Merge "sepolicy(wifi): Allow wifi service access to wifi apex directories"
diff --git a/private/adbd.te b/private/adbd.te
index dee3c9b..89fa1f9 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -87,6 +87,9 @@
set_prop(adbd, ffs_prop)
set_prop(adbd, exported_ffs_prop)
+# Set service.adb.tls.port, persist.adb.wifi. properties
+set_prop(adbd, adbd_prop)
+
# Access device logging gating property
get_prop(adbd, device_logging_prop)
@@ -96,6 +99,9 @@
# Read whether or not Test Harness Mode is enabled
get_prop(adbd, test_harness_prop)
+# Read persist.adb.tls_server.enable property
+get_prop(adbd, system_adbd_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f08f516..66e9f69 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -186,7 +186,6 @@
neverallow all_untrusted_apps {
proc
proc_asound
- proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
@@ -200,6 +199,10 @@
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 8271add..249f3df 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,26 +3,36 @@
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader coredomain;
-# These permission is required for pin bpf program for netd.
-allow bpfloader fs_bpf:dir create_dir_perms;
-allow bpfloader fs_bpf:file create_file_perms;
-allow bpfloader devpts:chr_file { read write };
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:file { create setattr };
-# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
-# for retrieving a pinned map when bpfloader do a run time restart.
-allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin };
###
### Neverallow rules
###
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
+neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow domain fs_bpf:dir { reparent rename rmdir };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
+neverallow { domain -bpfloader } fs_bpf:file create;
+neverallow domain fs_bpf:file { rename unlink };
+
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
-# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 73fb877..b395855 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -147,6 +147,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
+ socket_hook_prop
staging_data_file
stats
stats_data_file
@@ -200,6 +201,7 @@
vendor_apex_file
vendor_init
vendor_shell
+ vendor_socket_hook_prop
vndk_prop
vold_metadata_file
vold_prepare_subdirs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 8dd367a..cb500c9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -134,6 +134,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
+ socket_hook_prop
stats
stats_data_file
stats_exec
@@ -178,6 +179,7 @@
vendor_init
vendor_security_patch_level_prop
vendor_shell
+ vendor_socket_hook_prop
vndk_prop
vold_metadata_file
vold_prepare_subdirs
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 16637f3..d24d12d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -124,6 +124,7 @@
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
+ socket_hook_prop
su_tmpfs
super_block_device
sysfs_fs_f2fs
@@ -151,6 +152,7 @@
vendor_keylayout_file
vendor_misc_writer
vendor_misc_writer_exec
+ vendor_socket_hook_prop
vendor_task_profiles_file
vndk_prop
vrflinger_vsync_service
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ea3c6b0..108e741 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -8,6 +8,7 @@
aidl_lazy_test_server
aidl_lazy_test_server_exec
aidl_lazy_test_service
+ adbd_prop
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
@@ -28,6 +29,10 @@
bq_config_prop
charger_prop
cold_boot_done_prop
+ credstore
+ credstore_data_file
+ credstore_exec
+ credstore_service
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
@@ -40,7 +45,7 @@
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
- hal_identity_hwservice
+ hal_identity_service
hal_light_service
hal_power_service
hal_rebootescrow_service
@@ -50,6 +55,10 @@
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
+ iorap_inode2filename
+ iorap_inode2filename_data_file
+ iorap_inode2filename_exec
+ iorap_inode2filename_tmpfs
iorap_prefetcherd
iorap_prefetcherd_data_file
iorap_prefetcherd_exec
@@ -73,8 +82,10 @@
service_manager_service
simpleperf
snapshotctl_log_data_file
+ socket_hook_prop
soundtrigger_middleware_service
sysfs_dm_verity
+ system_adbd_prop
system_config_service
system_group_file
system_jvmti_agent_prop
@@ -95,4 +106,5 @@
vendor_incremental_module
vendor_install_recovery
vendor_install_recovery_exec
+ vendor_socket_hook_prop
virtual_ab_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index 0c84797..32a1e3f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -58,6 +58,7 @@
-idmap
-init
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@@ -77,6 +78,7 @@
-idmap
-init
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
diff --git a/private/credstore.te b/private/credstore.te
new file mode 100644
index 0000000..8d87e2f
--- /dev/null
+++ b/private/credstore.te
@@ -0,0 +1,6 @@
+typeattribute credstore coredomain;
+
+init_daemon_domain(credstore)
+
+# talk to Identity Credential
+hal_client_domain(credstore, hal_identity)
diff --git a/private/domain.te b/private/domain.te
index f1f1896..f54f2c9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -162,6 +162,7 @@
-app_zygote
-dexoptanalyzer
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
@@ -204,8 +205,8 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
@@ -315,6 +316,7 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
+ iorap_inode2filename
iorap_prefetcherd
traced_perf
traced_probes
diff --git a/private/file_contexts b/private/file_contexts
index e95a1af..557321e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -252,6 +252,7 @@
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
+/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@@ -298,6 +299,7 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
+/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
@@ -536,6 +538,7 @@
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 238fd53..b2cad3f 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -25,7 +25,6 @@
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
-android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index 45499fc..8924d83 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -131,14 +131,21 @@
# For running am, incident-helper-cmd and similar framework commands.
# Run /system/bin/app_process.
allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Access /data/misc/logd
-allow incidentd misc_logd_file:dir r_dir_perms;
-allow incidentd misc_logd_file:file r_file_perms;
+r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
new file mode 100644
index 0000000..96b7bc2
--- /dev/null
+++ b/private/iorap_inode2filename.te
@@ -0,0 +1,9 @@
+typeattribute iorap_inode2filename coredomain;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
+allow iorap_inode2filename dalvikcache_data_file:file { getattr };
+allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
+allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
+allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
+allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorapd.te b/private/iorapd.te
index 7f9bcee..73acec9 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -4,6 +4,7 @@
tmpfs_domain(iorapd)
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
# Allow iorapd to access the runtime native boot feature flag properties.
get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a07fc2d..0b1047a 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -38,3 +38,5 @@
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
+
+allow mediaprovider_app proc_filesystems:file r_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 54f2df9..6315c88 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -47,7 +47,9 @@
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
-persist.adb.wifi. u:object_r:shell_prop:s0
+service.adb.tls.port u:object_r:adbd_prop:s0
+persist.adb.wifi. u:object_r:adbd_prop:s0
+persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
@@ -92,8 +94,9 @@
sys.trace. u:object_r:system_trace_prop:s0
# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner u:object_r:device_logging_prop:s0
+# if device is fully owned by organization instead of being
+# a personal device.
+ro.organization_owned u:object_r:device_logging_prop:s0
# selinux non-persistent properties
selinux.restorecon_recursive u:object_r:restorecon_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 19d3b0d..21067ec 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
@@ -12,6 +13,7 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 9789a52..e59e7ad 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,6 +84,9 @@
# Allow system apps to interact with gpuservice
binder_call(system_app, gpuservice)
+# Allow system app to interact with Dumpstate HAL
+hal_client_domain(system_app, hal_dumpstate)
+
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app {
diff --git a/private/system_server.te b/private/system_server.te
index ad22085..13baa74 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -615,6 +615,7 @@
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
+set_prop(system_server, socket_hook_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -853,8 +854,11 @@
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-# Read persist.adb.wifi. properties
-get_prop(system_server, shell_prop)
+# Read service.adb.tls.port, persist.adb.wifi. properties
+get_prop(system_server, adbd_prop)
+
+# Set persist.adb.tls_server.enable property
+set_prop(system_server, system_adbd_prop)
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
@@ -1151,3 +1155,6 @@
# system_server cannot use this access to read perf event data like process stacks.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };
+
+# Do not allow any domain other than init or system server to set the property
+neverallow { domain -init -system_server } socket_hook_prop:property_service set;
diff --git a/private/zygote.te b/private/zygote.te
index 3963459..f9e5476 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -66,6 +66,12 @@
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
+# Goes into media directory and bind mount obb directory
+allow zygote media_rw_data_file:dir { getattr search };
+
+# Read if sdcardfs is supported
+allow zygote proc_filesystems:file r_file_perms;
+
# Create symlink for /data/user/0
allow zygote tmpfs:lnk_file create;
diff --git a/public/app.te b/public/app.te
index a156183..4ceb4a6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -293,6 +293,8 @@
use_keystore({ appdomain -isolated_app -ephemeral_app })
+use_credstore({ appdomain -isolated_app -ephemeral_app })
+
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
@@ -482,6 +484,7 @@
neverallow { appdomain -bluetooth }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
neverallow appdomain
keystore_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/public/credstore.te b/public/credstore.te
new file mode 100644
index 0000000..db16a8d
--- /dev/null
+++ b/public/credstore.te
@@ -0,0 +1,16 @@
+type credstore, domain;
+type credstore_exec, system_file_type, exec_type, file_type;
+
+# credstore daemon
+binder_use(credstore)
+binder_service(credstore)
+binder_call(credstore, system_server)
+
+allow credstore credstore_data_file:dir create_dir_perms;
+allow credstore credstore_data_file:file create_file_perms;
+
+add_service(credstore, credstore_service)
+allow credstore sec_key_att_app_id_provider_service:service_manager find;
+allow credstore dropbox_service:service_manager find;
+
+r_dir_file(credstore, cgroup)
diff --git a/public/domain.te b/public/domain.te
index f2af7b1..ede2c96 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -105,6 +105,8 @@
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
# Binder cache properties are world-readable
@@ -654,6 +656,7 @@
-cameraserver_service
-drmserver_service
-hal_light_service # TODO(b/148154485) remove once all violators are gone
+ -credstore_service
-keystore_service
-mediadrmserver_service
-mediaextractor_service
@@ -942,6 +945,7 @@
-system_linker_exec
-crash_dump_exec
-iorap_prefetcherd_exec
+ -iorap_inode2filename_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@@ -984,6 +988,7 @@
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-init # starts vendor executables
+ -iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
userdebug_or_eng(`-heapprofd')
@@ -1024,6 +1029,7 @@
system_file_type
-crash_dump_exec
-file_contexts_file
+ -iorap_inode2filename_exec
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
@@ -1154,6 +1160,7 @@
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
+ -iorap_inode2filename
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
@@ -1316,6 +1323,7 @@
-crash_dump
-heapprofd
-init
+ -iorap_inode2filename
-iorap_prefetcherd
-kernel
-traced_perf
diff --git a/public/file.te b/public/file.te
index 1420637..1cc34f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -360,6 +360,7 @@
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
+type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_identity.te b/public/hal_identity.te
index a8df186..3a95743 100644
--- a/public/hal_identity.te
+++ b/public/hal_identity.te
@@ -1,4 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_identity_client, hal_identity_server)
-hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
+add_service(hal_identity_server, hal_identity_service)
+binder_call(hal_identity_server, servicemanager)
+
+allow hal_identity_client hal_identity_service:service_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 3619a63..3481385 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -28,7 +28,6 @@
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/init.te b/public/init.te
index bdcf057..403b4c5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -189,6 +189,7 @@
-app_data_file
-exec_type
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -206,6 +207,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -224,6 +226,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -242,6 +245,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -441,6 +445,11 @@
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
+# Init creates credstore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init credstore_data_file:dir { open create read getattr setattr search };
+allow init credstore_data_file:file { getattr };
+
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
diff --git a/public/installd.te b/public/installd.te
index a6307ef..c8cc89d 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -172,6 +172,9 @@
allow installd preloads_media_file:file { r_file_perms unlink };
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+# Allow installd to read /proc/filesystems
+allow installd proc_filesystems:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
new file mode 100644
index 0000000..4041ddd
--- /dev/null
+++ b/public/iorap_inode2filename.te
@@ -0,0 +1,77 @@
+# iorap.inode2filename -> look up file paths from an inode
+type iorap_inode2filename, domain;
+type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
+type iorap_inode2filename_tmpfs, file_type;
+
+r_dir_file(iorap_inode2filename, rootfs)
+
+# Allow usage of pipes (child stdout -> parent pipe).
+allow iorap_inode2filename iorapd:fd use;
+allow iorap_inode2filename iorapd:fifo_file { read write getattr };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_inode2filename self:capability dac_read_search;
+
+typeattribute iorap_inode2filename mlstrustedsubject;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename apex_data_file:dir { getattr open read search };
+allow iorap_inode2filename apex_data_file:file { getattr };
+allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
+allow iorap_inode2filename apex_mnt_dir:file { getattr };
+allow iorap_inode2filename apk_data_file:dir { getattr open read search };
+allow iorap_inode2filename apk_data_file:file { getattr };
+allow iorap_inode2filename app_data_file:dir { getattr open read search };
+allow iorap_inode2filename app_data_file:file { getattr };
+allow iorap_inode2filename backup_data_file:dir { getattr open read search };
+allow iorap_inode2filename backup_data_file:file { getattr };
+allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
+allow iorap_inode2filename bluetooth_data_file:file { getattr };
+allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
+allow iorap_inode2filename bootchart_data_file:file { getattr };
+allow iorap_inode2filename metadata_file:dir { getattr open read search search };
+allow iorap_inode2filename metadata_file:file { getattr };
+allow iorap_inode2filename packages_list_file:dir { getattr open read search };
+allow iorap_inode2filename packages_list_file:file { getattr };
+allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
+allow iorap_inode2filename privapp_data_file:file { getattr };
+allow iorap_inode2filename property_data_file:dir { getattr open read search };
+allow iorap_inode2filename property_data_file:file { getattr };
+allow iorap_inode2filename radio_data_file:dir { getattr open read search };
+allow iorap_inode2filename radio_data_file:file { getattr };
+allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
+allow iorap_inode2filename resourcecache_data_file:file { getattr };
+allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:file { getattr };
+allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
+allow iorap_inode2filename same_process_hal_file:file { getattr };
+allow iorap_inode2filename sepolicy_file:file { getattr };
+allow iorap_inode2filename staging_data_file:dir { getattr open read search };
+allow iorap_inode2filename staging_data_file:file { getattr };
+allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
+allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
+allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
+allow iorap_inode2filename system_app_data_file:file { getattr };
+allow iorap_inode2filename system_data_file:dir { getattr open read search };
+allow iorap_inode2filename system_data_file:file { getattr };
+allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
+allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:file { getattr };
+allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
+allow iorap_inode2filename user_profile_data_file:file { getattr };
+allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
+allow iorap_inode2filename unlabeled:file { getattr };
+allow iorap_inode2filename vendor_file:dir { getattr open read search };
+allow iorap_inode2filename vendor_file:file { getattr };
+allow iorap_inode2filename vendor_overlay_file:file { getattr };
+allow iorap_inode2filename zygote_exec:file { getattr };
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
+neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/netd.te b/public/netd.te
index 92c2ed1..8005406 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -63,7 +63,7 @@
r_dir_file(netd, cgroup_bpf)
allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write setattr };
+allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/property.te b/public/property.te
index bb44a64..4696668 100644
--- a/public/property.te
+++ b/public/property.te
@@ -20,6 +20,8 @@
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(userspace_reboot_log_prop)
+system_internal_prop(system_adbd_prop)
+system_internal_prop(adbd_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -68,6 +70,7 @@
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
+system_restricted_prop(socket_hook_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
@@ -113,6 +116,7 @@
system_vendor_config_prop(userspace_reboot_config_prop)
system_vendor_config_prop(vehicle_hal_prop)
system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vendor_socket_hook_prop)
system_vendor_config_prop(vndk_prop)
system_vendor_config_prop(virtual_ab_prop)
@@ -564,3 +568,19 @@
} {
userspace_reboot_log_prop
}:property_service set;
+
+neverallow {
+ # Only allow init and system_server to set system_adbd_prop
+ -init
+ -system_server
+} {
+ system_adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and adbd to set adbd_prop
+ -init
+ -adbd
+} {
+ adbd_prop
+}:property_service set;
diff --git a/public/property_contexts b/public/property_contexts
index 3bf3ccd..3718e0f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -220,6 +220,7 @@
libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
@@ -277,6 +278,7 @@
ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
ro.revision u:object_r:exported2_default_prop:s0 exact string
ro.secure u:object_r:exported_secure_prop:s0 exact int
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
diff --git a/public/service.te b/public/service.te
index 79cce0e..0b08028 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -206,6 +207,7 @@
### HAL Services
###
+type hal_identity_service, vendor_service, service_manager_type;
type hal_light_service, vendor_service, service_manager_type;
type hal_power_service, vendor_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 89061a0..a9dea92 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -599,6 +599,18 @@
binder_call(keystore, $1)
')
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 446e920..94b8095 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -36,7 +36,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0