Merge "Allow camera hal to read serialno."
diff --git a/private/apexd.te b/private/apexd.te
index 3282cfc..54af86a 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -46,11 +46,11 @@
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
# allow apexd to unlink apex files in /data/apex/active
-# note that apexd won't be able to unlink files in /data/pkg_staging/session_XXXX,
+# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
-# allow apexd to read files from /data/pkg_staging and hardlink them to /data/apex.
+# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
@@ -80,6 +80,10 @@
# not covered by rollback manager.
set_prop(apexd, powerctl_prop)
+# Find the vold service, and call into vold to manage FS checkpoints
+allow apexd vold_service:service_manager find;
+binder_call(apexd, vold)
+
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
index 14feee6..ba02083 100644
--- a/private/art_apex_boot_integrity.te
+++ b/private/art_apex_boot_integrity.te
@@ -1,5 +1,5 @@
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
+# This command set checks the integrity of boot classpath ART
+# artifacts in /data, potentially removing them.
type art_apex_boot_integrity, domain, coredomain;
type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
@@ -23,12 +23,6 @@
# Fsverity in the same domain.
allow art_apex_boot_integrity system_file:file execute_no_trans;
# Fsverity work.
-allowxperm art_apex_boot_integrity ota_data_file:file ioctl {
+allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_boot_integrity kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_boot_integrity su:key search;
-')
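Review bot: Dropping the `ota_data_file` allowxperm without also dropping any base `allow art_apex_boot_integrity ota_data_file:file ioctl` rule would widen, not narrow, what the domain may do: an `allow` on `ioctl` with no matching `allowxperm` permits every ioctl command. That base rule is not in this hunk, so it needs checking against the rest of private/art_apex_boot_integrity.te; the same holds for the new `dalvikcache_data_file` xperm, which only takes effect if a corresponding `allow ... dalvikcache_data_file:file ioctl` exists. If the `ota_data_file` ioctl allow is still present, remove it in the same change or keep the restricted `allowxperm` alongside it.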
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
index 40b09d2..575e0bf 100644
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@@ -29,9 +29,3 @@
allowxperm art_apex_postinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_postinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_postinstall su:key search;
-')
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
index 99341ec..e6a8475 100644
--- a/private/art_apex_preinstall.te
+++ b/private/art_apex_preinstall.te
@@ -31,9 +31,3 @@
allowxperm art_apex_preinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_preinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_preinstall su:key search;
-')
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d8c6e0a..94f3a9d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -31,6 +31,7 @@
bpfloader_exec
broadcastradio_service
cgroup_bpf
+ charger_exec
color_display_service
content_capture_service
crossprofileapps_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fbd26a1..5c04fcd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -29,6 +29,7 @@
bpfloader
bpfloader_exec
cgroup_bpf
+ charger_exec
color_display_service
content_capture_service
crossprofileapps_service
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index ac3ab2a..29efc22 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
(typeattributeset priv_app_28_0 (priv_app))
(typeattributeset proc_28_0
( proc
+ proc_fs_verity
proc_keys
proc_pressure_cpu
proc_pressure_io
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 1b76c38..d9e5755 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -28,6 +28,7 @@
bugreport_service
cgroup_desc_file
cgroup_rc_file
+ charger_exec
content_capture_service
content_suggestions_service
cpu_variant_prop
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 4c0aa18..adc46a1 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1,7 +1,7 @@
typeattribute crash_dump coredomain;
-# Crash dump does not need to access the GPU.
-dontaudit crash_dump gpu_device:chr_file *;
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump dev_type:chr_file { read write };
allow crash_dump {
domain
diff --git a/private/domain.te b/private/domain.te
index d6b233f..537e61b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,15 @@
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain mini-keyctl:key search;
+# For testing purposes, allow access to keys installed with su.
+userdebug_or_eng(`
+ allow domain su:key search;
+')
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
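Review bot: `allow domain kernel:key search;` moves keyring search from the handful of specific domains this commit strips it from (art_apex_*, system_server) to every domain, including untrusted apps and vendor domains, and the comment does not say why that breadth is required. Presumably fs-verity signature verification runs in the context of whichever process opens the file, so any domain opening a verity-protected file needs search on the keyring; if that is the reason, state it, e.g. `# fs-verity signature checks run in the opener's context, so every domain needs search on the kernel keyring.` Since `search` is now universal, it is worth pinning that nothing broader leaks to `domain`, e.g. `neverallow { domain -init -mini-keyctl } kernel:key ~search;`, with the exclusion list confirmed against the domains that actually populate the keyring (not visible here).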
diff --git a/private/file_contexts b/private/file_contexts
index f81f399..91d4484 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -14,9 +14,7 @@
/verity_key u:object_r:rootfs:s0
# Executables
-/charger u:object_r:rootfs:s0
/init u:object_r:init_exec:s0
-/system/bin/init u:object_r:init_exec:s0
/sbin(/.*)? u:object_r:rootfs:s0
# For kernel modules
@@ -36,6 +34,7 @@
# Symlinks
/bin u:object_r:rootfs:s0
/bugreports u:object_r:rootfs:s0
+/charger u:object_r:rootfs:s0
/d u:object_r:rootfs:s0
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
@@ -189,11 +188,13 @@
/system/bin/ashmemd u:object_r:ashmemd_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
+/system/bin/charger u:object_r:charger_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/init u:object_r:init_exec:s0
/system/bin/mini-keyctl -- u:object_r:mini-keyctl_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
@@ -280,8 +281,6 @@
/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
-# patchoat executable has (essentially) the same requirements as dex2oat.
-/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
@@ -458,7 +457,7 @@
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
-/data/pkg_staging(/.*)? u:object_r:staging_data_file:s0
+/data/app-staging(/.*)? u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 20ec084..def17aa 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -37,6 +37,7 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
diff --git a/private/init.te b/private/init.te
index 5b1ebc8..374b207 100644
--- a/private/init.te
+++ b/private/init.te
@@ -3,14 +3,16 @@
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)
recovery_only(`
+ # Files in recovery image are labeled as rootfs.
domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
')
diff --git a/private/system_server.te b/private/system_server.te
index 082351d..ab4a07c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -476,7 +476,7 @@
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;
-# Manage /data/pkg_staging.
+# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
@@ -809,11 +809,6 @@
allowxperm system_server apk_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-# Allow system process to access the keyring.
-allow system_server kernel:key search;
-userdebug_or_eng(`
- allow system_server su:key search;
-')
# Postinstall
#
diff --git a/public/charger.te b/public/charger.te
index 7145548..238b413 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -1,6 +1,5 @@
-# charger seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
type charger, domain;
+type charger_exec, system_file_type, exec_type, file_type;
# Write to /dev/kmsg
allow charger kmsg_device:chr_file rw_file_perms;
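Review bot: The removed comment still describes a live case: in recovery, charger keeps running from rootfs and is labelled via `seclabel` in init.rc (the `recovery_only` block in private/init.te in this same change), so the explanation should be updated rather than deleted. Suggest a comment above the type declarations such as `# On a normal boot charger is /system/bin/charger (charger_exec); in recovery it still lives in rootfs and gets its seclabel from init.rc.`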
diff --git a/public/file.te b/public/file.te
index d7c4cab..883f4a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -24,6 +24,7 @@
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
@@ -279,7 +280,7 @@
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
-# /data/pkg_staging
+# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
diff --git a/public/init.te b/public/init.te
index 88e8dba..2b85053 100644
--- a/public/init.te
+++ b/public/init.te
@@ -538,6 +538,9 @@
# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow init proc_fs_verity:file w_file_perms;
+
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
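Review bot: `/proc/sys/fs/verity/require_signatures` decides whether unsigned fs-verity files are accepted, so write access to `proc_fs_verity` should be pinned to init rather than only granted to it; nothing in this hunk prevents another domain from being given write later. Unless an existing neverallow on `proc_type` already covers it (not visible here), add `neverallow { domain -init } proc_fs_verity:file no_w_file_perms;` next to this rule. This matters more because the 28.0 compat mapping in this commit folds `proc_fs_verity` into `proc_28_0`, so vendor policy written against the old `proc` label would otherwise inherit on this file whatever it had on `proc`.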
diff --git a/public/property_contexts b/public/property_contexts
index 2589941..4216116 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -334,7 +334,7 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact int
+ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
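Review bot: Changing `ro.telephony.iwlan_operation_mode` from `exact int` to `exact enum default legacy AP-assisted` means any device still setting a numeric value will now fail the type check, and a read-only property cannot be corrected after boot; confirm no product build.prop or init script in tree still writes the integer form. If the enum values replace specific integers, a one-line `#` comment above the entry mapping old values to new names would help the next person touching it.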
diff --git a/public/vold.te b/public/vold.te
index cb21b83..c7d69be 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -290,8 +290,15 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
-# Only system_server and vdc can interact with vold over binder
-neverallow { domain -system_server -vdc -vold -update_verifier } vold_service:service_manager find;
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+} vold_service:service_manager find;
+
neverallow vold {
domain
-ashmemd
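Review bot: The neverallow lost its explanatory comment (`# Only system_server and vdc can interact with vold over binder`) while gaining `-apexd`, so a reader no longer sees the intent or the reason for each exemption. Restore it updated, e.g. `# Only system_server, vdc, update_verifier and apexd (FS checkpoint management) may find vold over binder`. The trailing `neverallow vold {` block continues outside the hunk.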