commit 0970a31811751eea6202ca49356ea438e367d9b5
author Treehugger Robot <treehugger-gerrit@google.com> Fri Feb 24 03:11:00 2023 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Feb 24 03:11:00 2023 +0000
tree 30a939d53c07be67da4d68e4a75e1abb067d7d01
parent 923a51af57d8ec0847ea156d67761c210b3f0075
parent 1c9a82974a00383b43b8a49179d15367b00dc37d

Merge "Track tombstone_transmit denial"

build/soong/service_fuzzer_bindings.go

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 2c1c416..efb5947 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -233,7 +233,7 @@
 		"devicestoragemonitor":                                            EXCEPTION_NO_FUZZER,
 		"diskstats":                                                       EXCEPTION_NO_FUZZER,
 		"display":                                                         EXCEPTION_NO_FUZZER,
-		"dnsresolver":                                                     EXCEPTION_NO_FUZZER,
+		"dnsresolver":                                                     []string{"resolv_service_fuzzer"},
 		"domain_verification":                                             EXCEPTION_NO_FUZZER,
 		"color_display":                                                   EXCEPTION_NO_FUZZER,
 		"netd_listener":                                                   EXCEPTION_NO_FUZZER,

private/compat/33.0/33.0.ignore.cil

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ccee3cf..3b61f73 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -53,6 +53,7 @@
     remote_provisioning_service
     rkpdapp
     servicemanager_prop
+    shutdown_checkpoints_system_data_file
     stats_config_data_file
     system_net_netd_service
     timezone_metadata_prop

private/crash_dump.te

diff --git a/private/crash_dump.te b/private/crash_dump.te
index bc6020e..5d5965e 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,7 +8,6 @@
   -apexd
   -bpfloader
   -crash_dump
-  -crosvm # TODO(b/236672526): Remove exception for crosvm
   -diced
   -init
   -kernel

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index b858d4e..9a0efb1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,9 +2,7 @@
 # This occurs when the process crashes.
 # We do not apply this to the su domain to avoid interfering with
 # tests (b/114136122)
-# We exempt crosvm because parts of its memory are inaccessible to the
-# kernel. TODO(b/238324526): Remove this.
-domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
+domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Allow every process to check the heapprofd.enable properties to determine
@@ -38,7 +36,7 @@
 can_profile_heap({
   dumpable_domain
   -app_zygote
-  -hal_configstore
+  -hal_configstore_server
   -logpersist
   -recovery
   -recovery_persist
@@ -51,7 +49,7 @@
 can_profile_perf({
   dumpable_domain
   -app_zygote
-  -hal_configstore
+  -hal_configstore_server
   -webview_zygote
   -zygote
 })

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 01995bb..2b98801 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -783,6 +783,9 @@
 # User icon files
 /data/system/users/[0-9]+/photo\.png             u:object_r:icon_file:s0
 
+# Shutdown-checkpoints files
+/data/system/shutdown-checkpoints(/.*)?          u:object_r:shutdown_checkpoints_system_data_file:s0
+
 # vold per-user data
 /data/misc_de/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 08aa5a8..f5a92ac 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -187,6 +187,9 @@
 genfscon debugfs /tracing/per_cpu/cpu                 u:object_r:debugfs_tracing:s0
 genfscon tracefs /per_cpu/cpu                         u:object_r:debugfs_tracing:s0
 
+genfscon debugfs /tracing/hyp                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /hyp                                 u:object_r:debugfs_tracing:s0
+
 genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
 genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
 genfscon debugfs /tracing/instances/bootreceiver      u:object_r:debugfs_bootreceiver_tracing:s0

private/heapprofd.te

diff --git a/private/heapprofd.te b/private/heapprofd.te
index 1b41823..718ce81 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -53,7 +53,7 @@
   app_zygote
   bpfloader
   diced
-  hal_configstore
+  hal_configstore_server
   init
   kernel
   keystore

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 3208377..2db9da6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1472,6 +1472,7 @@
 
 # dck properties
 ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+ro.gms.dck.se_capability u:object_r:dck_prop:s0 exact int
 
 # virtualization service properties
 virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 4e3ef8d..b3c7528 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1490,6 +1490,10 @@
 allow system_server self:perf_event { open write cpu kernel };
 neverallow system_server self:perf_event ~{ open write cpu kernel };
 
+# Allow writing files under /data/system/shutdown-checkpoints/
+allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
+allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;
+
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
 

private/traced_perf.te

diff --git a/private/traced_perf.te b/private/traced_perf.te
index 080b6fe..31fa620 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -67,7 +67,7 @@
   app_zygote
   bpfloader
   diced
-  hal_configstore
+  hal_configstore_server
   init
   kernel
   keystore

public/dumpstate.te

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 6b112dc..e626133 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -368,6 +368,10 @@
 
 use_apex_info(dumpstate)
 
+# Allow reading files under /data/system/shutdown-checkpoints/
+allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
+allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###

public/file.te

diff --git a/public/file.te b/public/file.te
index 5241803..9ca6802 100644
--- a/public/file.te
+++ b/public/file.te
@@ -380,6 +380,8 @@
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 # /vendor/apex
 type vendor_apex_file, vendor_file_type, file_type;
+# /data/system/shutdown-checkpoints
+type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;

public/hal_audio.te

diff --git a/public/hal_audio.te b/public/hal_audio.te
index aabc884..237ffcd 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -22,6 +22,8 @@
 
 # Needed to allow sound trigger hal to access shared memory from apps.
 allow hal_audio_server appdomain:fd use;
+# Allow sound trigger hal to access shared memory from system server.
+allow hal_audio_server system_server_tmpfs:file { getattr map read };
 
 # allow self to set scheduler (and allows Binder RT PI)
 allow hal_audio_server self:global_capability_class_set sys_nice;