Merge "Add app_api_service to pac_proxy_service"
diff --git a/Android.bp b/Android.bp
index 1ec7570..a43a689 100644
--- a/Android.bp
+++ b/Android.bp
@@ -294,6 +294,20 @@
// top_half: "31.0.ignore.cil",
}
+se_cil_compat_map {
+ name: "system_ext_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ // top_half: "system_ext_31.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ // top_half: "product_31.0.ignore.cil",
+ product_specific: true,
+}
+
se_compat_cil {
name: "26.0.compat.cil",
srcs: [":26.0.board.compat.cil"],
@@ -913,63 +927,3 @@
cts: true,
exclude_build_test: true,
}
-
-//////////////////////////////////
-// modules for microdroid
-//////////////////////////////////
-
-// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
-// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
-// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
-// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
-// host's files.
-se_versioned_policy {
- name: "microdroid_plat_pub_versioned.cil",
- stem: "plat_pub_versioned.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":plat_pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":plat_mapping_file",
- ],
- installable: false,
-}
-
-// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
-// contains system/sepolicy/public and system/sepolicy/vendor.
-se_policy_conf {
- name: "microdroid_vendor_sepolicy.conf",
- srcs: [":se_build_files{.plat_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "microdroid_vendor_sepolicy.cil.raw",
- src: ":microdroid_vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false, // will be done in se_versioned_policy module
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_vendor_sepolicy.cil",
- stem: "vendor_sepolicy.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":microdroid_vendor_sepolicy.cil.raw",
- version: "current", // microdroid is bundled to system
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":microdroid_plat_pub_versioned.cil",
- ":plat_mapping_file",
- ],
- filter_out: [":microdroid_plat_pub_versioned.cil"],
- installable: false,
-}
-
-sepolicy_vers {
- name: "microdroid_plat_sepolicy_vers.txt",
- version: "platform",
- stem: "plat_sepolicy_vers.txt",
- installable: false,
-}
diff --git a/Android.mk b/Android.mk
index 882f397..d9c5b3c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1380,6 +1380,130 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+
+#####################################################
+intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
+$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
+$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
+$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
+$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+
+################################################################################
+intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+base_product_policy.conf := $(intermediates)/base_product_policy.conf
+$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_product_sepolicy := $(intermediates)/built_product_sepolicy
+$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
+$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
+$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
+$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
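Review bot: Both new `.conf` recipes (`base_system_ext_policy.conf` and `base_product_policy.conf`) write a second output, `$@.dontaudit`, via `sed ... > $@.dontaudit`, which is not the target of any rule, so nothing in the graph can depend on it and Make cannot tell when it is stale; this appears to mirror the earlier plat rules, but if any later rule consumes the `.dontaudit` file it should be declared as its own target (or a stamp) rather than a side effect. Separately, `$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))` is evaluated twice in each `built_*_sepolicy` block, once for `PRIVATE_ADDITIONAL_CIL_FILES` and once in the prerequisite list; hoisting it once, e.g. `cil_workaround_files := $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))`, and using `$(cil_workaround_files)` in both places keeps the prerequisite list and the recipe input from drifting apart. Also worth a comment: `PRIVATE_TARGET_BUILD_VARIANT := user` is hard-coded in all four new `.conf` targets, so a reader should be told these are user-variant policies built for checking rather than for installation, if that is the intent.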
diff --git a/OWNERS b/OWNERS
index 866b7b6..c5b61ae 100644
--- a/OWNERS
+++ b/OWNERS
@@ -9,3 +9,4 @@
jiyong@google.com
smoreland@google.com
trong@google.com
+tweek@google.com
diff --git a/apex/Android.bp b/apex/Android.bp
index 2ffaa9e..b5199f0 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -71,6 +71,13 @@
}
filegroup {
+ name: "com.android.compos-file_contexts",
+ srcs: [
+ "com.android.compos-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.conscrypt-file_contexts",
srcs: [
"com.android.conscrypt-file_contexts",
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.compos-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 4703eba..ad8d55c 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,3 +1,3 @@
-(/.*)? u:object_r:system_file:s0
-/bin/crosvm u:object_r:crosvm_exec:s0
-/bin/virtmanager u:object_r:virtmanager_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
+/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 5cc73f9..230fdc3 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -87,15 +87,6 @@
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
-
- // TODO(b/183362912): Patch secilc to handle empty cil files.
- // Put a header so that the generated cil mustn't be empty.
- header := android.PathForModuleGen(ctx, c.Name()+"_header")
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
- rule.Build(c.Name()+"_header", "Generate cil header")
- srcPaths = append(android.Paths{header}, srcPaths...)
-
ctx.Build(pctx, android.BuildParams{
Rule: android.Cat,
Inputs: srcPaths,
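Review bot: The removed block was the workaround tracked by b/183362912 ("Patch secilc to handle empty cil files"), and nothing in the new code records why it is now safe to feed `srcPaths` to `android.Cat` unmodified; a one-line comment above `ctx.Build` such as `// Empty cil inputs no longer need a header line (b/183362912).` would keep the next reader from re-adding the guard, assuming the secilc side has landed. If `proptools` is no longer referenced elsewhere in this file, Go will reject the now-unused import, so confirm it is still used or drop it. The enclosing function starts outside the hunk.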
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 75fbdf1..604014f 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -175,13 +175,13 @@
}
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- c.installSource = c.transformPolicyToConf(ctx)
- c.installPath = android.PathForModuleInstall(ctx, "etc")
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
if !c.installable() {
c.SkipInstall()
}
+
+ c.installSource = c.transformPolicyToConf(ctx)
+ c.installPath = android.PathForModuleInstall(ctx, "etc")
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
}
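Review bot: The reordering that moves `SkipInstall()` ahead of `InstallFile(...)` in `policyConf.GenerateAndroidBuildActions` is repeated in the `policyCil` hunk below and in `sepolicy_vers.go` and `versioned_policy.go`, but none of the four says why the order matters, so the next refactor can silently undo it; presumably `SkipInstall` only suppresses the install rule when it precedes `InstallFile` — if so, a comment on the moved `if` block, e.g. `// Must run before InstallFile, otherwise the install rule is still emitted.`, should accompany each of the four sites. The same naming inconsistency remains between `c.installable()` here and `c.Installable()` in the `policyCil` hunk; worth aligning while the lines are being touched. The enclosing type definitions are outside the hunk.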
func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
@@ -325,6 +325,10 @@
conf := android.PathForModuleSrc(ctx, *c.properties.Src)
cil := c.compileConfToCil(ctx, conf)
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+
if c.InstallInDebugRamdisk() {
// for userdebug_plat_sepolicy.cil
c.installPath = android.PathForModuleInstall(ctx)
@@ -333,10 +337,6 @@
}
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
- if !c.Installable() {
- c.SkipInstall()
- }
}
func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index 0d938e7..9d1fe78 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -82,13 +82,13 @@
rule.Command().Text("echo").Text(ver).Text(">").Output(out)
rule.Build("sepolicy_vers", v.Name())
- v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- v.installSource = out
- ctx.InstallFile(v.installPath, v.stem(), v.installSource)
-
if !v.installable() {
v.SkipInstall()
}
+
+ v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ v.installSource = out
+ ctx.InstallFile(v.installPath, v.stem(), v.installSource)
}
func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index f25cd59..d4bdd74 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -151,16 +151,16 @@
rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
+ if !m.installable() {
+ m.SkipInstall()
+ }
+
m.installSource = out
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
m.installPath = m.installPath.Join(ctx, subdir)
}
ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
-
- if !m.installable() {
- m.SkipInstall()
- }
}
func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
index a591a48..e46f92a 100644
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@@ -240,7 +240,7 @@
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
+ -f $(PRIVATE_PLAT_CIL_FILES) -t $@
# Line markers (denoted by ;;) are malformed after above cmd. They are only
# used for debugging, so we remove them.
$(hide) grep -v ';;' $@ > $@.tmp
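Review bot: The recipe now reads `$(PRIVATE_PLAT_CIL_FILES)` but the target-specific assignment that sets it is outside the hunk, so it is not visible here that the name matches; an undefined Make variable expands to empty without any warning, which would turn the line into `build_sepolicy ... filter_out -f -t $@` and silently filter nothing. Please confirm the `PRIVATE_PLAT_CIL_FILES :=` assignment on this target exists, and consider `MAKEFLAGS += --warn-undefined-variables` in the prologue (if the build system permits it) so such renames fail loudly. The enclosing rule starts before this hunk.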
diff --git a/private/adbd.te b/private/adbd.te
index 3fc77a2..c2c6164 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -84,6 +84,10 @@
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
@@ -213,6 +217,9 @@
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file r_file_perms;
+# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
+allow adbd apex_info_file:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/apexd.te b/private/apexd.te
index 862bab9..b05fecb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,6 +18,8 @@
allow apexd apex_ota_reserved_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
@@ -81,6 +83,9 @@
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
@@ -187,6 +192,13 @@
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
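Review bot: The two new neverallow lines restrict `apex_mnt_dir:filesystem { mount unmount }` and `apex_mnt_dir:dir mounton`, but not `apex_mnt_dir:file mounton`, which the earlier context line `allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton }` shows is an operation that actually happens on /apex; if mounting over files under /apex is also meant to be apexd-only, add `neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:file mounton;` alongside them, otherwise a short comment saying why file-level mounton is left open would help. The accompanying comment has two typos, `postainstall` and `otapreoprt`, which should be `postinstall` and `otapreopt`.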
diff --git a/private/app.te b/private/app.te
index 94d24e0..2b3554f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,11 @@
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process)
+get_prop(appdomain, device_config_runtime_native_prop)
+get_prop(appdomain, device_config_runtime_native_boot_prop)
+
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index aff3a0a..096a41b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -117,12 +117,7 @@
} *;
# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -untrusted_app_29
-} domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 7f2236c..4ee3af7 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -75,6 +75,10 @@
# Send unsolicited message to system_server
unix_socket_send(app_zygote, system_unsolzygote, system_server)
+# Allow the app_zygote to access the runtime feature flag properties.
+get_prop(app_zygote, device_config_runtime_native_prop)
+get_prop(app_zygote, device_config_runtime_native_boot_prop)
+
#####
##### Neverallow
#####
diff --git a/private/artd.te b/private/artd.te
index a76074b..0aa12dc 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -10,3 +10,7 @@
typeattribute artd coredomain;
init_daemon_domain(artd)
+
+# Allow query ART device config properties
+get_prop(artd, device_config_runtime_native_prop)
+get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/private/audioserver.te b/private/audioserver.te
index 5047e2c..feda8d4 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -36,6 +36,7 @@
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
+allow audioserver permission_checker_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
@@ -94,7 +95,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow using wake locks
wakelock_use(audioserver)
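Review bot: The new `neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;` introduces a debug-build carve-out that the comment just above (which still says audioserver is isolated from the network, citing the media-stack hardening post) does not mention, and the same undocumented carve-out appears in `private/mediatranscoding.te` in this change. Add one line next to each, e.g. `# userdebug/eng only: tcp_socket interaction with su is permitted for local debugging`, adjusting the reason to the actual motivation, so the exception is visibly intentional and scoped to non-user builds.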
diff --git a/private/bpfloader.te b/private/bpfloader.te
index ae9b52c..343ec7a 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,13 +27,13 @@
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
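Review bot: `lmkd` is added to the exemption list of the combined `*:bpf { map_read map_write }` neverallow, but the corresponding rules in `private/lmkd.te` in this change grant only `allow lmkd bpfloader:bpf map_read;`, so the neverallow is now looser than the allow it accommodates and would not catch a future `map_write` grant to lmkd. Splitting the line keeps the guarantee tight: `neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf map_read;` and `neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf map_write;`. The three new `allow lmkd ...` rules in lmkd.te also lack the why-comment their neighbours carry; a line such as `# Read bpf maps loaded by bpfloader` above them would do.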
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 59c07d3..6e66493 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,7 @@
ab_update_gki_prop
adbd_config_prop
apc_service
+ apex_appsearch_data_file
apex_art_data_file
apex_art_staging_data_file
apex_info_file
@@ -27,6 +28,7 @@
cgroup_v2
codec2_config_prop
ctl_snapuserd_prop
+ dck_prop
debugfs_kprobes
debugfs_mm_events_tracing
debugfs_bootreceiver_tracing
diff --git a/private/crosvm.te b/private/crosvm.te
index 5d7080a..f7729fd 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -5,8 +5,8 @@
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
-# Let crosvm receive file descriptors from virtmanager.
-allow crosvm virtmanager:fd use;
+# Let crosvm receive file descriptors from VirtualizationService.
+allow crosvm virtualizationservice:fd use;
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 5f0a41e..d194acb 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -47,3 +47,7 @@
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
+
+# Allow query ART device config properties
+get_prop(dexoptanalyzer, device_config_runtime_native_prop)
+get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 0174faa..40b3945 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -41,4 +41,7 @@
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
+
+ # Needed for reading boot properties.
+ allow fastbootd proc_bootconfig:file r_file_perms;
')
diff --git a/private/file.te b/private/file.te
index a024600..0f7e689 100644
--- a/private/file.te
+++ b/private/file.te
@@ -57,6 +57,9 @@
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/virtualizationservice
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 4a4867b..89b63d6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -565,12 +565,12 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
+/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
@@ -620,6 +620,7 @@
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
+/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
@@ -671,6 +672,7 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_appsearch_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 10de777..571d155 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -135,3 +135,6 @@
# b/168059475 Allow GMSCore to read Virtual AB properties to determine
# if device supports VAB.
get_prop(gmscore_app, virtual_ab_prop)
+
+# b/186488185: Allow GMSCore to read dck properties
+get_prop(gmscore_app, dck_prop)
diff --git a/private/lmkd.te b/private/lmkd.te
index fef3a89..ec9a93e 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,8 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
+allow lmkd fs_bpf:dir search;
+allow lmkd fs_bpf:file read;
+allow lmkd bpfloader:bpf map_read;
+
neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 7fb8029..6fe460c 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -15,3 +15,6 @@
get_prop(mediaserver, drm_service_config_prop)
get_prop(mediaserver, media_config_prop)
+
+# Allow mediaserver to start media.transcoding service via ctl.start.
+set_prop(mediaserver, ctl_mediatranscoding_prop);
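Review bot: The new line `set_prop(mediaserver, ctl_mediatranscoding_prop);` ends with a semicolon while the `get_prop(...)` invocations two lines above, and the other macro calls in this change, do not; since the macro expansion already supplies its own terminators, the trailing `;` is at best a stray empty statement after m4 expansion. Drop it to `set_prop(mediaserver, ctl_mediatranscoding_prop)` for consistency with the rest of the file.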
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 2a43cf9..d812525 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -61,4 +61,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3ea8ad2..7a64247 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -48,3 +48,7 @@
# Allow updating boot animation status.
set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/platform_app.te b/private/platform_app.te
index a112081..f746f1c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -99,6 +99,9 @@
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file rw_file_perms;
+# Allow platform apps to act as Perfetto producers.
+perfetto_producer(platform_app)
+
###
### Neverallow rules
###
diff --git a/private/property.te b/private/property.te
index 267ff85..01d4fd9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -34,6 +34,7 @@
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
+system_internal_prop(ctl_mediatranscoding_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index 5d1f117..0799e57 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -168,6 +168,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to starting media.transcoding.
+ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
+
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
@@ -312,8 +315,9 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
-ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
-ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
+ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
@@ -326,7 +330,13 @@
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
-# Should always_debuggable be bool? It's checked against the string "1".
+# ART properties
+dalvik.vm. u:object_r:dalvik_config_prop:s0
+ro.dalvik.vm. u:object_r:dalvik_config_prop:s0
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
+
+# A set of ART properties listed explicitly for compatibility purposes.
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
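Review bot: The new prefix entries `dalvik.vm.` and `ro.dalvik.vm.` (no `exact` type) label every current and future property under those prefixes as `dalvik_config_prop` without the per-property review that the `exact` lines below give; a comment should say that the explicit `exact` entries remain authoritative for type checking and that new ART properties are expected to be added to them rather than relying on the prefix. The removed line asked whether `dalvik.vm.always_debuggable` should be `bool` rather than `int`; the question is dropped but the `exact int` entry is kept unchanged, so either resolve it or keep the note, e.g. `# TODO: always_debuggable is compared against the string "1"; consider bool.` The `# ART properties` heading would also read better if it named what the two prefix lines are for, e.g. `# ART properties (prefix match; explicit exact entries below take precedence)`.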
@@ -350,6 +360,7 @@
dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dexopt.secondary u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dexopt.thermal-cutoff u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.execution-mode u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.extra-opts u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.foreground-heap-growth-multiplier u:object_r:dalvik_config_prop:s0 exact string
@@ -401,7 +412,6 @@
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
-ro.zygote u:object_r:dalvik_config_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -442,6 +452,7 @@
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
@@ -488,8 +499,6 @@
ro.crypto.volume.metadata.method u:object_r:vold_config_prop:s0 exact string
ro.crypto.volume.options u:object_r:vold_config_prop:s0 exact string
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
@@ -550,6 +559,7 @@
sys.usb.controller u:object_r:usb_control_prop:s0 exact string
sys.usb.state u:object_r:usb_control_prop:s0 exact string
+sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
sys.usb.config. u:object_r:usb_prop:s0
@@ -825,6 +835,7 @@
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.fingerprint_has_digest u:object_r:build_vendor_prop:s0 exact bool
ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
@@ -832,6 +843,7 @@
ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool
# All vendor CPU abilist props are set by /vendor/build.prop
ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
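Review bot: `ro.vendor.build.dont_use_vabc` is appended after `ro.vendor.build.version.sdk`, which breaks the alphabetical order the surrounding `ro.vendor.build.*` block follows (date, date.utc, fingerprint, id, tags, type, version.*). Move the line up so it sits after `ro.vendor.build.date.utc` and before `ro.vendor.build.fingerprint`, i.e. into the previous hunk of this file.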
@@ -1056,6 +1068,7 @@
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1184,3 +1197,6 @@
# bootanimation properties
ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
+
+# dck properties
+ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
diff --git a/private/seapp_contexts b/private/seapp_contexts
index b8e42ea..1d38fd9 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,7 +158,6 @@
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
diff --git a/private/service_contexts b/private/service_contexts
index 3357943..b410b18 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -71,7 +71,7 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtmanager u:object_r:virtualization_service:s0
+android.system.virtualizationservice u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
diff --git a/private/shell.te b/private/shell.te
index 5831d54..40b19fd 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,6 +114,11 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
+allow shell apex_info_file:file r_file_perms;
+allow shell vendor_apex_file:file r_file_perms;
+allow shell vendor_apex_file:dir r_dir_perms;
+
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
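Review bot: `allow shell apex_info_file:file r_file_perms;` is added twice in this file — here and again in the second shell.te hunk (`# Allow shell read access to /apex/apex-info-list.xml for CTS.`). Duplicate allow rules are merged by the compiler so nothing breaks, but the two comments give different justifications, which will confuse the next person auditing shell's access. Keep one occurrence and fold the reason into a single comment, e.g. `# Allow shell to read /apex/apex-info-list.xml (also used by CTS) and the vendor apexes`.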
@@ -197,3 +202,6 @@
# Allow ReadDefaultFstab() for CTS.
read_fstab(shell)
+
+# Allow shell read access to /apex/apex-info-list.xml for CTS.
+allow shell apex_info_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 48d5f9d..10b8177 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -169,6 +169,9 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
+# Allow system apps to act as Perfetto producers.
+perfetto_producer(system_app)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index dcccc5e..f35f9a8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -44,11 +44,28 @@
INCFS_IOCTL_FILL_BLOCKS
INCFS_IOCTL_GET_FILLED_BLOCKS
INCFS_IOCTL_GET_BLOCK_COUNT
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_COMPRESS_BLOCKS
+ F2FS_IOC_COMPRESS_FILE
+ F2FS_IOC_DECOMPRESS_FILE
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ F2FS_IOC_RESERVE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+ FS_IOC_GETFLAGS
+};
+
+allowxperm system_server apk_tmp_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
};
# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+# For f2fs-compression support
+allow system_server sysfs_fs_f2fs:dir r_dir_perms;
+allow system_server sysfs_fs_f2fs:file r_file_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
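Review bot: `FS_IOC_SETFLAGS` grants more than the compression-specific `F2FS_IOC_*` ioctls it is listed with — it sets the whole inode attribute word, not only a compression bit — and the hunk does not show which file type the enclosing `allowxperm` targets, because that statement's header is above the hunk. A why-comment on the added lines would make the grant auditable, e.g. `# FS_IOC_GETFLAGS/SETFLAGS: presumably needed to toggle the per-file compression attribute — confirm the target type`. The `apk_tmp_file` statement below is narrower (release + GETFLAGS only), which is the pattern the first block should follow if SETFLAGS is not actually required there.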
@@ -205,6 +222,9 @@
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;
+# Allow reading /proc/vmstat for the oom kill count
+allow system_server proc_vmstat:file r_file_perms;
+
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -319,6 +339,7 @@
drmserver
gpuservice
inputflinger
+ keystore
mediadrmserver
mediaextractor
mediametrics
@@ -688,6 +709,11 @@
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
+
+# Allow query ART device config properties
+get_prop(system_server, device_config_runtime_native_boot_prop)
+get_prop(system_server, device_config_runtime_native_prop)
+
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
@@ -1120,6 +1146,12 @@
# Allow system process to setup fs-verity for font files
allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
+
+# Allow system server to read profcollectd reports for upload.
+userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
+
###
### Neverallow rules
###
@@ -1258,6 +1290,8 @@
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_appsearch_data_file:dir create_dir_perms;
+allow system_server apex_appsearch_data_file:file create_file_perms;
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
allow system_server apex_scheduling_data_file:dir create_dir_perms;
@@ -1373,6 +1407,3 @@
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 902941e..3301304 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -14,3 +14,7 @@
# Child of the zygote.
allow system_server_startup zygote:process sigchld;
+
+# Allow query ART device config properties
+get_prop(system_server_startup, device_config_runtime_native_boot_prop)
+get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/private/toolbox.te b/private/toolbox.te
index a2b958d..6077f0b 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,7 @@
typeattribute toolbox coredomain;
init_daemon_domain(toolbox)
+
+# rm -rf /data/misc/virtualizationservice
+allow toolbox virtualizationservice_data_file:dir { remove_name rmdir };
+allow toolbox virtualizationservice_data_file:file { getattr unlink };
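Review bot: The two rules grant `remove_name rmdir` on the directory and `getattr unlink` on files, but an `rm -rf` also has to enumerate the directory, which needs `open read search` on `virtualizationservice_data_file:dir`; unless toolbox already holds those via a broader rule elsewhere (not visible here), the recipe will fail on the first `readdir`. If the broader rule exists, say so in the comment; otherwise the first rule should read `allow toolbox virtualizationservice_data_file:dir { open read search remove_name rmdir };`. The comment `# rm -rf /data/misc/virtualizationservice` would also help if it named where that command runs (which init rc action), so the grant can be removed once the cleanup is gone.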
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 41cabe8..82c07ff 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -48,7 +48,3 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0993faa..7a326a5 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,7 +36,3 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index c5652b1..d03f399 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -14,7 +14,3 @@
untrusted_app_domain(untrusted_app_29)
net_domain(untrusted_app_29)
bluetooth_domain(untrusted_app_29)
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/virtmanager.te b/private/virtmanager.te
deleted file mode 100644
index 467f7d4..0000000
--- a/private/virtmanager.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type virtmanager, domain, coredomain;
-type virtmanager_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
-init_daemon_domain(virtmanager)
-
-# Let the virtmanager domain use Binder.
-binder_use(virtmanager)
-
-# Let the virtmanager domain register the virtualization_service with ServiceManager.
-add_service(virtmanager, virtualization_service)
-
-# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtmanager, crosvm_exec, crosvm)
-
-# Let virtmanager kill crosvm.
-allow virtmanager crosvm:process sigkill;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
new file mode 100644
index 0000000..4c6f1f9
--- /dev/null
+++ b/private/virtualizationservice.te
@@ -0,0 +1,25 @@
+type virtualizationservice, domain, coredomain;
+type virtualizationservice_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtualizationservice_exec, run it in the
+# virtualizationservice domain.
+init_daemon_domain(virtualizationservice)
+
+# Let the virtualizationservice domain use Binder.
+binder_use(virtualizationservice)
+
+# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
+add_service(virtualizationservice, virtualization_service)
+
+# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+
+# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
+allow virtualizationservice system_file:file execute_no_trans;
+
+# Let virtualizationservice kill crosvm.
+allow virtualizationservice crosvm:process sigkill;
+
+# Let virtualizationservice access its data directory.
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
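Review bot: `allow virtualizationservice system_file:file execute_no_trans;` lets this domain execute any binary labelled `system_file` in its own domain, which is much broader than the single helper the comment names (`mk_cdisk`). The usual pattern in this tree is to give the helper its own exec type (or a dedicated attribute) and allow only that, so the grant stays reviewable as the set of system binaries grows; if the broad grant is intentional, the comment should say why a dedicated type was not used. The rest of the new file mirrors the deleted virtmanager.te one-to-one, so no other point there.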
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 1414f6c..956e94e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_appsearch_data_file
apex_art_data_file
apex_module_data_file
apex_permission_data_file
@@ -32,6 +33,7 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_appsearch_data_file
apex_art_data_file
apex_art_staging_data_file
apex_module_data_file
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 8878acf..da98e2e 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -10,6 +10,6 @@
# wait_for_keymaster needs to find keystore and call methods with the returned
# binder reference.
-allow wait_for_keymaster servicemanager:binder call;
+binder_use(wait_for_keymaster)
allow wait_for_keymaster keystore_service:service_manager find;
-allow wait_for_keymaster keystore:binder call;
+binder_call(wait_for_keymaster, keystore)
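Review bot: Replacing `allow wait_for_keymaster servicemanager:binder call;` and `allow wait_for_keymaster keystore:binder call;` with `binder_use` and `binder_call` grants more than the two `call` permissions they replace (the macros add transfer and the reverse direction between the two domains). That is probably what a real binder client needs, but the unchanged comment above still only explains "find keystore and call methods"; extend it, e.g. `# Use the standard binder macros: the bare call rules were insufficient for keystore replies.` — or state the specific denial that motivated the change.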
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3f217e1..10bcf1c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,6 +83,10 @@
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+# Allow the webview_zygote to access the runtime feature flag properties.
+get_prop(webview_zygote, device_config_runtime_native_prop)
+get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+
#####
##### Neverallow
#####
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 7a29240..b7e555f 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -28,6 +28,7 @@
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
+allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
@@ -53,7 +54,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
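Review bot: The `tcp_socket` neverallow now exempts `su` on userdebug/eng builds, but the comment block above it (`# permissions and be isolated from the rest of the system and network.`) still describes unconditional network isolation; update it so the next reader sees the carve-out, e.g. `# Exception: on userdebug/eng builds su may talk to these daemons over TCP (binder over TCP, see add_service in te_macros).` The same split-and-exempt edit is made in public/hal_neverallows.te, public/hal_omx.te, public/iorapd.te, public/mediaextractor.te and public/mediametrics.te, and the matching allow lives in the `add_service` macro in public/te_macros; the comment fix applies to each of the media/HAL files that carry the same isolation text.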
diff --git a/public/domain.te b/public/domain.te
index 8244b9c..d84abf1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,7 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir search;
+allow domain dmabuf_heap_device:dir r_dir_perms;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
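Review bot: Widening `dmabuf_heap_device:dir` from `search` to `r_dir_perms` for `domain` lets every domain, including untrusted app domains, enumerate the heap device directory rather than only open heaps it already knows by name; if listing is needed only by specific clients, a narrower rule would be the safer default, and if the broad grant is intended the commit should say which consumer needs it. It also makes the existing `allow system_server dmabuf_heap_device:dir r_dir_perms;` in private/system_server.te (visible as a context line in this diff, under `# for dumpsys meminfo`) redundant; drop that line or leave a comment explaining why it is kept.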
diff --git a/public/file.te b/public/file.te
index 2250482..20348b5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -385,6 +385,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 4117878..0214e2a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -25,7 +25,21 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} {
+ domain
+ userdebug_or_eng(`-su')
+}:tcp_socket *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 8e74383..2611dcd 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -46,4 +46,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/installd.te b/public/installd.te
index eb13cfa..08060e3 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -160,6 +160,10 @@
#add for move app to sd card
get_prop(installd, storage_config_prop)
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
###
### Neverallow rules
###
diff --git a/public/ioctl_defines b/public/ioctl_defines
index afb0b2d..5ac4d94 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -698,22 +698,30 @@
define(`EVIOCSKEYCODE', `0x40084504')
define(`EVIOCSKEYCODE_V2', `0x40284504')
define(`EVIOCSREP', `0x40084503')
-define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
+define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
-define(`F2FS_IOC_DEFRAGMENT', `0xf508')
-define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
+define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
+define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
+define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_DEFRAGMENT', `0xf508')
+define(`F2FS_IOC_MOVE_RANGE', `0xf509')
+define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
define(`F2FS_IOC_GET_FEATURES', `0xf50c')
-define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
-define(`F2FS_IOC_MOVE_RANGE', `0xf509')
-define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
-define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
-define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
-define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
-define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
-define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
+define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
+define(`F2FS_IOC_RESIZE_FS', `0xf510')
+define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
+define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
+define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
+define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
+define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
+define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
+define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
diff --git a/public/iorapd.te b/public/iorapd.te
index b970699..b772af8 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -94,4 +94,5 @@
}:binder call;
neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..a29e5dc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -59,7 +59,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..76f819e 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -42,4 +42,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 388001d..ad460e1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -76,6 +76,7 @@
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
diff --git a/public/profman.te b/public/profman.te
index 8ff6271..c014d79 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -22,6 +22,10 @@
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
###
### neverallow rules
###
diff --git a/public/property.te b/public/property.te
index 5edb59e..57146a4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,6 @@
system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(device_config_runtime_native_boot_prop)
-system_internal_prop(device_config_runtime_native_prop)
system_internal_prop(firstboot_prop)
compatible_property_only(`
@@ -67,6 +65,8 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(hal_instrumentation_prop)
system_restricted_prop(init_service_status_prop)
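Review bot: Moving `device_config_runtime_native_boot_prop` and `device_config_runtime_native_prop` from `system_internal_prop` to `system_restricted_prop` makes them readable by every domain, including vendor, not just the system readers that gained explicit `get_prop` rules in this change (odrefresh, system_server, system_server_startup, profman, webview_zygote — all coredomain). If no vendor or app reader exists, `system_internal_prop` plus those `get_prop` lines would have been sufficient, so the wider class deserves a one-line justification at the new lines, e.g. `# readable by vendor domains for <reader> — confirm`.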
@@ -169,6 +169,7 @@
system_vendor_config_prop(wifi_config_prop)
system_vendor_config_prop(zram_config_prop)
system_vendor_config_prop(zygote_config_prop)
+system_vendor_config_prop(dck_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index b7ff7a0..2ed007e 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -27,7 +27,8 @@
allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
# simpleperf_app_runner passes pipe fds.
-allow simpleperf_app_runner shell:fifo_file read;
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
# simpleperf_app_runner checks shell data paths.
# simpleperf_app_runner passes shell data fds.
diff --git a/public/te_macros b/public/te_macros
index 8d15d47..2a218cb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -670,6 +670,12 @@
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
+
+ # On debug builds with root, allow binder services to use binder over TCP.
+ # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
+ userdebug_or_eng(`
+ allow $1 su:tcp_socket { accept getopt read write };
+ ')
')
###########################################
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 0f549c9..3b04671 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -32,8 +32,12 @@
r_dir_file(uncrypt, rootfs)
-# uncrypt reads /proc/cmdline
-allow uncrypt proc_cmdline:file r_file_perms;
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+ proc_bootconfig
+ proc_cmdline
+
+}:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
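Review bot: The new type set has a stray empty line between `proc_cmdline` and the closing `}:file r_file_perms;`, which no other multi-line set in this tree has; remove it so the block is `allow uncrypt { proc_bootconfig proc_cmdline }:file r_file_perms;` (or keep the two-line form without the blank). The replacement comment drops the fact that /proc/cmdline is still read; `# ReadDefaultFstab reads /proc/cmdline and /proc/bootconfig.` keeps both facts.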
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 7e96cb1..b0e1da5 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -262,6 +262,7 @@
get_prop(vendor_init, surfaceflinger_display_prop)
get_prop(vendor_init, test_harness_prop)
get_prop(vendor_init, theme_prop)
+set_prop(vendor_init, dck_prop)
###
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index edd1708..1d26dfc 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -40,11 +40,18 @@
def TestDebugfsTypeViolations(pol):
ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
- ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
"/sys/kernel/tracing"], [], "debugfs_type")
return ret
+def TestTracefsTypeViolations(pol):
+ ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
+ ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
+ ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
+ ["/sys/kernel/debug/tracing"], "tracefs_type",
+ [])
+ return ret
+
def TestVendorTypeViolations(pol):
partitions = ["/vendor/", "/odm/"]
exceptions = [
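Review bot: `TestDebugfsTypeViolations` (context lines above the new function) still asserts that types under `/sys/kernel/tracing` carry `debugfs_type`, while the new `TestTracefsTypeViolations` asserts the same path carries `tracefs_type`; if a single type is expected to satisfy both tests that constraint should be stated, otherwise `/sys/kernel/tracing` should be dropped from the debugfs path list now that the tracefs genfs assertion has moved out. The new function also has no docstring, unlike the surrounding tests' implicit contract; a one-liner such as `"""tracefs mounts and /sys/kernel/tracing must use tracefs_type; /sys/kernel/debug must not, except the legacy /sys/kernel/debug/tracing path."""` would document the exception list passed to `AssertPathTypesDoNotHaveAttr`.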
@@ -111,6 +118,7 @@
"TestSysfsTypeViolations",
"TestSystemTypeViolators",
"TestDebugfsTypeViolations",
+ "TestTracefsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
"TestPropertyTypeViolations",
@@ -165,6 +173,8 @@
results += TestSystemTypeViolations(pol)
if options.test is None or "TestDebugfsTypeViolations" in options.test:
results += TestDebugfsTypeViolations(pol)
+ if options.test is None or "TestTracefsTypeViolations" in options.test:
+ results += TestTracefsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index fdfe9ee..1f27727 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -11,6 +11,27 @@
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
+# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
+# make file of the system_ext partition.
+SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
+# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
+# make file of the product partition.
+PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
+# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor
+# plat_pub_versioned.cil should be in
+# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir.
+# plat_pub_versioned.cil should have platform, system_ext and product sepolicies
+# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.
+# In order to enable treble sepolicy tests for platform, system_ext and product
+# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and
+# BOARD_PLAT_PUB_VERSIONED_POLICY should be set.
+IS_TREBLE_TEST_ENABLED_PARTNER := false
+ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
+ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+IS_TREBLE_TEST_ENABLED_PARTNER := true
+endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
+
include $(BUILD_SYSTEM)/base_rules.mk
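Review bot: The new comment block has two typos that will mislead partners reading it: `# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.` should be `# similar to system/sepolicy/prebuilts/api/$(version)/plat_pub_versioned.cil file.`, and `# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and` has a stray space before the comma. The gate `IS_TREBLE_TEST_ENABLED_PARTNER` only checks `BOARD_PLAT_PUB_VERSIONED_POLICY`, yet the comment says all three variables "should be set"; either state that the system_ext/product dirs are optional (as the later `ifneq` blocks treat them) or add a check that the path actually exists, e.g. `ifneq (,$(wildcard $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)))`.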
# $(version)_plat - the platform policy shipped as part of the $(version) release. This is
@@ -19,6 +40,20 @@
# been maintained by our mapping files.
$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
+$(version)_PLAT_PUBLIC_POLICY += \
+ $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY += \
+ $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
+ifneq (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_PLAT_PUBLIC_POLICY += \
+ $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY += \
+ $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
+endif # (,$(PRODUCT_PREBUILT_POLICY))
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
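Review bot: The system_ext and product prebuilt directories are appended to `$(version)_PLAT_PUBLIC_POLICY` and `$(version)_PLAT_PRIVATE_POLICY`, so the `PLAT` name no longer describes what the variables hold, while the cleanup at the end of the last hunk clears `$(version)_SYSTEM_EXT_PUBLIC_POLICY`, `$(version)_SYSTEM_EXT_PRIVATE_POLICY`, `$(version)_PRODUCT_PUBLIC_POLICY` and `$(version)_PRODUCT_PRIVATE_POLICY`, which nothing visible in this diff ever assigns. Either introduce those per-partition variables here and pass them to `build_policy` on the line below, or drop the four dead clears. If the single-variable form is kept, a comment such as `# In partner mode these lists also carry the system_ext/product prebuilt dirs` above the `ifeq` would keep the name honest.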
@@ -52,7 +87,6 @@
$(version)_plat_policy.conf :=
-
# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
# targeting the $(version) SELinux release. This ensures that our policy will build
# when used on a device that has non-platform policy targetting the $(version) release.
@@ -61,6 +95,21 @@
$(version)_mapping.ignore.cil := \
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
+$(version)_mapping.cil += \
+ $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
+$(version)_mapping.ignore.cil += \
+ $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
+ifneq (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_mapping.cil += \
+ $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
+$(version)_mapping.ignore.cil += \
+ $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
+endif # (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)
+endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
# nonplat_sepolicy.cil.
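Review bot: Reassigning `$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)` at the end of the partner block redirects every later `$($(version)_prebuilts_dir)` lookup to the board-supplied tree, including `$(version)_nonplat` in the next hunk and presumably the plat_pub_versioned.cil / vendor_sepolicy.cil paths the following comment refers to, not only the plat_pub_versioned.cil the header comment describes; since this makes the test's baseline come from a directory the board config points at, a comment stating that scope would help, e.g. `# partner mode: all $(version) prebuilts (plat_pub_versioned.cil, nonplat, ...) are read from the board tree, not from $(LOCAL_PATH)`. On a point of style, `endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)` lacks the space every other `endif # (...)` comment in this file uses.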
@@ -70,10 +119,18 @@
$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
endif
-$($(version)_compat): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
-$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+cil_files := $(built_plat_cil)
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)
+cil_files += $(built_system_ext_cil)
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)
+ifneq (,$(PRODUCT_PREBUILT_POLICY)
+cil_files += $(built_product_cil)
+endif # (,$(PRODUCT_PREBUILT_POLICY)
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+cil_files += $($(version)_mapping.cil) $($(version)_nonplat)
+$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
+$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
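Review bot: `ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)` and `ifneq (,$(PRODUCT_PREBUILT_POLICY)` (and their matching `endif` comments) are missing the closing parenthesis of the conditional, unlike the same tests in the earlier hunks; GNU make reports an unterminated conditional as "invalid syntax in conditional", and a more lenient parser would at best evaluate something other than what was intended, so `$(built_system_ext_cil)` and `$(built_product_cil)` may never reach `cil_files`. They should read `ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))` and `ifneq (,$(PRODUCT_PREBUILT_POLICY))`. `cil_files` is also an unversioned scratch variable, unlike the `$(version)_`-prefixed ones around it; it is reset at the end of the file, but a short comment saying it is only valid until the `$($(version)_compat)` rules below would make that clear.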
@@ -86,32 +143,47 @@
mkdir -p $(dir $@)
cat $^ > $@
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+built_sepolicy_files := $(built_product_sepolicy)
+public_cil_files := $(base_product_pub_policy.cil)
+else
+built_sepolicy_files := $(built_plat_sepolicy)
+public_cil_files := $(base_plat_pub_policy.cil)
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
# TODO(b/113124961): remove fake-treble
$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
- $(base_plat_pub_policy.cil) \
+ $(all_fc_files) $(built_sepolicy) \
+ $(built_sepolicy_files) \
+ $(public_cil_files) \
$(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
- $(PRIVATE_FAKE_TREBLE)
+ $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+ -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
+ $(PRIVATE_FAKE_TREBLE)
$(hide) touch $@
+$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
+$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
+$(version)_PRODUCT_PUBLIC_POLICY :=
+$(version)_PRODUCT_PRIVATE_POLICY :=
$(version)_PLAT_PUBLIC_POLICY :=
$(version)_PLAT_PRIVATE_POLICY :=
+built_sepolicy_files :=
+public_cil_files :=
+cil_files :=
$(version)_compat :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
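Review bot: In partner mode `built_sepolicy_files` and `public_cil_files` switch unconditionally to `$(built_product_sepolicy)` and `$(base_product_pub_policy.cil)`, whereas every other partner block in this file additionally checks `PRODUCT_PREBUILT_POLICY`; a board that sets only BOARD_PLAT_PUB_VERSIONED_POLICY therefore passes the product policy as the `-b` and `-u` inputs of treble_sepolicy_tests, and if those two variables are empty because no product policy is built the arguments go missing entirely. If the product policy is always the intended baseline in partner mode, say so in a comment above the `ifeq`; otherwise default to the plat files and only override when the product prebuilt dir is set, as below.
```make
# Default: compare against the platform policy.
built_sepolicy_files := $(built_plat_sepolicy)
public_cil_files := $(base_plat_pub_policy.cil)
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
ifneq (,$(PRODUCT_PREBUILT_POLICY))
# Partner mode with a product prebuilt dir: the product policy is the baseline.
built_sepolicy_files := $(built_product_sepolicy)
public_cil_files := $(base_product_pub_policy.cil)
endif # (,$(PRODUCT_PREBUILT_POLICY))
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
# … unchanged: $(LOCAL_BUILT_MODULE) private variables and recipe …
```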
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index f78b58f..8587e12 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -34,5 +34,6 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediacodec domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
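Review bot: The comment directly above still states that mediacodec must "be isolated from the rest of the system and network", but the new second `neverallow` carves `su` out of the tcp_socket ban on userdebug/eng builds without saying why, so the next reader cannot tell whether the exemption is deliberate. A line such as `# tcp_socket: su is exempted on userdebug/eng only (userdebug_or_eng expands to nothing on user builds, where the blanket ban remains)` above the new rule would record that. It is also worth noting in the comment that relaxing a neverallow grants nothing by itself; it only stops the compile-time check from rejecting a separate debug-build allow rule, so the actual access still has to be reviewed wherever that rule lives.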