Merge "Use property_info_checker instead of checkfc and fc_sort for properties"
diff --git a/private/access_vectors b/private/access_vectors
index 14e1712..898c884 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@
class unix_dgram_socket
inherits socket
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
#
# Define the access vector interpretation for process-related objects
#
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index e359935..ab4a49a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,9 +6,11 @@
( adbd_exec
bootloader_boot_reason_prop
broadcastradio_service
+ cgroup_bpf
crossprofileapps_service
e2fs
e2fs_exec
+ fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
hal_lowpan_hwservice
@@ -25,6 +27,7 @@
lowpan_service
mediaprovider_tmpfs
netd_stable_secret_prop
+ network_watchlist_data_file
network_watchlist_service
package_native_service
perfprofd_service
diff --git a/private/file_contexts b/private/file_contexts
index 7d1457a..0765ef0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -375,6 +375,7 @@
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
+/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
@@ -384,6 +385,7 @@
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
+/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e0cafa4..c07cd4c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -84,6 +84,7 @@
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
@@ -173,3 +174,4 @@
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
diff --git a/private/security_classes b/private/security_classes
index 2cfc768..251b721 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@
class key_socket
class unix_stream_socket
class unix_dgram_socket
+class bpf
# sysv-ipc-related classes
class sem
diff --git a/private/service_contexts b/private/service_contexts
index b8d05e2..2279c51 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -178,5 +178,6 @@
wifi u:object_r:wifi_service:s0
wificond u:object_r:wificond_service:s0
wifiaware u:object_r:wifiaware_service:s0
+wifirtt u:object_r:rttmanager_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 6fb6142..df24104 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -381,6 +381,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/network_watchlist
+allow system_server network_watchlist_data_file:dir create_dir_perms;
+allow system_server network_watchlist_data_file:file create_file_perms;
+
# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
@@ -721,6 +725,11 @@
allow system_server zygote_exec:file rx_file_perms;
')
+# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# the map after snapshot is recorded
+allow system_server fs_bpf:file write;
+allow system_server netd:bpf { map_read map_write };
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index f85d40c..78fa5f0 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -54,6 +54,9 @@
# Check SELinux permissions.
selinux_check_access(webview_zygote)
+# Directory listing in /system.
+allow webview_zygote system_file:dir r_dir_perms;
+
#####
##### Neverallow
#####
diff --git a/public/file.te b/public/file.te
index 81bb1f1..cdaaf22 100644
--- a/public/file.te
+++ b/public/file.te
@@ -60,6 +60,7 @@
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
@@ -81,6 +82,7 @@
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type, sysfs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
@@ -234,6 +236,7 @@
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
+type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
@@ -363,6 +366,7 @@
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
allow file_type labeledfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index 450afd8..ad3ef49 100644
--- a/public/init.te
+++ b/public/init.te
@@ -69,6 +69,10 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
@@ -301,13 +305,16 @@
sysfs_android_usb
sysfs_leds
sysfs_power
- sysfs_zram
}:file w_file_perms;
allow init {
sysfs_dt_firmware_android
}:file r_file_perms;
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
# init chmod/chown access to /sys files.
allow init {
sysfs_android_usb
diff --git a/public/netd.te b/public/netd.te
index fa03dbd..225ada9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,6 +7,7 @@
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
+r_dir_file(netd, cgroup_bpf)
allow netd system_server:fd use;
allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -57,6 +58,9 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
@@ -103,6 +107,9 @@
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ace58ab..9aaa538 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -40,6 +40,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -62,6 +63,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -85,6 +87,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -107,6 +110,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -129,6 +133,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 38b3f1a..e2476c4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,6 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index b79c3b5..0dac075 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,5 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+allow hal_drm_default hal_allocator_server:fd use;