Merge "priv_app: dontaudit read access to default sysfs label"
diff --git a/Android.mk b/Android.mk
index e1adea4..729f3b4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -769,6 +769,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
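Review bot: `PRIVATE_EXCLUDE_BUILD_TEST := true` is added with no comment saying which policy rules `target_exclude_build_test` guards or why the cts policy must drop them, and it is set only on this one `$(LOCAL_BUILT_MODULE)`; any other module built through the same recipe (not visible here) reaches the `-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST)` line in the definitions.mk hunk with an empty value, so m4 sees the symbol defined as the empty string rather than `false`. If the m4 macros that test this symbol compare against `true`, an empty value is harmless, but that is not visible in this diff; confirm, or give the variable an explicit default on the other targets. A one-line comment above the new assignment, e.g. `# cts policy: drop rules guarded by target_exclude_build_test (passed to m4 in definitions.mk)`, would make the intent reviewable. The `define` that the definitions.mk hunk edits starts before that hunk.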
diff --git a/definitions.mk b/definitions.mk
index 4b9e098..36b75ac 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -10,6 +10,7 @@
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
+ -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
$(PRIVATE_TGT_RECOVERY) \
-s $^ > $@
endef
diff --git a/private/adbd.te b/private/adbd.te
index bde6864..58038c7 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -12,6 +12,14 @@
allow adbd su:process dyntransition;
')
+# When 'adb shell' is executed in recovery mode, adbd explicitly
+# switches into shell domain using setcon() because the shell executable
+# is not labeled as shell but as rootfs.
+recovery_only(`
+ domain_trans(adbd, rootfs, shell)
+ allow adbd shell:process dyntransition;
+')
+
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
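Review bot: `domain_trans(adbd, rootfs, shell)` makes the entire `rootfs` type the entrypoint for the adbd to shell transition, not just the shell binary, because (per the new comment) the recovery shell executable carries the generic rootfs label; any rootfs-labeled executable adbd can exec then becomes a valid entrypoint into the shell domain. That is bounded by the `recovery_only` wrapper and by the matching carve-out `recovery_only(`-shell')` in the second adbd.te hunk, but the comment should say the breadth is deliberate so a later reader neither narrows nor widens it by accident, e.g. `# Entrypoint is the generic rootfs type because recovery's shell binary has no dedicated exec label.` If that reading of the comment is wrong and a narrower label is available in recovery, the entrypoint should use it instead.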
@@ -148,4 +156,4 @@
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
+neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e71d565..5c4aa40 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -70,7 +70,7 @@
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
@@ -79,7 +79,11 @@
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Do not allow untrusted apps access to /cache
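Review bot: The enlarged class set is a denylist, so any socket class the kernel or the policy's class list gains later is permitted to `all_untrusted_apps` until someone appends it here; the rule stays correct only through manual upkeep. A comment above the block stating that every new socket class must be added here, and ideally a build-time check that the set equals the policy's full socket class list minus the intended exceptions, would turn that into a reviewable invariant. The hunk also appends `sctp_socket` to the pre-existing line while starting the other new families on fresh lines; grouping them consistently would make future diffs easier to read.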
@@ -125,6 +129,7 @@
proc_loadavg
proc_mounts
proc_pagetypeinfo
+ proc_slabinfo
proc_stat
proc_swaps
proc_uptime
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 5696d95..f53a194 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -5,6 +5,7 @@
;; types removed from current policy
(type asan_reboot_prop)
+(type commontime_management_service)
(type log_device)
(type mediacasserver_service)
(type mediacodec)
@@ -120,7 +121,7 @@
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
@@ -480,6 +481,7 @@
proc_pipe_conf
proc_random
proc_sched
+ proc_slabinfo
proc_swaps
proc_uid_time_in_state
proc_uid_concurrent_active_time
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b678221..d99c58f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -3,7 +3,8 @@
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
- ( adb_service
+ ( activity_task_service
+ adb_service
adbd_exec
atrace
binder_calls_stats_service
@@ -24,6 +25,7 @@
e2fs
e2fs_exec
exfat
+ exported_audio_prop
exported_bluetooth_prop
exported_config_prop
exported_dalvik_prop
@@ -117,7 +119,10 @@
thermalserviced
thermalserviced_exec
thermalserviced_tmpfs
+ time_prop
+ timedetector_service
timezone_service
+ timezonedetector_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
trace_data_file
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 4bc428c..8eedf56 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1,4 +1,5 @@
;; types removed from current policy
+(type commontime_management_service)
(type qtaguid_proc)
(type mediacodec)
(type mediacodec_exec)
@@ -455,7 +456,7 @@
(expandtypeattribute (preopt2cachename_exec_27_0) true)
(expandtypeattribute (print_service_27_0) true)
(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
+(typeattributeset proc_27_0 (proc proc_slabinfo))
(expandtypeattribute (proc_bluetooth_writable_27_0) true)
(expandtypeattribute (proc_cpuinfo_27_0) true)
(expandtypeattribute (proc_drop_caches_27_0) true)
@@ -825,7 +826,7 @@
(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 06f85fc..9b82f35 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -3,7 +3,8 @@
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
- ( adb_service
+ ( activity_task_service
+ adb_service
atrace
binder_calls_stats_service
blank_screen
@@ -28,6 +29,7 @@
exported3_default_prop
exported3_radio_prop
exported3_system_prop
+ exported_audio_prop
exported_bluetooth_prop
exported_config_prop
exported_dalvik_prop
@@ -94,6 +96,9 @@
system_boot_reason_prop
system_update_service
test_boot_reason_prop
+ time_prop
+ timedetector_service
+ timezonedetector_service
tombstone_wifi_data_file
trace_data_file
traced
diff --git a/private/file_contexts b/private/file_contexts
index 1ce0a80..bec6b14 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -352,7 +352,12 @@
#############################
# Product files
#
-/(product|system/product)(/.*)? u:object_r:system_file:s0
+/(product|system/product)(/.*)? u:object_r:system_file:s0
+
+#############################
+# Product-Services files
+#
+/(product-services|system/product-services)(/.*)? u:object_r:system_file:s0
#############################
# Data files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 265e646..b4d7cbc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -23,6 +23,7 @@
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
genfscon proc /stat u:object_r:proc_stat:s0
genfscon proc /swaps u:object_r:proc_swaps:s0
@@ -98,6 +99,10 @@
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
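Review bot: Labeling `/class/rfkill/rfkill0..3/state` as `sysfs_bluetooth_writable` ties the label to an rfkill index, but rfkill indices are allocated sequentially as switches register and are shared by all radio types, so on a given device one of these four entries may be the Wi-Fi or NFC switch rather than Bluetooth, and a Bluetooth switch registered at rfkill4 or later falls through to the default sysfs label. Whatever domain can write `sysfs_bluetooth_writable` can therefore toggle non-Bluetooth radios on such devices. That may be acceptable in a generic policy, but the hunk should say so, e.g. `# rfkill indices are probe-ordered and not Bluetooth-specific; device policy should override per device.`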
@@ -189,6 +194,7 @@
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
@@ -217,6 +223,7 @@
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index 6fab126..4456e39 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -19,6 +19,9 @@
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms;
+# section id 1002, allow reading kernel version /proc/version
+allow incidentd proc_version:file r_file_perms;
+
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
diff --git a/private/net.te b/private/net.te
index f16daf9..2e6ced3 100644
--- a/private/net.te
+++ b/private/net.te
@@ -4,7 +4,8 @@
# Use network sockets.
allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
diff --git a/private/property_contexts b/private/property_contexts
index 32be0b3..37d4427 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -70,6 +70,7 @@
ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
sys.boot.reason u:object_r:system_boot_reason_prop:s0
+sys.boot.reason.last u:object_r:last_boot_reason_prop:s0
pm. u:object_r:pm_prop:s0
test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
@@ -114,6 +115,11 @@
ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+ # Restrict access to starting/stopping adbd
+ctl.start$adbd u:object_r:ctl_adbd_prop:s0
+ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
+ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
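Review bot: Splitting `ctl.{start,stop,restart}$adbd` into `ctl_adbd_prop` only restricts domains compiled against current policy: the compat hunks in 26.0.cil and 27.0.cil fold `ctl_adbd_prop` back into `ctl_default_prop_26_0` and `ctl_default_prop_27_0`, so any vendor domain that could set `ctl_default_prop` under those policy versions keeps the ability to start and stop adbd. That is the usual compatibility trade-off, but a comment here saying the restriction is not enforced for legacy vendor policy, e.g. `# Not enforced for vendor domains on 26.0/27.0 policy; see private/compat/*/*.cil`, would stop the new type being read as a complete control. Entries in this file are prefix matches (compare `ctl.interface_stop$` above), so `ctl.start$adbd` also covers any service whose name merely begins with `adbd`; confirm that is intended. The comment on the first added line is indented by one space while every other comment in the file starts at column 0.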
@@ -145,3 +151,6 @@
persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
vendor. u:object_r:vendor_default_prop:s0
+
+# Properties that relate to time / time zone detection behavior.
+persist.time. u:object_r:time_prop:s0
diff --git a/private/radio.te b/private/radio.te
index b4f5390..9ac2cf1 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -3,3 +3,6 @@
app_domain(radio)
read_runtime_log_tags(radio)
+
+# Telephony code contains time / time zone detection logic so it reads the associated properties.
+get_prop(radio, time_prop)
diff --git a/private/service_contexts b/private/service_contexts
index 8b9b862..0513073 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,6 +1,7 @@
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
+activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
@@ -22,9 +23,6 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
-commontime_management u:object_r:commontime_management_service:s0
-common_time.clock u:object_r:mediaserver_service:s0
-common_time.config u:object_r:mediaserver_service:s0
companiondevice u:object_r:companion_device_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
@@ -162,7 +160,9 @@
telephony.registry u:object_r:registry_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
+time_detector u:object_r:timedetector_service:s0
timezone u:object_r:timezone_service:s0
+time_zone_detector u:object_r:timezonedetector_service:s0
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index ff5390a..0916adf 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,10 +5,6 @@
init_daemon_domain(storaged)
# Read access to pseudo filesystems
-r_dir_file(storaged, proc_net_type)
-userdebug_or_eng(`
- auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
-')
r_dir_file(storaged, domain)
# Read /proc/uid_io/stats
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index e64b8de..e2f1a07 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,6 +14,7 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_configstore)
+hal_client_domain(surfaceflinger, hal_power)
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
diff --git a/private/system_server.te b/private/system_server.te
index f74159e..182b004 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -524,8 +524,8 @@
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
-# PowerManager to read persist.sys.boot.reason
-get_prop(system_server, last_boot_reason_prop)
+# PowerManager to read sys.boot.reason
+get_prop(system_server, system_boot_reason_prop)
# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)
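Review bot: Swapping `last_boot_reason_prop` for `system_boot_reason_prop` removes system_server's read access to `last_boot_reason_prop` in the same change that adds `sys.boot.reason.last` under that type in property_contexts; if PowerManager, or anything else in system_server, reads `sys.boot.reason.last`, that read now fails on the new property's label rather than on `sys.boot.reason`. The Java side is not visible here, so this is a question rather than a defect: either confirm nothing in system_server reads `persist.sys.boot.reason` or `sys.boot.reason.last`, or keep `get_prop(system_server, last_boot_reason_prop)` with a comment naming the reader. The rewritten comment is accurate for the line it documents.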
@@ -536,6 +536,10 @@
# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)
+# Audio service in system server can read exported audio properties,
+# such as camera shutter enforcement
+get_prop(system_server, exported_audio_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -795,6 +799,9 @@
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
+# system_server contains time / time zone detection logic so reads the associated properties.
+get_prop(system_server, time_prop)
+
###
### Neverallow rules
###
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 7f9d315..b04e5e0 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,10 @@
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
(typeattributeset halclientdomain (hal_allocator_client))
+; Apps, except isolated apps, are clients of OMX-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_configstore_client;
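Review bot: The new `hal_omx_client` typeattributeset drops the `TODO(b/80317992)` that accompanied the rules it replaces in the app.te hunk, so the intent to eventually move OMX access onto per-domain `hal_client_domain` declarations is no longer recorded anywhere visible in this diff. Carrying the reference over, e.g. `; TODO(b/80317992): move to hal_client_domain on the individual app domains`, keeps the debt tracked in the file named for it. Whether the CIL form grants the same set as the removed lines (hwbinder_use, the hwservice finds, `hwservicemanager_prop`, binder_call to `hal_omx_server`) depends on how `hal_omx_client` is wired up elsewhere, which is not shown here.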
diff --git a/private/zygote.te b/private/zygote.te
index 2810976..ac1ef00 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -92,12 +92,6 @@
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net_type)
-userdebug_or_eng(`
- auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
# Root fs.
r_dir_file(zygote, rootfs)
diff --git a/public/adbd.te b/public/adbd.te
index 95854c0..82373fd 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -2,3 +2,7 @@
# it lives in the rootfs and has no unique file type.
type adbd, domain;
type adbd_exec, exec_type, file_type;
+
+# Only init is allowed to enter the adbd domain via exec()
+neverallow { domain -init } adbd:process transition;
+neverallow * adbd:process dyntransition;
diff --git a/public/app.te b/public/app.te
index 35c2008..1dca49c 100644
--- a/public/app.te
+++ b/public/app.te
@@ -219,15 +219,6 @@
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
-# TODO(b/80317992): use hal_client_domain on individual domains or have tests
-# that the required individual permissions are all granted
-hwbinder_use({ appdomain -isolated_app })
-allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-binder_call({ appdomain -isolated_app }, hal_omx_server)
-
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
diff --git a/public/attributes b/public/attributes
index 68696a1..90e1148 100644
--- a/public/attributes
+++ b/public/attributes
@@ -77,6 +77,11 @@
# All properties used to configure log filtering.
attribute log_property_type;
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
# All service_manager types created by system_server
attribute system_server_service;
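Review bot: The comment for `extended_core_property_type` asserts that these properties "are not accessible from device-specific domains", but nothing in this hunk enforces that and the neverallow, if one exists, is not in the diff; a reader will take the comment as a guarantee. Either point at the enforcing rule, e.g. `# Enforced by the neverallow in <FILE> — keep in sync`, or soften it to describe the intent. The phrase "not specific to device but are added from outside of AOSP" would read more clearly as `# Properties added outside AOSP (e.g. by an OEM) that are still treated as core, not device-specific, properties.`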
@@ -173,6 +178,12 @@
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
diff --git a/public/domain.te b/public/domain.te
index 2f93e42..3d35fab 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -181,7 +181,7 @@
# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr };
+allow domain vendor_configs_file:file { read open getattr map };
full_treble_only(`
# Allow all domains to be able to follow /system/vendor and/or
@@ -262,7 +262,7 @@
# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default whitelist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
@@ -1390,6 +1390,7 @@
neverallow {
coredomain
-init
+ -ueventd
} mnt_vendor_file:dir *;
# Only apps are allowed access to vendor public libraries.
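Review bot: Exempting `ueventd` from the `coredomain` neverallow on `mnt_vendor_file:dir *` widens a boundary rule without saying what ueventd must do under /mnt/vendor; the existing `-init` exemption is at least self-explanatory, this one is not. A one-line comment such as `# ueventd: <reason for the directory operations under /mnt/vendor> (b/<bug>)` should sit beside it, and the corresponding allow rule for ueventd (not in this diff) should be scoped to the specific directory permissions it needs rather than the full `*` that the neverallow no longer forbids.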
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f6c7507..412418a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -167,6 +167,7 @@
proc_pagetypeinfo
proc_qtaguid_ctrl
proc_qtaguid_stat
+ proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
diff --git a/public/file.te b/public/file.te
index 8c33bed..68ce321 100644
--- a/public/file.te
+++ b/public/file.te
@@ -45,6 +45,7 @@
type proc_pipe_conf, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index 646cebd..b7e3ca5 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,6 +1,5 @@
# HwBinder IPC from client to server
binder_call(hal_allocator_client, hal_allocator_server)
-add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 037066e..9ffb769 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,8 +2,7 @@
binder_call(hal_audio_client, hal_audio_server)
binder_call(hal_audio_server, hal_audio_client)
-add_hwservice(hal_audio_server, hal_audio_hwservice)
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
allow hal_audio ion_device:chr_file r_file_perms;
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 438db53..4a52b89 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -2,6 +2,4 @@
binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
-add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
-
-allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index 81b0c04..daf8d48 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -1,5 +1,4 @@
# HwBinder IPC from client to server
binder_call(hal_authsecret_client, hal_authsecret_server)
-add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
-allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 373dbec..09c3ce6 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -2,8 +2,7 @@
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
-add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
wakelock_use(hal_bluetooth);
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 181de4a..9c13f55 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -2,7 +2,6 @@
binder_call(hal_bootctl_client, hal_bootctl_server)
binder_call(hal_bootctl_server, hal_bootctl_client)
-add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
dontaudit hal_bootctl self:capability sys_rawio;
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
index 24d4908..5653afa 100644
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
@@ -1,4 +1,3 @@
binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
-add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
-allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 43f74b4..77216e4 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,8 +2,7 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
-add_hwservice(hal_camera_server, hal_camera_hwservice)
-allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7f65358..7de6a13 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -2,8 +2,7 @@
binder_call(hal_cas_client, hal_cas_server)
binder_call(hal_cas_server, hal_cas_client)
-add_hwservice(hal_cas_server, hal_cas_hwservice)
-allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# Permit reading device's serial number from system properties
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index c8051e1..2931cb5 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,12 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server)
-allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
-add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
-# As opposed to the rules of most other HALs, the different services exposed by
-# this HAL should be restricted to different clients. Thus, the allow rules for
-# clients are defined in the .te files of the clients.
+hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
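Review bot: The three-line note explaining that hal_configstore's services are meant to be restricted to different clients, with the allow rules living in the clients' .te files, is deleted together with the rules, and the replacement macro call carries no explanation. The surfaceflinger.te hunk in this same diff still uses the per-client `hal_client_domain(surfaceflinger, hal_configstore)` form, so the design note still seems to apply; unless `hal_attribute_hwservice` (its definition is not in this diff) makes it obsolete, keep the note above the macro call. The same refactor is applied mechanically across the other hal_*.te files, and equivalence with the removed `add_hwservice` plus client `find` pair is assumed rather than visible here.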
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
index 228e864..5d2e4b7 100644
--- a/public/hal_confirmationui.te
+++ b/public/hal_confirmationui.te
@@ -1,5 +1,4 @@
# HwBinder IPC from client to server
binder_call(hal_confirmationui_client, hal_confirmationui_server)
-add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
-allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index f11bfc8..34acb38 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -2,5 +2,4 @@
binder_call(hal_contexthub_client, hal_contexthub_server)
binder_call(hal_contexthub_server, hal_contexthub_client)
-add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a46dd91..339af52 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -2,8 +2,7 @@
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
-add_hwservice(hal_drm_server, hal_drm_hwservice)
-allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 2853567..b7676ed 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,8 +2,7 @@
binder_call(hal_dumpstate_client, hal_dumpstate_server)
binder_call(hal_dumpstate_server, hal_dumpstate_client)
-add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index ebe0b0c..b673e29 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -2,8 +2,7 @@
binder_call(hal_fingerprint_client, hal_fingerprint_server)
binder_call(hal_fingerprint_server, hal_fingerprint_client)
-add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 123acf5..b918f88 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,6 @@
binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
-add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
# TEE access.
allow hal_gatekeeper tee_device:chr_file rw_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index b59cd1d..9bfc4ec 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -2,5 +2,4 @@
binder_call(hal_gnss_client, hal_gnss_server)
binder_call(hal_gnss_server, hal_gnss_client)
-add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e2b04ae..41a3249 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,8 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
-add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
# GPU device access
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 2df4612..e10daf9 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -2,8 +2,7 @@
binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
# Coordinate with hal_graphics_mapper
allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/public/hal_health.te b/public/hal_health.te
index c0a0f80..32afcad 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -2,8 +2,7 @@
binder_call(hal_health_client, hal_health_server)
binder_call(hal_health_server, hal_health_client)
-add_hwservice(hal_health_server, hal_health_hwservice)
-allow hal_health_client hal_health_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_health, hal_health_hwservice)
# Read access to system files for HALs in
# /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index b1bfdd8..29555f7 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -2,5 +2,4 @@
binder_call(hal_ir_client, hal_ir_server)
binder_call(hal_ir_server, hal_ir_client)
-add_hwservice(hal_ir_server, hal_ir_hwservice)
-allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index dc5f6d0..3e164ad 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,8 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_keymaster_client, hal_keymaster_server)
-add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
allow hal_keymaster tee_device:chr_file rw_file_perms;
allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 5b93dd1..333fcac 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -2,8 +2,7 @@
binder_call(hal_light_client, hal_light_server)
binder_call(hal_light_server, hal_light_client)
-add_hwservice(hal_light_server, hal_light_hwservice)
-allow hal_light_client hal_light_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_light, hal_light_hwservice)
allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_lowpan.te b/public/hal_lowpan.te
index af491b1..6fb95e9 100644
--- a/public/hal_lowpan.te
+++ b/public/hal_lowpan.te
@@ -2,10 +2,9 @@
binder_call(hal_lowpan_client, hal_lowpan_server)
binder_call(hal_lowpan_server, hal_lowpan_client)
-add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
# Allow hal_lowpan_client to be able to find the hal_lowpan_server
-allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)
# hal_lowpan domain can write/read to/from lowpan_prop
set_prop(hal_lowpan_server, lowpan_prop)
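Review bot: The comment `# Allow hal_lowpan_client to be able to find the hal_lowpan_server` now sits directly above `hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)`, which expands to both the client `find` and the server `add_hwservice(...)` grant, so the comment describes only half of what the line does. Reword it to cover the macro, e.g. `# hal_lowpan_server registers hal_lowpan_hwservice; hal_lowpan_client may find it`. The other hal_*.te hunks in this change drop the per-rule comment when converting, so this file is the odd one out.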
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index b2cc9cd..ed93a29 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -1,5 +1,4 @@
# HwBinder IPC from client to server
binder_call(hal_memtrack_client, hal_memtrack_server)
-add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
-allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index c697ac2..348fdb8 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -2,7 +2,6 @@
binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
-add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
-allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 3bcdf5e..7cef4a1 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -2,8 +2,7 @@
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
-add_hwservice(hal_nfc_server, hal_nfc_hwservice)
-allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 3fb5a18..26b2b42 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -1,5 +1,4 @@
# HwBinder IPC from client to server
binder_call(hal_oemlock_client, hal_oemlock_server)
-add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
-allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
diff --git a/public/hal_omx.te b/public/hal_omx.te
index cf03690..a477875 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -1,8 +1,6 @@
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
-add_hwservice(hal_omx_server, hal_codec2_hwservice)
-add_hwservice(hal_omx_server, hal_omx_hwservice)
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(hal_omx_server)
@@ -27,11 +25,13 @@
# via PDX. Thus, there is no need to use pdx_client macro.
allow hal_omx_server bufferhubd:fd use;
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_client hal_omx_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
+hal_attribute_hwservice(hal_omx, hal_codec2_hwservice)
+
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
binder_call(hal_omx_client, hal_omx_server)
+binder_call(hal_omx_server, hal_omx_client)
###
### neverallow rules
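Review bot: `binder_call(hal_omx_server, hal_omx_client)` is a new server-to-client call grant that is unrelated to the hal_attribute_hwservice conversion and carries no comment, while the other hal_*.te files in this change keep both call directions together at the top of the file. State why the OMX/Codec2 server needs to initiate binder calls into its clients, e.g. `# hal_omx_server calls back into hal_omx_client (presumably buffer/event callbacks; confirm)`. A widening of who a vendor HAL may call should also be mentioned in the commit message rather than only appearing in the diff.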
diff --git a/public/hal_power.te b/public/hal_power.te
index fcba3d2..028011a 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -2,5 +2,4 @@
binder_call(hal_power_client, hal_power_server)
binder_call(hal_power_server, hal_power_client)
-add_hwservice(hal_power_server, hal_power_hwservice)
-allow hal_power_client hal_power_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_power, hal_power_hwservice)
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index e3046d1..3724d35 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -2,5 +2,4 @@
binder_call(hal_secure_element_client, hal_secure_element_server)
binder_call(hal_secure_element_server, hal_secure_element_client)
-add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
-allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 9d7cbe9..06e76f1 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,8 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_sensors_client, hal_sensors_server)
-add_hwservice(hal_sensors_server, hal_sensors_hwservice)
-allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
# Allow sensor hals to access ashmem memory allocated by apps
allow hal_sensors { appdomain -isolated_app }:fd use;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 21b6e02..a7c687d 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -2,8 +2,7 @@
binder_call(hal_telephony_client, hal_telephony_server)
binder_call(hal_telephony_server, hal_telephony_client)
-add_hwservice(hal_telephony_server, hal_telephony_hwservice)
-allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index 48d67a2..cf51723 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -2,7 +2,7 @@
binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
-allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
# allow the client to pass the server already open netlink sockets
allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
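Review bot: The removed line here was only the client `find` rule, yet `hal_attribute_hwservice` (as defined in public/te_macros in this same change) also expands to `add_hwservice(hal_tetheroffload_server, hal_tetheroffload_hwservice)`, so this hunk newly grants `add` on the hwservice to the whole `hal_tetheroffload_server` attribute, which this file did not do before. If the `add` grant for this hwservice lives in another file that is not touched by this change, it becomes redundant and its `neverallow { domain -<that domain> } hal_tetheroffload_hwservice:hwservice_manager add` may contradict the new allow; if nothing granted it before, this is a permission widening that deserves a sentence in the commit message. Unlike the other hal_*.te hunks, this one is not a one-for-one replacement.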
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index b1764f1..2115da1 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -2,5 +2,4 @@
binder_call(hal_thermal_client, hal_thermal_server)
binder_call(hal_thermal_server, hal_thermal_client)
-add_hwservice(hal_thermal_server, hal_thermal_hwservice)
-allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index 7719cae..6584904 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -2,5 +2,4 @@
binder_call(hal_tv_cec_client, hal_tv_cec_server)
binder_call(hal_tv_cec_server, hal_tv_cec_client)
-add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
-allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 31a0067..5a5bdda 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -2,5 +2,4 @@
binder_call(hal_tv_input_client, hal_tv_input_server)
binder_call(hal_tv_input_server, hal_tv_input_client)
-add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
-allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 9cfd516..b8034b8 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -2,8 +2,7 @@
binder_call(hal_usb_client, hal_usb_server)
binder_call(hal_usb_server, hal_usb_client)
-add_hwservice(hal_usb_server, hal_usb_hwservice)
-allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
allow hal_usb self:netlink_kobject_uevent_socket create;
allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index e412758..a474652 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -2,8 +2,7 @@
binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
-add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
-allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
# Configuring usb gadget functions
allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
index a59f8d2..6855d14 100644
--- a/public/hal_vehicle.te
+++ b/public/hal_vehicle.te
@@ -2,6 +2,5 @@
binder_call(hal_vehicle_client, hal_vehicle_server)
binder_call(hal_vehicle_server, hal_vehicle_client)
-add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
-allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 9ce34ca..ab6138d 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,8 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_vibrator_client, hal_vibrator_server)
-add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
-allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 3cb392d..e52c77f 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -2,5 +2,4 @@
binder_call(hal_vr_client, hal_vr_server)
binder_call(hal_vr_server, hal_vr_client)
-add_hwservice(hal_vr_server, hal_vr_hwservice)
-allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index b80ba29..36d1306 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -1,5 +1,4 @@
# HwBinder IPC from client to server
binder_call(hal_weaver_client, hal_weaver_server)
-add_hwservice(hal_weaver_server, hal_weaver_hwservice)
-allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 8f5b77b..f735be5 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -2,8 +2,7 @@
binder_call(hal_wifi_client, hal_wifi_server)
binder_call(hal_wifi_server, hal_wifi_client)
-add_hwservice(hal_wifi_server, hal_wifi_hwservice)
-allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 73bf037..12d72b6 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -2,8 +2,7 @@
binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
-add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
-allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index f74ed05..765e72a 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -2,8 +2,7 @@
binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
-add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
-allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_wifi_offload, hal_wifi_offload_hwservice)
r_dir_file(hal_wifi_offload, proc_net_type)
r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 3d61766..6004c33 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -2,8 +2,7 @@
binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
-add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
-allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 2519311..e37f1ce 100644
--- a/public/init.te
+++ b/public/init.te
@@ -320,6 +320,7 @@
proc_kmsg
proc_net
proc_qtaguid_stat
+ proc_slabinfo
proc_sysrq
proc_qtaguid_ctrl
proc_vmallocinfo
diff --git a/public/kernel.te b/public/kernel.te
index b7a351c..cf913ba 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -103,3 +103,18 @@
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
+
+# Allow the first-stage init (which is running in the kernel domain) to execute the
+# dynamic linker when it re-executes /init to switch into the second stage.
+# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
+# before the domain is switched to the target domain. So, we need to allow the kernel
+# domain (the source domain) to execute the dynamic linker (system_file type).
+# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
+# kernel older than 4.8.
+allow kernel system_file:file execute;
+# The label for the dynamic linker is rootfs in the recovery partition. This is because
+# the recovery partition which is rootfs does not support xattr and thus labeling can't be
+# done at build-time. All files are by default labeled as rootfs upon booting.
+recovery_only(`
+ allow kernel rootfs:file execute;
+')
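Review bot: `allow kernel system_file:file execute;` grants the kernel domain `execute` on every system_file-labelled file, not only the dynamic linker, because the linker carries no distinct label; the comment explains the reason but not the bound. What keeps this from being a way to run arbitrary system binaries in the kernel domain is that `execute_no_trans` is deliberately not granted, so the exec can only complete as part of a domain transition — say so next to the rule, e.g. `# execute only (no execute_no_trans): the exec must still transition out of the kernel domain.` If kernel.te does not already carry `neverallow kernel { file_type fs_type }:file execute_no_trans;` outside this hunk, adding one would pin that property so a later edit cannot silently widen it. The same reasoning applies to the `recovery_only` rootfs grant.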
diff --git a/public/logd.te b/public/logd.te
index 23318b0..2ef257f 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -6,10 +6,6 @@
r_dir_file(logd, cgroup)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net_type)
-userdebug_or_eng(`
- auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
diff --git a/public/property.te b/public/property.te
index f8dfb04..b92f18a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -5,6 +5,7 @@
type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
+type ctl_adbd_prop, property_type;
type ctl_bootanim_prop, property_type;
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
@@ -59,6 +60,7 @@
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
type test_boot_reason_prop, property_type;
+type time_prop, property_type;
type traced_enabled_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
@@ -66,6 +68,7 @@
type vendor_security_patch_level_prop, property_type;
# Properties for whitelisting
+type exported_audio_prop, property_type;
type exported_bluetooth_prop, property_type;
type exported_config_prop, property_type;
type exported_dalvik_prop, property_type;
@@ -160,6 +163,7 @@
-vendor_init
} {
core_property_type
+ extended_core_property_type
exported_config_prop
exported_dalvik_prop
exported_default_prop
@@ -256,6 +260,7 @@
-vendor_init
} {
core_property_type
+ extended_core_property_type
exported_dalvik_prop
exported_ffs_prop
exported_system_radio_prop
@@ -307,3 +312,106 @@
wifi_prop
}:file no_rw_file_perms;
')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_adbd_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
+ -ctl_mdnsd_prop
+ -ctl_restart_prop
+ -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -extended_core_property_type
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -time_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')
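Review bot: The exclusion list of this neverallow is a hand-maintained enumeration of system-owned property types, and it omits `exported_audio_prop`, which this same change introduces and lets vendor_init set, while every other `exported_*` type is listed; if any coredomain process needs to set `audio.camerasound.force` the build will fail, so confirm the omission is intentional. Two entries look out of place for a rule whose stated purpose is to stop coredomain setting vendor properties: `-vendor_default_prop` and `-vendor_security_patch_level_prop` exempt vendor-owned types, so either document why they are exempt or drop them if no coredomain setter depends on them. A short comment above the list would save the next maintainer the analysis, e.g. `# Every system-owned property type must be listed here; a type that is missing makes any coredomain set_prop on it fail the build (fail-closed).`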
diff --git a/public/property_contexts b/public/property_contexts
index e74d936..52e5300 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -3,6 +3,7 @@
# vendor-init-settable
af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
+audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
@@ -109,7 +110,7 @@
ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
-ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
+ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
ro.url.legal u:object_r:exported3_default_prop:s0 exact string
ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
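Review bot: Relaxing `ro.telephony.default_network` from `int` to `string` removes the only value check property_service applies to that property, and nothing in the hunk says why. If the value is now a list (for example one entry per SIM slot), say so on the line above it, e.g. `# comma-separated list, one network type per slot (confirm) - hence string, not int`; if it is still a single integer, keep `int`.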
@@ -221,6 +222,7 @@
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
ro.carrier u:object_r:exported_default_prop:s0 exact string
ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
diff --git a/public/radio.te b/public/radio.te
index 8fb5ad6..05bfd8c 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,6 +35,8 @@
allow radio nfc_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
+allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
hwbinder_use(radio)
diff --git a/public/recovery.te b/public/recovery.te
index 57ad202..dcec970 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -30,6 +30,7 @@
# Mount filesystems.
allow recovery rootfs:dir mounton;
+ allow recovery tmpfs:dir mounton;
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
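Review bot: `allow recovery tmpfs:dir mounton;` has no comment, whereas the neighbouring rootfs rule is covered by `# Mount filesystems.`; say which mount needs a tmpfs directory as its mount point so a future reader can tell whether the rule is still required. Something like `# <what recovery mounts> is mounted over a tmpfs directory` next to the rule is enough.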
@@ -108,7 +109,7 @@
set_prop(recovery, powerctl_prop)
# Start/stop adbd via ctl.start adbd
- set_prop(recovery, ctl_default_prop)
+ set_prop(recovery, ctl_adbd_prop)
# Read serial number of the device from system properties
get_prop(recovery, serialno_prop)
diff --git a/public/service.te b/public/service.te
index 394e334..11fb831 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -55,7 +56,6 @@
type contexthub_service, app_api_service, system_server_service, service_manager_type;
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type commontime_management_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -140,7 +140,9 @@
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 4293f52..6755f69 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -128,6 +128,7 @@
proc_modules
proc_pid_max
proc_qtaguid_stat
+ proc_slabinfo
proc_stat
proc_timer
proc_uptime
@@ -199,6 +200,12 @@
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;
+# Everything is labeled as rootfs in recovery mode. Allow shell to
+# execute them.
+recovery_only(`
+ allow shell rootfs:file rx_file_perms;
+')
+
###
### Neverallow rules
###
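Review bot: `rx_file_perms` includes `execute_no_trans`, so in recovery the shell domain may run any rootfs-labelled file in its own domain, whereas the parallel `recovery_only` grants for ueventd and vendor_init in this change use `{ r_file_perms execute }` and therefore still require a domain transition. That asymmetry is plausibly intended for an interactive shell, but the comment should say so, e.g. `# rx_file_perms (incl. execute_no_trans): ad-hoc commands run in the shell domain itself`.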
diff --git a/public/te_macros b/public/te_macros
index e5c476a..cdfdc89 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,10 +213,15 @@
attribute hal_$1_server;
expandattribute hal_$1_server false;
-neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
+')
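Review bot: The comment justifying the `build_test_only` wrap names only `hal_*_client`/`halclientdomain`, but the first rule inside it, `neverallow { hal_$1_server -hal_$1 } domain:process fork;`, is about `hal_$1_server` (kept unexpanded by `expandattribute hal_$1_server false;` two lines up) and `hal_$1`. If the reason this rule cannot be CTS-verified is that `hal_$1` is expanded, extend the comment, e.g. `# hal_$1 is likewise expanded, so the hal_$1_server/hal_$1 rule is build-time only as well.`; otherwise it could stay outside the wrapper. The enclosing define starts before this hunk.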
#####################################
# hal_server_domain(domain, hal_type)
@@ -498,6 +503,12 @@
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
@@ -603,3 +614,19 @@
allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
')
+
+###########################################
+# hal_attribute_hwservice(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice', `
+ allow $1_client $2:hwservice_manager find;
+ add_hwservice($1_server, $2)
+
+ build_test_only(`
+ neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+ ')
+')
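Review bot: The header comment says the macro gives a domain the ability to `get` a service, but the body grants `add` (via `add_hwservice($1_server, $2)`) and `find`; reword to `# Allows hal_$1_server to add $2 to hwservice_manager and hal_$1_client to find it.` It is also worth stating that the find-restricting neverallow is `build_test_only`, i.e. enforced by the policy build but not re-checked by CTS on devices, and that the macro may be invoked more than once for the same attribute (as hal_omx.te does) because each call emits its own add/neverallow pair.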
diff --git a/public/ueventd.te b/public/ueventd.te
index 9b9eacb..ea73166 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -39,6 +39,16 @@
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;
+# Everything is labeled as rootfs in recovery mode. ueventd has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow ueventd rootfs:file { r_file_perms execute };
+')
+
+# Suppress denials for ueventd to getattr /postinstall. This occurs when the
+# linker tries to resolve paths in ld.config.txt.
+dontaudit ueventd postinstall_mnt_dir:dir getattr;
+
#####
##### neverallow rules
#####
diff --git a/public/usbd.te b/public/usbd.te
index 98786e0..6dd1334 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,3 +1,5 @@
type usbd, domain;
type usbd_exec, exec_type, file_type;
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ad69437..8112474 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -4,9 +4,6 @@
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
-# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
-
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open write };
@@ -155,6 +152,12 @@
# Raw writes to misc block device
allow vendor_init misc_block_device:blk_file w_file_perms;
+# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow vendor_init rootfs:file { r_file_perms execute };
+')
+
not_compatible_property(`
set_prop(vendor_init, {
property_type
@@ -170,6 +173,7 @@
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
@@ -195,3 +199,29 @@
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
+
+###
+### neverallow rules
+###
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
+# The vendor_init domain is only entered via an exec based transition from the
+# init domain, never via setcon().
+neverallow domain vendor_init:process dyntransition;
+neverallow { domain -init } vendor_init:process transition;
+neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow vendor_init app_data_file:lnk_file read;
+neverallow vendor_init shell_data_file:lnk_file read;
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow vendor_init shell_data_file:dir { write add_name remove_name };
+
+# init should never execute a program without changing to another domain.
+neverallow vendor_init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow vendor_init service_manager_type:service_manager { add find };
+neverallow vendor_init servicemanager:service_manager list;
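Review bot: Three comments in the new neverallow block still refer to `Init` (`# Init should not be creating subdirectories ...`, `# init should never execute a program ...`, `# Init never adds or uses services ...`) although every rule targets `vendor_init`; they read as copied from init.te and should say `vendor_init` so a search for init's own rules does not mislead. The rules themselves look consistent: `entrypoint` is restricted to `init_exec` and `transition` into the domain to `init` only, which matches the comment about exec-only entry. The earlier hunk in this file that deletes the socket-comms neverallow is just the move of the same line into this block.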
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ded356d..20b3b9f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -6,6 +6,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 0000000..22d9cf0
--- /dev/null
+++ b/vendor/hal_bluetooth_btlinux.te
@@ -0,0 +1,8 @@
+type hal_bluetooth_btlinux, domain;
+type hal_bluetooth_btlinux_exec, exec_type, file_type, vendor_file_type;
+
+hal_server_domain(hal_bluetooth_btlinux, hal_bluetooth)
+init_daemon_domain(hal_bluetooth_btlinux)
+
+allow hal_bluetooth_btlinux self:socket { create bind read write };
+allow hal_bluetooth_btlinux self:bluetooth_socket { create bind read write };
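Review bot: `self:socket` is the generic fallback class SELinux uses for address families without a dedicated class, and `self:bluetooth_socket` is a raw Bluetooth-family socket, so these two lines give the HAL direct kernel-level BT socket access; a comment naming which socket family each line is for would let a reviewer confirm the class is the narrowest one, e.g. `# raw AF_BLUETOOTH (HCI) socket for the Linux BT stack - confirm family`. Neither line lists `ioctl` or `setopt`; if the daemon needs them the denials will surface at runtime, but saying in the commit message that the domain was exercised on a device would confirm the grant is complete.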