Merge "init: tighten sysfs_type permissions"
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 927296d..790133e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,6 +6,7 @@
( adbd_exec
bootloader_boot_reason_prop
broadcastradio_service
+ crossprofileapps_service
e2fs
e2fs_exec
hal_broadcastradio_hwservice
@@ -28,6 +29,13 @@
package_native_service
property_info
slice_service
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
statscompanion_service
storaged_data_file
sysfs_fs_ext4_features
@@ -40,6 +48,7 @@
thermalserviced_tmpfs
timezone_service
tombstoned_java_trace_socket
+ tombstone_wifi_data_file
update_engine_log_data_file
vendor_init
vold_prepare_subdirs
diff --git a/private/file.te b/private/file.te
index 5b4dbc8..5ff7768 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,6 +1,9 @@
# /proc/config.gz
type config_gz, fs_type;
+# /data/misc/stats-data, /data/misc/stats-service
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 3c6642a..7d1457a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -277,6 +277,8 @@
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
+/system/bin/stats u:object_r:stats_exec:s0
+/system/bin/statsd u:object_r:statsd_exec:s0
#############################
# Vendor files
@@ -315,7 +317,11 @@
#############################
# OEM and ODM files
#
-/odm(/.*)? u:object_r:vendor_file:s0
+/odm(/.*)? u:object_r:vendor_file:s0
+/odm/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/odm/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/odm/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
/oem(/.*)? u:object_r:oemfs:s0
@@ -345,6 +351,7 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
@@ -380,6 +387,8 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 0401ffe..17ee9d7 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -2,6 +2,8 @@
/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/odm/lib(/.*)? u:object_r:system_file:s0
+/data/asan/odm/lib64(/.*)? u:object_r:system_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
/system/bin/asan/app_process u:object_r:zygote_exec:s0
diff --git a/private/service.te b/private/service.te
new file mode 100644
index 0000000..3fec882
--- /dev/null
+++ b/private/service.te
@@ -0,0 +1,2 @@
+type stats_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 6451ffc..10d8d09 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -32,6 +32,7 @@
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
+crossprofileapps u:object_r:crossprofileapps_service:s0
dbinfo u:object_r:dbinfo_service:s0
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
@@ -142,6 +143,7 @@
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
slice u:object_r:slice_service:s0
+stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
diff --git a/private/stats.te b/private/stats.te
new file mode 100644
index 0000000..be8cfbd
--- /dev/null
+++ b/private/stats.te
@@ -0,0 +1,25 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
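Review bot: The last rule, `allow stats statsd:fifo_file write;`, grants write on a statsd-labelled pipe, yet the comment directly above says the stats command *receives* the report data through a ParcelFileDescriptor. If stats creates the pipe and hands it to statsd — which the matching `allow statsd stats:fifo_file write` and `allow statsd stats:fd use` in statsd.te suggest — this rule is never exercised and should be dropped; if instead statsd hands stats a pipe to read from, the permission needed is `read`, not `write`. Either way the comment and the rule currently disagree, so confirm the direction against the stats binary before landing. A smaller wording fix: `# allow stats to communicate use, read and write over the adb connection.` reads awkwardly and would be clearer as `# allow stats to use, read and write the adb connection socket.`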
diff --git a/private/statsd.te b/private/statsd.te
new file mode 100644
index 0000000..82691d3
--- /dev/null
+++ b/private/statsd.te
@@ -0,0 +1,72 @@
+type statsd, domain;
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, incidentd)
+binder_call(statsd, statscompanion_service)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ statscompanion_service
+ app_api_service
+ system_api_service
+}:service_manager find;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, and stats command can find the stats service.
+neverallow {
+ domain
+ -dumpstate
+ -shell
+ -stats
+ -statsd
+ -system_app
+ -system_server
+} stats_service:service_manager find;
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
+
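Review bot: `binder_call(statsd, statscompanion_service)` names a service_manager_type, but binder permissions are checked against the peer *process* domain, so this rule can never match anything; the statscompanion service is hosted by system_server (private/service.te declares it `system_server_service`), and the rule that actually lets statsd call it is `binder_call(statsd, system_server)` — the `binder_call(system_server, statsd)` added in system_server.te only covers the opposite direction. The comment above that block ("any binder service") overstates what the three rules grant and should name the peers. Two more comment/policy mismatches: the path comment above the stats_data_file rules says `/data/misc/stats-system` while file_contexts and the neverallow comment use `/data/misc/stats-service`, and "permissions to register the services" describes a `find` rule, not `add`. Separately, `r_dir_file(statsd, domain)` grants read on /proc/<pid> of every domain, which is broader than "scan through /proc/pid" implies; worth confirming that full breadth is needed.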
diff --git a/private/system_server.te b/private/system_server.te
index 7b0aad1..7d7a1a6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -169,6 +169,7 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, vold)
binder_call(system_server, wificond)
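Review bot: `binder_call(system_server, statsd)` is directional — it lets system_server call into statsd and statsd reply — so on its own it does not let statsd initiate calls to the statscompanion service system_server hosts; that needs `binder_call(statsd, system_server)` in statsd.te, which this patch does not add (statsd.te targets the service type instead of the hosting domain). If statsd only ever answers system_server this rule is sufficient; otherwise the missing direction will surface as a `statsd system_server:binder call` denial.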
@@ -578,6 +579,7 @@
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
+allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server vold_service:service_manager find;
@@ -800,5 +802,3 @@
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
-# TODO(b/67468181): Remove following lines upon resolution of this bug
-dontaudit system_server statscompanion_service:service_manager { add find };
diff --git a/public/file.te b/public/file.te
index 339f57d..81bb1f1 100644
--- a/public/file.te
+++ b/public/file.te
@@ -163,6 +163,8 @@
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/vendor/tombstones/wifi - vendor wifi dumps
+type tombstone_wifi_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index ac8a0d9..b8693fb 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -23,3 +23,9 @@
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
allow hal_wifi proc_modules:file { getattr open read };
+
+# allow hal_wifi to write into /data/vendor/tombstones/wifi
+userdebug_or_eng(`
+ allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+ allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
+')
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 2846592..cb4a144 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -7,6 +7,9 @@
typeattribute perfprofd coredomain;
typeattribute perfprofd mlstrustedsubject;
+ # perfprofd access to sysfs directory structure.
+ allow perfprofd sysfs_type:dir search;
+
# perfprofd needs to control CPU hot-plug in order to avoid kernel
# perfevents problems in cases where CPU goes on/off during measurement;
# this means read access to /sys/devices/system/cpu/possible
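Review bot: The two added lines carry a leading space (` # perfprofd access…`, ` allow perfprofd sysfs_type:dir search;`) while every other rule in the file, including the `typeattribute` lines just above, starts in column 0; the stray indentation should be removed. On substance, `search` on the `sysfs_type` attribute is the minimal traversal permission (no read or getattr), but it covers every sysfs label rather than only the parents of the `/sys/devices/system/cpu` path the next comment names; if those parents are plain `sysfs`, `allow perfprofd sysfs:dir search;` plus search on the cpu directory's own label would be the tighter grant — worth checking before widening to the whole attribute.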
diff --git a/public/service.te b/public/service.te
index 6dec274..e48d4b7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,7 +21,6 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
-type statscompanion_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
@@ -49,6 +48,7 @@
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
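Review bot: `crossprofileapps_service` is declared with `app_api_service`, so every app domain that carries the app_api_service find rule can locate it through servicemanager, and the only remaining gate is the permission checking inside the system_server implementation, which this patch cannot show. That matches the neighbouring services, but unlike `clipboard_service` and `companion_device_service` it is not given `ephemeral_app_api_service`, which looks deliberate; a short comment recording the reason (e.g. `# not exposed to ephemeral apps` with the actual rationale) would keep a later change from adding it by analogy.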