PATCH 08/17] Revert "Update SELinux error"
This reverts commit 12abc8ef4aa73a849d72f13ab18bf901b2543703.
Bug: 287169829
Change-Id: If92a6a0fc90d70a49999ce6004bcbd5d58565e51
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 69c51137..03d8f7b9 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -22,5 +22,4 @@ incidentd debugfs_wakeup_sources file b/238263568
 incidentd incidentd anon_inode b/268146971
 rfsd vendor_rild_prop property_service b/269218654
 su modem_img_file filesystem b/238825802
-system_app proc_pagetypeinfo file b/287169829
 system_server system_userdir_file dir b/281814691
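Review bot: The new whitechapel/vendor/google/hal_bluetooth_btlinux.te grants `rw_dir_perms` and `create_file_perms` on vendor_bt_data_file without a comment on what the HAL writes there, and the file ends with an added empty line. The commit message says this is for the vendor debug/snoop log, so a header such as `# b/289055382: vendor BT debug log under /data/vendor/bluetooth` would document it, and the trailing blank line should go. Nothing in this change creates /data/vendor/bluetooth with that label — presumably an init script elsewhere does; confirm it, since otherwise the file_contexts entry added here never applies.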
From ddefd11361a16d04d713e47c319cc600de1c161f Mon Sep 17 00:00:00 2001
From: Renato Grottesi
Date: Thu, 13 Jul 2023 18:46:26 +0000
Subject: [PATCH 09/17] Remove settings for old ArmNN HIDL backend
Compile ArmNN shim over the support library. Remove SELinux permissions and settings for the old HIDL backend. The AIDL settings will be in the gs-common folder.
Test: Local run of CtsNNAPITestCases
Test: Local run of VtsHalNeuralnetworksTargetTest
Test: Local run of MLTS Benchmark
Bug: 283724775
Merged-In: Ib72308547f08bc21a5a205ec158e297cb8fe9083
Change-Id: Ic75d022824bd62bef48a8b0db80237b1370ac570
---
 neuralnetworks/file_contexts | 1 -
 neuralnetworks/hal_neuralnetworks_armnn.te | 9 ---------
 2 files changed, 10 deletions(-)
 delete mode 100644 neuralnetworks/file_contexts
 delete mode 100644 neuralnetworks/hal_neuralnetworks_armnn.te
diff --git a/neuralnetworks/file_contexts b/neuralnetworks/file_contexts
deleted file mode 100644
index fc151ab9..00000000
--- a/neuralnetworks/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
diff --git a/neuralnetworks/hal_neuralnetworks_armnn.te b/neuralnetworks/hal_neuralnetworks_armnn.te
deleted file mode 100644
index c9872853..00000000
--- a/neuralnetworks/hal_neuralnetworks_armnn.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_neuralnetworks_armnn, domain;
-hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
-
-type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type;
-
-allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms;
-
-init_daemon_domain(hal_neuralnetworks_armnn)
-
From 6efcea55dcf824f144c3c5b56a4f071402765d7f Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 14 Jul 2023 20:16:05 +0800
Subject: [PATCH 10/17] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 291237382
Change-Id: Ie3f2e61a1103edcaeffb985a926de1480f2ea7ef
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 03d8f7b9..9d1293e6 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -23,3 +23,4 @@ incidentd incidentd anon_inode b/268146971
 rfsd vendor_rild_prop property_service b/269218654
 su modem_img_file filesystem b/238825802
 system_server system_userdir_file dir b/281814691
+system_suspend sysfs_aoc dir b/291237382
From 3c8d114e48a75505a39138a640c8731ab2e8340b Mon Sep 17 00:00:00 2001
From: Utku Utkan
Date: Tue, 11 Jul 2023 17:44:08 -0700
Subject: [PATCH 11/17] Introduce CameraServices seinfo tag for PixelCameraServices
Bug: 287069860
Test: m && flashall && check against 'avc: denied' errors
Change-Id: I9e9d3914499550d9e9b6c8ea7c4a7cabd9e9a5dd
---
 whitechapel/vendor/google/keys.conf | 3 +++
 whitechapel/vendor/google/mac_permissions.xml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf
index fb6e52b6..3c9dee72 100644
--- a/whitechapel/vendor/google/keys.conf
+++ b/whitechapel/vendor/google/keys.conf
@@ -6,3 +6,6 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb
 
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
+
+[@CAMERASERVICES]
+ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml
index 6cb7113c..b51e565e 100644
--- a/whitechapel/vendor/google/mac_permissions.xml
+++ b/whitechapel/vendor/google/mac_permissions.xml
@@ -30,4 +30,7 @@
+
+
+
From 722322664c17b91280253c68cd65ef77b7af3cd2 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Wed, 19 Jul 2023 01:15:07 +0000
Subject: [PATCH 12/17] Revert "Introduce CameraServices seinfo tag for PixelCameraServices"
Revert submission 24056607-pixel-camera-services-extensions-sepolicy
Reason for revert: build breakage on git_main-without-vendor
Reverted changes: /q/submissionid:24056607-pixel-camera-services-extensions-sepolicy
Change-Id: I0654c7c4ef296b4594db86cc8af5a73627e2b7d7
---
 whitechapel/vendor/google/keys.conf | 3 ---
 whitechapel/vendor/google/mac_permissions.xml | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf
index 3c9dee72..fb6e52b6 100644
--- a/whitechapel/vendor/google/keys.conf
+++ b/whitechapel/vendor/google/keys.conf
@@ -6,6 +6,3 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb
 
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
-
-[@CAMERASERVICES]
-ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml
index b51e565e..6cb7113c 100644
--- a/whitechapel/vendor/google/mac_permissions.xml
+++ b/whitechapel/vendor/google/mac_permissions.xml
@@ -30,7 +30,4 @@
-
-
-
From e10372e111cb83fedfc7993460f8b5322de5e087 Mon Sep 17 00:00:00 2001
From: Utku Utkan
Date: Wed, 19 Jul 2023 02:47:43 +0000
Subject: [PATCH 13/17] Revert^2 "Introduce CameraServices seinfo tag for PixelCameraServices"
Revert submission 24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL
Reason for revert: Relanding the original topic after copying the certificates under `device/google` for `without-vendor` branches
Reverted changes: /q/submissionid:24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL
Bug: 287069860
Test: m && flashall
Change-Id: Icf52453dc2a0a4d60958b8fe76509f385ac6fae2
---
 ...ogle_android_apps_camera_services.x509.pem | 30 +++++++++++++++++++
 whitechapel/vendor/google/keys.conf | 3 ++
 whitechapel/vendor/google/mac_permissions.xml | 3 ++
 3 files changed, 36 insertions(+)
 create mode 100644 whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem b/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem
new file mode 100644
index 00000000..7b8c5b22
--- /dev/null
+++ b/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz +MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G +A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP +1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR +UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5 +4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL +jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8 +pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0 +VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3 +A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO +sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV +eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO +nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI +hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5 +YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm +FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr +njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI +hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e +JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3 +IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA 
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H
+r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F
+DB17LhMLl0GxX9j1
+-----END CERTIFICATE-----
diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf
index fb6e52b6..0693d7c5 100644
--- a/whitechapel/vendor/google/keys.conf
+++ b/whitechapel/vendor/google/keys.conf
@@ -6,3 +6,6 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb
 
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
+
+[@CAMERASERVICES]
+ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml
index 6cb7113c..b51e565e 100644
--- a/whitechapel/vendor/google/mac_permissions.xml
+++ b/whitechapel/vendor/google/mac_permissions.xml
@@ -30,4 +30,7 @@
+
+
+
From d9478e1c21bcff60f25d605c25df71f11ac5792d Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Fri, 21 Jul 2023 14:46:14 +0900
Subject: [PATCH 14/17] Move coredomain seapp contexts to system_ext
Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation.
Bug: 280547417
Test: TH
Change-Id: I68d6564ca9e5ba77d3562b6c73b32cd1713001f7
---
 ambient/seapp_contexts | 2 --
 system_ext/private/seapp_contexts | 9 +++++++++
 whitechapel/vendor/google/seapp_contexts | 6 ------
 3 files changed, 9 insertions(+), 8 deletions(-)
 delete mode 100644 ambient/seapp_contexts
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
deleted file mode 100644
index 8024688c..00000000
--- a/ambient/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Domain for Exo app
-user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
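Review bot: In the keys.conf hunk, `ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem` applies this certificate for every build variant, user builds included, and the path it replaces from patch 11 was under `vendor/google/dev-keystore`, which suggests a development key. Confirm that the committed certificate is the release signer for the CameraServices package, because with `ALL` any package signed with this key receives the CAMERASERVICES seinfo on user builds as well; a comment above `[@CAMERASERVICES]` naming the signing key it corresponds to would help the next reviewer. The mac_permissions.xml hunk shows only three empty added lines on this page, so the seinfo mapping this tag feeds cannot be checked here.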
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 8c2178a8..234cccaf 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,2 +1,11 @@
 # Domain for EuiccGoogle
 user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for Exo app
+user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index e724de28..7711c447 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -24,18 +24,12 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
 
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
 
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
 
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 # RIL Config Service
 user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
 
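Review bot: The entries added to system_ext/private/seapp_contexts assign the domains exo_app, con_monitor_app and hbmsvmanager_app, but this change leaves their `type` declarations in vendor policy (no vendor .te file is touched), so system_ext now references domains that only vendor policy declares — presumably the build break that patch 15 cites. Patch 16 re-lands the move together with the type declarations and the `coredomain` attribute in system_ext/public and system_ext/private, which looks like the missing piece; the seapp entries and the type declarations should move in the same change. exo_app is not moved even there and is deleted in patch 17, so its entry here would have stayed inconsistent.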
From 53081f7032713f6879e36b3872dc9ce1f0a66d7e Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Fri, 28 Jul 2023 06:02:59 +0000
Subject: [PATCH 15/17] Revert "Move coredomain seapp contexts to system_ext"
This reverts commit d9478e1c21bcff60f25d605c25df71f11ac5792d.
Reason for revert: breaking build. b/293539702
Change-Id: Ie8a66971fcf249c9d08b4898e24b962d6aaf3ce6
---
 ambient/seapp_contexts | 2 ++
 system_ext/private/seapp_contexts | 9 ---------
 whitechapel/vendor/google/seapp_contexts | 6 ++++++
 3 files changed, 8 insertions(+), 9 deletions(-)
 create mode 100644 ambient/seapp_contexts
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
new file mode 100644
index 00000000..8024688c
--- /dev/null
+++ b/ambient/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for Exo app
+user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 234cccaf..8c2178a8 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,11 +1,2 @@
 # Domain for EuiccGoogle
 user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
-
-# Domain for Exo app
-user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
-
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index 7711c447..e724de28 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -24,12 +24,18 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
 
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
 
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
 
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
 # RIL Config Service
 user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
 
From 87b9095bd5d9811c0b37887e980b057453894dea Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Fri, 4 Aug 2023 14:26:21 +0900
Subject: [PATCH 16/17] Move coredomain seapp ctx and types to system_ext
Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation.
Bug: 280547417
Test: build bluejay and boot test
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb3a11636618dbb044e567716ff2984b25117bc5)
Merged-In: I48441749de4eb1de90ce5a307b1d47ae3cb9592d
Change-Id: I48441749de4eb1de90ce5a307b1d47ae3cb9592d
---
 system_ext/private/con_monitor.te | 7 +++++++
 system_ext/private/hbmsvmanager_app.te | 11 +++++++++++
 system_ext/private/seapp_contexts | 6 ++++++
 system_ext/public/con_monitor.te | 2 ++
 system_ext/public/hbmsvmanager_app.te | 1 +
 whitechapel/vendor/google/con_monitor.te | 11 -----------
 whitechapel/vendor/google/hbmsvmanager_app.te | 15 ---------------
 whitechapel/vendor/google/seapp_contexts | 6 ------
 8 files changed, 27 insertions(+), 32 deletions(-)
 create mode 100644 system_ext/private/con_monitor.te
 create mode 100644 system_ext/private/hbmsvmanager_app.te
 create mode 100644 system_ext/public/con_monitor.te
 create mode 100644 system_ext/public/hbmsvmanager_app.te
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
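Review bot: The new system_ext/private/con_monitor.te holds the domain's core rules, but nothing says that the rest of the domain (`allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;` and the matching file rule) stays behind in whitechapel/vendor/google/con_monitor.te, so a reader of either file sees only part of what the app may do. Add a header to the private file, e.g. `# ConnectivityMonitor app; vendor-side rules live in whitechapel/vendor/google/con_monitor.te`, and the same kind of pointer in system_ext/private/hbmsvmanager_app.te, whose display-service and binder_call rules also remain in the vendor file. `set_prop(con_monitor_app, radio_prop)` is moved verbatim; it still gives an app domain write access to radio_prop, which deserves a one-line justification in that same header.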
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 8c2178a8..6ac71499 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,2 +1,8 @@
 # Domain for EuiccGoogle
 user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
index ab17c826..32c2056d 100644
--- a/whitechapel/vendor/google/con_monitor.te
+++ b/whitechapel/vendor/google/con_monitor.te
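Review bot: `app_domain(hbmsvmanager_app);` in the new system_ext/private/hbmsvmanager_app.te ends with a semicolon, while the sibling file in this commit writes `app_domain(con_monitor_app)` without one. The removed vendor lines show the same form compiled before, so this is only a style point, but the two new files should agree; drop the `;` here: `app_domain(hbmsvmanager_app)`. The public counterpart system_ext/public/hbmsvmanager_app.te also lacks the one-line description its neighbour con_monitor.te has, e.g. `# HbmSVManager app`.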
@@ -1,13 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-# TODO(b/296512193): move con_monitor_app out of vendor sepolicy
-typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
index 2acbaa8a..bbedea8c 100644
--- a/whitechapel/vendor/google/hbmsvmanager_app.te
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -1,17 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy
-typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index e724de28..7711c447 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
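Review bot: After the removals, whitechapel/vendor/google/con_monitor.te is left with only `allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;` and the `create_file_perms` rule for a domain that is now declared in system_ext/public, but the file loses both its header comment and the `# TODO(b/296512193)` line, so nothing states where the type comes from or why vendor policy still extends a platform app domain. A short header such as `# con_monitor_app is declared in system_ext/public/con_monitor.te; only vendor-file access is granted here (see b/296512193)` would make the split intentional and reviewable. The same applies to the whitechapel/vendor/google/hbmsvmanager_app.te hunk on this line, which keeps `binder_call(hbmsvmanager_app, hal_graphics_composer_default)` and the hal_pixel_display_service find with no comment; whether a coredomain app calling a vendor HAL domain directly is acceptable under the platform neverallows is not shown by the hunk and is worth confirming beyond the boot test cited in the commit.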
@@ -24,18 +24,12 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 # RIL Config Service
 user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
From 7e9c67cf47f6ef5d7f8e1f0244c4c0eb01079604 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Tue, 5 Sep 2023 03:33:31 +0000
Subject: [PATCH 17/17] Remove obsolete exo sepolicy

They are not used anymore.
Bug: 296512193
Test: m selinux_policy
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:567ce923337337ccbba3a6d81ee437571c9025ea)
Merged-In: If1e70eb34f5225e1df329df31fbc7439c9e4fa4b
Change-Id: If1e70eb34f5225e1df329df31fbc7439c9e4fa4b
---
 ambient/exo_app.te | 24 ------------------------
 ambient/seapp_contexts | 2 --
 2 files changed, 26 deletions(-)
 delete mode 100644 ambient/exo_app.te
 delete mode 100644 ambient/seapp_contexts
diff --git a/ambient/exo_app.te b/ambient/exo_app.te
deleted file mode 100644
index 9b4fd0b6..00000000
--- a/ambient/exo_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type exo_app, coredomain, domain;
-
-# TODO(b/296512193): move exo_app out of vendor sepolicy
-typeattribute exo_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(exo_app)
-net_domain(exo_app)
-
-allow exo_app app_api_service:service_manager find;
-allow exo_app audioserver_service:service_manager find;
-allow exo_app cameraserver_service:service_manager find;
-allow exo_app mediaserver_service:service_manager find;
-allow exo_app radio_service:service_manager find;
-allow exo_app fwk_stats_service:service_manager find;
-allow exo_app mediametrics_service:service_manager find;
-allow exo_app virtual_device_service:service_manager find;
-allow exo_app gpu_device:dir search;
-
-allow exo_app uhid_device:chr_file rw_file_perms;
-
-binder_call(exo_app, statsd)
-binder_use(exo_app)
-
-get_prop(exo_app, device_config_runtime_native_boot_prop)
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
deleted file mode 100644
index 8024688c..00000000
--- a/ambient/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Domain for Exo app
-user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all