Merge "Relabel minui properties as recovery_config_prop"
diff --git a/Android.mk b/Android.mk
index 37dee73..b667fd2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -346,6 +346,7 @@
     vendor_property_contexts \
     vendor_property_contexts_test \
     vendor_seapp_contexts \
+    vendor_service_contexts \
     vendor_hwservice_contexts \
     vendor_hwservice_contexts_test \
     vndservice_contexts \
diff --git a/prebuilts/api/30.0/private/bpfloader.te b/prebuilts/api/30.0/private/bpfloader.te
index 249f3df..74a8e25 100644
--- a/prebuilts/api/30.0/private/bpfloader.te
+++ b/prebuilts/api/30.0/private/bpfloader.te
@@ -5,7 +5,7 @@
 
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr };
+allow bpfloader fs_bpf:file { create setattr read };
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index f69037c..8dc585a 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -121,6 +121,7 @@
     vendor_boringssl_self_test
     vendor_install_recovery
     vendor_install_recovery_exec
+    vendor_service_contexts_file
     vendor_socket_hook_prop
     vendor_socket_hook_prop
     virtual_ab_prop))
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index b86d9a2..4b0cab7 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -378,7 +378,9 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
-/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
 
 /(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
 
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 335c1b6..5881255 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -27,6 +27,10 @@
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
 
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
 # read pipe-max-size configuration
 allow mediaprovider_app proc_pipe_conf:file r_file_perms;
 
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 8c7afab..66c46ed 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -208,6 +208,7 @@
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, gpuservice)
 binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index ed4aded..8cb4950 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -1005,6 +1005,7 @@
     -vendor_app_file
     -vendor_apex_file
     -vendor_configs_file
+    -vendor_service_contexts_file
     -vendor_framework_file
     -vendor_idc_file
     -vendor_keychars_file
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index dffa5a3..e7b3050 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -507,6 +507,9 @@
 # service_contexts file
 type service_contexts_file, system_file_type, file_type;
 
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
 # nonplat service_contexts file (only accessible on non full-treble devices)
 type nonplat_service_contexts_file, vendor_file_type, file_type;
 
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index 85777f5..63fc227 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -18,6 +18,9 @@
 }:binder transfer;
 
 allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
 # nonplat_service_contexts only accessible on non full-treble devices
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
diff --git a/private/bpfloader.te b/private/bpfloader.te
index b31fe18..7c88be2 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -5,7 +5,7 @@
 
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr };
+allow bpfloader fs_bpf:file { create setattr read };
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
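Review bot: The comment at L127 (`# These permissions are required to pin ebpf maps & programs.`) no longer describes the whole rule once `read` is added at L130, because reading back a pinned object is not pinning. Presumably `read` is needed to re-open already-pinned maps or programs through bpf_obj_get(), which the kernel checks as an inode read, and the absence of any `open` permission in the rule is consistent with that; if so, say it next to the rule, e.g. `# read: retrieve already-pinned maps/programs (bpf_obj_get), checked as inode read, not open`. If the intent is something else, the comment should name it so the extra permission is not widened further later without a recorded reason.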
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index a3b05ad..7d5a04f 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -122,6 +122,7 @@
     vendor_boringssl_self_test
     vendor_install_recovery
     vendor_install_recovery_exec
+    vendor_service_contexts_file
     vendor_socket_hook_prop
     vendor_socket_hook_prop
     virtual_ab_prop))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 8a6c602..2c4dce1 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -7,4 +7,6 @@
   ( new_objects
     apex_info_file
     debugfs_kprobes
-    gnss_device))
+    gnss_device
+    mediatranscoding_tmpfs))
+
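Review bot: A trailing empty line is added after the closing `))` at L157 that the old version of the file did not have and that serves no purpose in a CIL list; drop it so the file ends at `mediatranscoding_tmpfs))`. The new entry itself keeps the `new_objects` list alphabetical, which matches the existing ordering.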
diff --git a/private/file_contexts b/private/file_contexts
index ca3220c..75bca42 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -380,7 +380,9 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
-/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
 
 /(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
 
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 9afbadd..6cf9dba 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -27,6 +27,10 @@
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
 
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
 # read pipe-max-size configuration
 allow mediaprovider_app proc_pipe_conf:file r_file_perms;
 
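Review bot: The comment `# Talk to statsd` at L181 does not explain why mediaprovider_app needs a direct binder_call to statsd at L183 in addition to finding statsmanager_service at L182; binder_call is bidirectional, so L183 also lets statsd transfer binder references to mediaprovider_app and lets mediaprovider_app use fds received from statsd. If, as the pairing of the two rules suggests, this is for registering pull-atom callbacks through statsmanager that statsd later invokes, say so, e.g. `# Register pulled atoms via statsmanager; statsd calls back into the app, hence the bidirectional binder_call`. If only the find is actually exercised, the binder_call line is a wider grant than the feature needs.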
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 1691da5..fa2fc08 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -11,8 +11,6 @@
 hal_client_domain(mediaserver, hal_omx)
 hal_client_domain(mediaserver, hal_codec2)
 
-allow mediaserver mediatranscoding_service:service_manager find;
-
 set_prop(mediaserver, audio_prop)
 
 get_prop(mediaserver, media_config_prop)
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index e0ad84c..0163f13 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -1,3 +1,49 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+type mediatranscoding_tmpfs, file_type;
 typeattribute mediatranscoding coredomain;
 
 init_daemon_domain(mediatranscoding)
+tmpfs_domain(mediatranscoding)
+allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
+
+binder_use(mediatranscoding)
+binder_call(mediatranscoding, binderservicedomain)
+binder_call(mediatranscoding, appdomain)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+hal_client_domain(mediatranscoding, hal_graphics_allocator)
+hal_client_domain(mediatranscoding, hal_configstore)
+hal_client_domain(mediatranscoding, hal_omx)
+hal_client_domain(mediatranscoding, hal_codec2)
+
+allow mediatranscoding mediaserver_service:service_manager find;
+allow mediatranscoding mediametrics_service:service_manager find;
+allow mediatranscoding mediaextractor_service:service_manager find;
+
+allow mediatranscoding system_server:fd use;
+allow mediatranscoding activity_service:service_manager find;
+
+# allow mediatranscoding service read/write permissions for file sources
+allow mediatranscoding sdcardfs:file { getattr read write };
+allow mediatranscoding media_rw_data_file:file { getattr read write };
+allow mediatranscoding apk_data_file:file { getattr read };
+allow mediatranscoding shell_data_file:file { getattr read write };
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
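Review bot: `allow mediatranscoding shell_data_file:file { getattr read write };` at L238 gives a production media daemon write access to shell-owned data files, which none of the other source rules (sdcardfs, media_rw_data_file, apk_data_file at L235-L237) grant and which the old public/ version of this domain did not have; that looks like a test convenience for /data/local/tmp, so wrap it in `userdebug_or_eng(`allow mediatranscoding shell_data_file:file { getattr read write };')` if it is only needed by tests on debug builds, or add a comment naming the user-build client that needs it. None of the file rules at L235-L238 grant `open`, so the daemon can only work on descriptors handed to it by callers (binder_call(mediatranscoding, appdomain) at L217 includes appdomain:fd use), which is a good least-privilege property worth stating in the comment at L234, e.g. `# no open: source/destination files arrive as fds from the calling app`. L217 also widens the previous `untrusted_app:binder call` to all of appdomain in both directions, presumably so any app can submit transcoding requests; a one-line comment saying so would help the next reviewer.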
diff --git a/private/priv_app.te b/private/priv_app.te
index 7794ee8..d5b8d3f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -157,6 +157,9 @@
 allow priv_app apex_data_file:dir search;
 allow priv_app staging_data_file:file r_file_perms;
 
+# allow priv app to access the system app data files for ContentProvider case.
+allow priv_app system_app_data_file:file { read getattr };
+
 ###
 ### neverallow rules
 ###
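Review bot: `allow priv_app system_app_data_file:file { read getattr };` at L264 lets every priv_app domain read files owned by system-uid apps, and the comment at L263 only says "for ContentProvider case". Since no `open` is granted, the rule can only apply to descriptors a system app's ContentProvider has already opened and returned over binder, which is what bounds the grant; the comment should say so, e.g. `# Use fds returned by a system_app ContentProvider (openFile); no open is granted, the provider decides what is shared`. The neverallow section that begins at L266 continues outside the hunk, so check that none of those rules already forbid priv_app access to system_app_data_file, which would turn this allow into a build failure rather than a grant.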
diff --git a/private/system_server.te b/private/system_server.te
index e71e847..88e7228 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -208,6 +208,7 @@
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, gpuservice)
 binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
diff --git a/public/domain.te b/public/domain.te
index 3baf482..4d5a394 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1026,6 +1026,7 @@
     -vendor_app_file
     -vendor_apex_file
     -vendor_configs_file
+    -vendor_service_contexts_file
     -vendor_framework_file
     -vendor_idc_file
     -vendor_keychars_file
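Review bot: Adding `-vendor_service_contexts_file` at L289 exempts the type from a neverallow whose head starts outside this hunk, so the exemption applies to every domain that neverallow covers, not only servicemanager, which is the only domain actually granted access in this change (public/servicemanager.te, L367). That is how the surrounding exclusions are structured, so it is acceptable, but a trailing comment such as `-vendor_service_contexts_file # read-only by servicemanager` would tie the exemption to its consumer. The new entry also sits between `-vendor_configs_file` and `-vendor_framework_file`, breaking the mostly alphabetical order of the list; place it after the `vendor_k…` entries (the rest of the list is out of view) unless the list is intentionally unordered.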
diff --git a/public/file.te b/public/file.te
index 523390c..4c5b541 100644
--- a/public/file.te
+++ b/public/file.te
@@ -511,6 +511,9 @@
 # service_contexts file
 type service_contexts_file, system_file_type, file_type;
 
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
 # nonplat service_contexts file (only accessible on non full-treble devices)
 type nonplat_service_contexts_file, vendor_file_type, file_type;
 
diff --git a/public/init.te b/public/init.te
index 1390e9e..7dc522a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -376,6 +376,7 @@
   proc_cmdline
   proc_kmsg
   proc_net
+  proc_pagetypeinfo
   proc_qtaguid_stat
   proc_slabinfo
   proc_sysrq
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
index 2e539df..82d4045 100644
--- a/public/mediatranscoding.te
+++ b/public/mediatranscoding.te
@@ -1,34 +1,3 @@
 # mediatranscoding - daemon for transcoding video and image.
 type mediatranscoding, domain;
-type mediatranscoding_exec, system_file_type, exec_type, file_type;
 
-binder_use(mediatranscoding)
-binder_call(mediatranscoding, binderservicedomain)
-binder_service(mediatranscoding)
-
-add_service(mediatranscoding, mediatranscoding_service)
-
-allow mediatranscoding system_server:fd use;
-allow mediatranscoding activity_service:service_manager find;
-allow mediatranscoding untrusted_app:binder call;
-
-# allow mediatranscoding service read/write permissions for file sources
-allow mediatranscoding sdcardfs:file { getattr read write };
-allow mediatranscoding media_rw_data_file:file { getattr read write };
-allow mediatranscoding apk_data_file:file { getattr read };
-
-# mediatranscoding should never execute any executable without a
-# domain transition
-neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 85777f5..63fc227 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -18,6 +18,9 @@
 }:binder transfer;
 
 allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
 # nonplat_service_contexts only accessible on non full-treble devices
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
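Review bot: The new rule at L367 carries no comment, while its neighbours at L365 and L369-L370 explain which contexts file they cover and when; add one, e.g. `# vendor_service_contexts: vendor-owned service labels, read on all devices`, adjusted to whatever the actual consumer is, since the hunk alone does not show whether full-Treble devices are the only users. The blank lines at L366 and L368 also isolate the rule from both neighbours; a single blank line before the `# nonplat_service_contexts ...` comment is enough and matches the rest of the file.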