Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: I6d0b1be1a46288fff42c3689dbef2f7443efebcc
Change-Id: I133180d20457b9f805f3da0915e2cf6e48229132
diff --git a/Android.bp b/Android.bp
index dbd52cb..2ca424d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -289,6 +289,11 @@
srcs: ["service_contexts"],
}
+se_filegroup {
+ name: "keystore2_key_contexts_files",
+ srcs: ["keystore2_key_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files"],
@@ -425,6 +430,30 @@
soc_specific: true,
}
+keystore2_key_contexts {
+ name: "plat_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+}
+
+keystore2_key_contexts {
+ name: "system_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "product_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ product_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "vendor_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
+}
+
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
diff --git a/Android.mk b/Android.mk
index b667fd2..fa3a418 100644
--- a/Android.mk
+++ b/Android.mk
@@ -272,6 +272,7 @@
build_sepolicy \
plat_file_contexts \
plat_file_contexts_test \
+ plat_keystore2_key_contexts \
plat_mac_permissions.xml \
plat_property_contexts \
plat_property_contexts_test \
diff --git a/apex/Android.bp b/apex/Android.bp
index d3acfdb..78e1be9 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -77,6 +77,13 @@
}
filegroup {
+ name: "com.android.gki-file_contexts",
+ srcs: [
+ "com.android.gki-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
diff --git a/apex/com.android.gki-file_contexts b/apex/com.android.gki-file_contexts
new file mode 100644
index 0000000..ccee7f8
--- /dev/null
+++ b/apex/com.android.gki-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/(.*)? u:object_r:gki_apex_prepostinstall_exec:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 635ebda..26e8246 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -92,6 +92,7 @@
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
+ android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
@@ -426,3 +427,9 @@
m.build = m.buildGeneralContexts
return m
}
+
+func keystoreKeyFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ return m
+}
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 3cc0151..02376bc 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -52,9 +52,9 @@
system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys)
+$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
@@ -83,9 +83,9 @@
product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys)
+$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
index 6f2b820..da8c67b 100644
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -494,7 +494,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -515,7 +515,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
index d37a0bd..999c16a 100644
--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
index efd23bd..64e174f 100644
--- a/prebuilts/api/26.0/private/incidentd.te
+++ b/prebuilts/api/26.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
index 05e4773..2e14d18 100644
--- a/prebuilts/api/26.0/private/system_server.te
+++ b/prebuilts/api/26.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -92,7 +92,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
index d2b370a..3adefd1 100644
--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -223,7 +223,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -234,7 +234,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -243,7 +243,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -343,7 +343,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -445,7 +445,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -668,7 +668,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -722,7 +722,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -923,7 +923,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/26.0/public/hal_wifi_supplicant.te b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
index 0f2540e..028440c 100644
--- a/prebuilts/api/26.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/26.0/public/netd.te b/prebuilts/api/26.0/public/netd.te
index 691887f..80fb76d 100644
--- a/prebuilts/api/26.0/public/netd.te
+++ b/prebuilts/api/26.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/26.0/public/vendor_toolbox.te b/prebuilts/api/26.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/26.0/public/vendor_toolbox.te
+++ b/prebuilts/api/26.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/27.0/private/app.te b/prebuilts/api/27.0/private/app.te
index 9251ed9..c53fa36 100644
--- a/prebuilts/api/27.0/private/app.te
+++ b/prebuilts/api/27.0/private/app.te
@@ -512,7 +512,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -533,7 +533,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
index d37a0bd..999c16a 100644
--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/27.0/private/incidentd.te b/prebuilts/api/27.0/private/incidentd.te
index efd23bd..64e174f 100644
--- a/prebuilts/api/27.0/private/incidentd.te
+++ b/prebuilts/api/27.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/27.0/private/isolated_app.te b/prebuilts/api/27.0/private/isolated_app.te
index 37935c3..fbfb8a5 100644
--- a/prebuilts/api/27.0/private/isolated_app.te
+++ b/prebuilts/api/27.0/private/isolated_app.te
@@ -74,7 +74,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/27.0/private/system_server.te b/prebuilts/api/27.0/private/system_server.te
index 40c5382..3a5b53b 100644
--- a/prebuilts/api/27.0/private/system_server.te
+++ b/prebuilts/api/27.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -95,7 +95,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/27.0/public/domain.te b/prebuilts/api/27.0/public/domain.te
index f5c72cc..e9ae56c 100644
--- a/prebuilts/api/27.0/public/domain.te
+++ b/prebuilts/api/27.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -226,7 +226,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -237,7 +237,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -246,7 +246,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -347,7 +347,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -448,7 +448,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -664,7 +664,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -718,7 +718,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -916,7 +916,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/27.0/public/hal_wifi_supplicant.te b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
index 0f2540e..028440c 100644
--- a/prebuilts/api/27.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/27.0/public/netd.te b/prebuilts/api/27.0/public/netd.te
index aa99da2..7f7872e 100644
--- a/prebuilts/api/27.0/public/netd.te
+++ b/prebuilts/api/27.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/27.0/public/vendor_toolbox.te b/prebuilts/api/27.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/27.0/public/vendor_toolbox.te
+++ b/prebuilts/api/27.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
index fb6ba4f..5053c28 100644
--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/28.0/private/incidentd.te b/prebuilts/api/28.0/private/incidentd.te
index 6b248f1..35b184c 100644
--- a/prebuilts/api/28.0/private/incidentd.te
+++ b/prebuilts/api/28.0/private/incidentd.te
@@ -115,7 +115,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
index a6276b3..6af6040 100644
--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -77,7 +77,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/28.0/private/perfetto.te b/prebuilts/api/28.0/private/perfetto.te
index 9ac5d87..67725bf 100644
--- a/prebuilts/api/28.0/private/perfetto.te
+++ b/prebuilts/api/28.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index fa84c32..2927e0b 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -46,7 +46,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -91,7 +91,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/28.0/private/traced_probes.te b/prebuilts/api/28.0/private/traced_probes.te
index 5d80f7e..e32e2e6 100644
--- a/prebuilts/api/28.0/private/traced_probes.te
+++ b/prebuilts/api/28.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 439c1f8..55308da 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -530,7 +530,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -551,7 +551,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index e9337b6..2533aec 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -257,19 +257,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -303,7 +303,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -312,7 +312,7 @@
-vold
} self:global_capability_class_set mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -424,7 +424,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -552,7 +552,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -928,7 +928,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -997,7 +997,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -1014,7 +1014,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -1224,7 +1224,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/28.0/public/hal_wifi_supplicant.te b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
index 6bf0d32..3778515 100644
--- a/prebuilts/api/28.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index 18113e7..1fb3d48 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/28.0/public/vendor_toolbox.te b/prebuilts/api/28.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/28.0/public/vendor_toolbox.te
+++ b/prebuilts/api/28.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b2..419d9fe 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -15,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 209eeb0..447176e 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -83,7 +83,7 @@
')
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -185,7 +185,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -299,7 +299,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index 5330c58..f984677 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index b93f1b2..ee9812e 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -126,7 +126,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/29.0/private/isolated_app.te b/prebuilts/api/29.0/private/isolated_app.te
index 94b49b0..714405f 100644
--- a/prebuilts/api/29.0/private/isolated_app.te
+++ b/prebuilts/api/29.0/private/isolated_app.te
@@ -87,7 +87,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te
index 60a6250..6b1a81a 100644
--- a/prebuilts/api/29.0/private/perfetto.te
+++ b/prebuilts/api/29.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 73891c9..5f60674 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -50,14 +50,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -102,7 +102,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te
index 4820e3f..5b4c0cc 100644
--- a/prebuilts/api/29.0/private/traced_probes.te
+++ b/prebuilts/api/29.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/29.0/public/app.te b/prebuilts/api/29.0/public/app.te
index 5c48e71..5b3459f 100644
--- a/prebuilts/api/29.0/public/app.te
+++ b/prebuilts/api/29.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 987bb9f..1a9e0e1 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -260,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -331,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to a allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -346,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -544,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -951,7 +951,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -970,7 +970,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -998,7 +998,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1028,7 +1028,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
domain
-appdomain
@@ -1215,7 +1215,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/29.0/public/hal_wifi_supplicant.te b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/prebuilts/api/29.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te
index c8877b2..f776db6 100644
--- a/prebuilts/api/29.0/public/netd.te
+++ b/prebuilts/api/29.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/29.0/public/vendor_toolbox.te b/prebuilts/api/29.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/29.0/public/vendor_toolbox.te
+++ b/prebuilts/api/29.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te
index 9e702dd..7c7ddc6 100644
--- a/prebuilts/api/30.0/private/apexd.te
+++ b/prebuilts/api/30.0/private/apexd.te
@@ -37,6 +37,7 @@
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
+ LOOP_CONFIGURE
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/atrace.te b/prebuilts/api/30.0/private/atrace.te
index ad7d177..585c254 100644
--- a/prebuilts/api/30.0/private/atrace.te
+++ b/prebuilts/api/30.0/private/atrace.te
@@ -59,7 +59,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-whitelisted services.
+# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index 86e8009..f13d98a 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -15,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index 1a8ce50..dc83b8f 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -122,7 +122,7 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -225,7 +225,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -342,7 +342,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/30.0/private/heapprofd.te b/prebuilts/api/30.0/private/heapprofd.te
index ec3e4d0..7bd60a4 100644
--- a/prebuilts/api/30.0/private/heapprofd.te
+++ b/prebuilts/api/30.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/30.0/private/incidentd.te b/prebuilts/api/30.0/private/incidentd.te
index 656f69f..f10173b 100644
--- a/prebuilts/api/30.0/private/incidentd.te
+++ b/prebuilts/api/30.0/private/incidentd.te
@@ -145,7 +145,7 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/30.0/private/isolated_app.te b/prebuilts/api/30.0/private/isolated_app.te
index 4c6c5aa..94d60f0 100644
--- a/prebuilts/api/30.0/private/isolated_app.te
+++ b/prebuilts/api/30.0/private/isolated_app.te
@@ -88,7 +88,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/30.0/private/perfetto.te b/prebuilts/api/30.0/private/perfetto.te
index 0161361..14707ac 100644
--- a/prebuilts/api/30.0/private/perfetto.te
+++ b/prebuilts/api/30.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 0499ce4..5e53af8 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -29,7 +29,7 @@
allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -66,14 +66,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -118,7 +118,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/30.0/private/traced_probes.te b/prebuilts/api/30.0/private/traced_probes.te
index dd6ece0..36f9c51 100644
--- a/prebuilts/api/30.0/private/traced_probes.te
+++ b/prebuilts/api/30.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index 9c635aa..53c73b7 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 8cb4950..c151b95 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -260,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -331,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to a allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -346,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -544,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -934,7 +934,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -955,7 +955,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -984,7 +984,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1019,7 +1019,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
domain
-appdomain
@@ -1212,7 +1212,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 1724b70..6563461 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -76,10 +76,12 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
+ hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
+ hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -91,6 +93,7 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
+ hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
diff --git a/prebuilts/api/30.0/public/hal_wifi_supplicant.te b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/prebuilts/api/30.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 4cc3bba..3c7758a 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -1059,6 +1059,7 @@
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1370,6 +1371,7 @@
define(`LOGGER_SET_VERSION', `0x0000ae06')
define(`LOOP_CHANGE_FD', `0x00004c06')
define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
define(`LOOP_CTL_ADD', `0x00004c80')
define(`LOOP_CTL_GET_FREE', `0x00004c82')
define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/prebuilts/api/30.0/public/netd.te b/prebuilts/api/30.0/public/netd.te
index 8005406..0b83d4c 100644
--- a/prebuilts/api/30.0/public/netd.te
+++ b/prebuilts/api/30.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/30.0/public/vendor_toolbox.te b/prebuilts/api/30.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/30.0/public/vendor_toolbox.te
+++ b/prebuilts/api/30.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/private/access_vectors b/private/access_vectors
index f41eadd..8364bc5 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -711,6 +711,31 @@
gen_unique_id
}
+class keystore2
+{
+ add_auth
+ clear_ns
+ get_state
+ lock
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ delete
+ gen_unique_id
+ get_info
+ grant
+ list
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/private/adbd.te b/private/adbd.te
index b03c62e..f2bf3b3 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -105,6 +105,9 @@
# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)
+# Read service.adb.tcp.port property
+get_prop(adbd, adbd_config_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/apexd.te b/private/apexd.te
index 97e2539..b7d6702 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -37,6 +37,7 @@
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
+ LOOP_CONFIGURE
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
@@ -134,6 +135,9 @@
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
+# Allow transition to GKI update pre/post install domain
+domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
+
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/app.te b/private/app.te
index a42b60e..ab9cf3c 100644
--- a/private/app.te
+++ b/private/app.te
@@ -6,11 +6,13 @@
get_prop(appdomain, dalvik_config_prop)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
+get_prop(appdomain, radio_control_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)
+get_prop(appdomain, adbd_config_prop)
userdebug_or_eng(`perfetto_producer({ appdomain })')
@@ -49,5 +51,11 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+# Allow to read sendbug.preferred.domain
+get_prop(appdomain, sendbug_config_prop)
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
+
+# Allow to read persist.config.calibration_fac
+get_prop(appdomain, camera_calibration_prop)
diff --git a/private/atrace.te b/private/atrace.te
index ad7d177..585c254 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -59,7 +59,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-whitelisted services.
+# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
deleted file mode 100644
index 4a1218e..0000000
--- a/private/binder_in_vendor_violators.te
+++ /dev/null
@@ -1 +0,0 @@
-allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 0891ee5..cbe8ed7 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,5 +18,7 @@
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
use_keystore(binderservicedomain)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 1680361..0453b3d 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,6 +1,6 @@
# bluetooth app
-typeattribute bluetooth coredomain;
+typeattribute bluetooth coredomain, mlstrustedsubject;
app_domain(bluetooth)
net_domain(bluetooth)
diff --git a/private/bug_map b/private/bug_map
index c2670ef..eaa1593 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,6 +1,5 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
-gmscore_app ashmem_device chr_file b/160984921
gmscore_app system_data_file dir b/146166941
init app_data_file file b/77873135
init cache_file blk_file b/77873135
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
new file mode 100644
index 0000000..171f68a
--- /dev/null
+++ b/private/canhalconfigurator.te
@@ -0,0 +1,11 @@
+type canhalconfigurator, domain, coredomain;
+type canhalconfigurator_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(canhalconfigurator)
+
+# This allows the configurator to look up the CAN HAL controller via
+# hwservice_manager and communicate with it.
+allow canhalconfigurator hal_can_controller_hwservice:hwservice_manager find;
+binder_call(canhalconfigurator, hal_can_controller);
+allow canhalconfigurator hidl_manager_hwservice:hwservice_manager find;
+hwbinder_use(canhalconfigurator);
+get_prop(canhalconfigurator, hwservicemanager_prop);
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 0138743..1599a3e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -70,7 +70,6 @@
exported2_radio_prop
exported2_system_prop
exported2_vold_prop
- exported3_default_prop
exported3_radio_prop
exported3_system_prop
fastbootd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index c80c4dc..a566eaa 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -29,12 +29,14 @@
blank_screen_tmpfs
boot_status_prop
bootloader_boot_reason_prop
+ bootloader_prop
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
build_odm_prop
build_prop
build_vendor_prop
+ camera_calibration_prop
camera_config_prop
cgroup_bpf
charger_config_prop
@@ -95,6 +97,7 @@
hal_confirmationui_hwservice
hal_evs_hwservice
hal_health_storage_hwservice
+ hal_instrumentation_prop
hal_lowpan_hwservice
hal_secure_element_hwservice
hal_usb_gadget_hwservice
@@ -139,6 +142,7 @@
network_stack_service
network_watchlist_data_file
network_watchlist_service
+ oem_unlock_prop
overlayfs_file
packagemanager_config_prop
perfetto
@@ -146,7 +150,9 @@
perfetto_tmpfs
perfetto_traces_data_file
property_info
+ property_service_version_prop
provisioned_prop
+ radio_control_prop
recovery_config_prop
recovery_socket
retaildemo_prop
@@ -157,6 +163,7 @@
secure_element_device
secure_element_service
secure_element_tmpfs
+ sendbug_config_prop
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
@@ -177,6 +184,7 @@
surfaceflinger_color_prop
surfaceflinger_prop
staging_data_file
+ storagemanager_config_prop
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
@@ -229,6 +237,7 @@
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
watchdogd_tmpfs
+ wifi_config_prop
wifi_hal_prop
wm_trace_data_file
wpantund
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index c2babb8..d16d9ed 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,4 +1,5 @@
;; types removed from current policy
+(type cgroup_bpf)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_ffs_prop)
@@ -8,11 +9,17 @@
(type exported_vold_prop)
(type exported_wifi_prop)
(type exported2_config_prop)
+(type exported2_default_prop)
(type exported2_radio_prop)
+(type exported2_system_prop)
(type exported2_vold_prop)
+(type exported3_default_prop)
+(type exported3_radio_prop)
(type ffs_prop)
(type system_radio_prop)
+(typeattribute binder_in_vendor_violators)
+
(expandtypeattribute (DockObserver_service_30_0) true)
(expandtypeattribute (IProxyService_service_30_0) true)
(expandtypeattribute (accessibility_service_30_0) true)
@@ -1347,9 +1354,12 @@
(typeattributeset exported2_default_prop_30_0
( exported2_default_prop
aac_drc_prop
+ bootloader_prop
build_prop
+ hal_instrumentation_prop
init_service_status_prop
- libc_debug_prop))
+ libc_debug_prop
+ property_service_version_prop))
(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
(typeattributeset exported2_system_prop_30_0
( exported2_system_prop
@@ -1359,6 +1369,7 @@
(typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
(typeattributeset exported3_default_prop_30_0
( exported3_default_prop
+ camera_calibration_prop
camera_config_prop
charger_config_prop
drm_service_config_prop
@@ -1367,13 +1378,17 @@
lmkd_config_prop
media_config_prop
mediadrm_config_prop
+ oem_unlock_prop
packagemanager_config_prop
recovery_config_prop
+ sendbug_config_prop
+ storagemanager_config_prop
telephony_config_prop
tombstone_config_prop
vts_status_prop
+ wifi_config_prop
zram_config_prop))
-(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop))
+(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop radio_control_prop))
(typeattributeset exported3_system_prop_30_0
( exported3_system_prop
boot_status_prop
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 44a6799..1441a5b 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -5,12 +5,20 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adbd_config_prop
apex_info_file
debugfs_kprobes
+ gki_apex_prepostinstall
+ gki_apex_prepostinstall_exec
gnss_device
+ hal_dumpstate_config_prop
+ keystore2_key_contexts_file
mediatranscoding_tmpfs
+ people_service
profcollectd
profcollectd_data_file
profcollectd_exec
- profcollectd_service))
-
+ profcollectd_service
+ update_engine_stable_service
+ cgroup_v2
+ userspace_reboot_metadata_file))
diff --git a/private/coredomain.te b/private/coredomain.te
index d8ee85f..a4ab7e7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -4,11 +4,14 @@
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
+get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
@@ -32,7 +35,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/private/domain.te b/private/domain.te
index 9cd064a..a4abe53 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -74,18 +74,12 @@
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
- get_prop(domain, exported2_system_prop)
- get_prop(domain, exported3_default_prop)
- get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported2_system_prop)
- get_prop({coredomain appdomain shell}, exported3_default_prop)
- get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
@@ -111,7 +105,7 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -124,6 +118,9 @@
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
@@ -214,7 +211,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -331,7 +328,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/private/file_contexts b/private/file_contexts
index a4d967e..5cc5b9b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -62,6 +62,7 @@
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
# Use nonplat_service_contexts_file to allow servicemanager to read it
# on non full-treble devices.
@@ -201,6 +202,7 @@
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
+/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -258,6 +260,7 @@
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
@@ -329,6 +332,7 @@
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -419,6 +423,7 @@
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
@@ -431,6 +436,7 @@
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
@@ -448,6 +454,7 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
@@ -728,6 +735,7 @@
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b1cd127..433abbc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -103,7 +103,7 @@
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
@@ -253,6 +253,8 @@
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -301,6 +303,8 @@
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/gki_apex_prepostinstall.te b/private/gki_apex_prepostinstall.te
new file mode 100644
index 0000000..fa5cd14
--- /dev/null
+++ b/private/gki_apex_prepostinstall.te
@@ -0,0 +1,20 @@
+# GKI pre- & post-install hooks.
+#
+# Allow to run pre- and post-install hooks for GKI APEXes
+
+type gki_apex_prepostinstall, domain, coredomain;
+type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+# Execute /system/bin/sh.
+allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
+
+# Execute various toolsbox utilities.
+allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
+
+# Allow preinstall.sh to execute update_engine_stable_client binary.
+allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
+
+# Allow preinstall hook to communicate with update_engine to execute update.
+binder_use(gki_apex_prepostinstall)
+allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
+binder_call(gki_apex_prepostinstall, update_engine)
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 698857b..5022160 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -33,6 +33,7 @@
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index c467383..2e4254c 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,5 +64,3 @@
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
-
-get_prop(gpuservice, graphics_config_prop)
diff --git a/private/gsid.te b/private/gsid.te
index 3ff9d67..9d07adb 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -133,7 +133,10 @@
allowxperm gsid {
gsi_data_file
ota_image_data_file
-}:file ioctl FS_IOC_FIEMAP;
+}:file ioctl {
+ FS_IOC_FIEMAP
+ FS_IOC_GETFLAGS
+};
allow gsid system_server:binder call;
diff --git a/private/healthd.te b/private/healthd.te
index 921d33f..93bc3d8 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -9,5 +9,4 @@
# process when running in charger mode.
set_prop(healthd, system_prop)
set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported2_system_prop)
set_prop(healthd, exported3_system_prop)
diff --git a/private/heapprofd.te b/private/heapprofd.te
index ec3e4d0..7bd60a4 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/private/incidentd.te b/private/incidentd.te
index 656f69f..f10173b 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -145,7 +145,7 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/private/init.te b/private/init.te
index 49a98e0..1f7ce25 100644
--- a/private/init.te
+++ b/private/init.te
@@ -63,3 +63,12 @@
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { -init } vts_status_prop:property_service set;
+
+# Only init can write normal ro.boot. properties
+neverallow { -init } bootloader_prop:property_service set;
+
+# Only init can write hal.instrumentation.enable
+neverallow { -init } hal_instrumentation_prop:property_service set;
+
+# Only init can write ro.property_service.version
+neverallow { -init } property_service_version_prop:property_service set;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 33b5219..e9411f5 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -91,7 +91,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/private/keystore.te b/private/keystore.te
index 81b6dfb..2f62920c 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -16,3 +16,7 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
+
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
new file mode 100644
index 0000000..1c6573c
--- /dev/null
+++ b/private/keystore2_key_contexts
@@ -0,0 +1,15 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ... 2^31)
+# su_key is a keystore_key namespace for the su domain intended for native tests.
+0 u:object_r:su_key:s0
+
+# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+1 u:object_r:shell_key:s0
+
+# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
+100 u:object_r:vold_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
new file mode 100644
index 0000000..cff37eb
--- /dev/null
+++ b/private/keystore_keys.te
@@ -0,0 +1,12 @@
+# Specify keystore2_key namespaces in this file.
+# Please keep the names in alphabetical order and comment each new entry.
+
+# A keystore2_key namespace for the shell domain. Mainly used for native tests.
+type shell_key, keystore2_key_type;
+
+# A keystore2 namespace for the su domain. Mainly used for native tests.
+type su_key, keystore2_key_type;
+
+# A keystore2 namespace for vold. Vold need special permission to handle
+# its own Keymint blobs.
+type vold_key, keystore2_key_type;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 414b39f..3e08e42 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -16,4 +16,7 @@
# Allow linkerconfig to scan for apex modules
allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
new file mode 100644
index 0000000..b803dbc
--- /dev/null
+++ b/private/mlstrustedsubject.te
@@ -0,0 +1,32 @@
+# MLS override can't be used to access private app data.
+
+# Apps should not normally be mlstrustedsubject, but if they must be
+# they cannot use this to access app private data files; their own app
+# data files must use a different label.
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+
+# TODO(b/141677108): See if we can remove any of these.
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -adbd
+ -runas
+ -dexoptanalyzer
+ -zygote
+} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/private/nfc.te b/private/nfc.te
index 2e48eef..315b096 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,5 +1,5 @@
# nfc subsystem
-typeattribute nfc coredomain;
+typeattribute nfc coredomain, mlstrustedsubject;
app_domain(nfc)
net_domain(nfc)
diff --git a/private/perfetto.te b/private/perfetto.te
index 0161361..14707ac 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/private/property.te b/private/property.te
index 8817094..bc1934d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -140,9 +140,6 @@
exported_default_prop
exported_dumpstate_prop
exported_system_prop
- exported2_default_prop
- exported2_system_prop
- exported3_default_prop
exported3_system_prop
usb_control_prop
-nfc_prop
@@ -166,7 +163,7 @@
-hal_telephony_server
-vendor_init
} {
- exported3_radio_prop
+ radio_control_prop
}:property_service set;
neverallow {
@@ -237,8 +234,6 @@
core_property_type
dalvik_config_prop
extended_core_property_type
- exported2_system_prop
- exported3_default_prop
exported3_system_prop
systemsound_config_prop
-debug_prop
@@ -432,3 +427,36 @@
} {
localization_prop
}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -system_app
+} oem_unlock_prop:file no_rw_file_perms;
+
+neverallow {
+ -coredomain
+ -vendor_init
+} storagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} sendbug_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} camera_calibration_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -dumpstate
+ -hal_dumpstate_server
+ not_compatible_property(`-vendor_init')
+} hal_dumpstate_config_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index c5c6ecb..9a53c28 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -45,7 +45,6 @@
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
@@ -98,6 +97,9 @@
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+# adbd protoctl configuration property
+service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -129,7 +131,7 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
-# Don't allow blind access to all services
+# Don't allow uncontrolled access to all services
ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
ctl.start$ u:object_r:ctl_start_prop:s0
@@ -192,8 +194,6 @@
persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
vendor. u:object_r:vendor_default_prop:s0
-# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
-ro.boot. u:object_r:exported2_default_prop:s0
# Properties that relate to time / time zone detection behavior.
persist.time. u:object_r:time_prop:s0
@@ -238,6 +238,7 @@
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
@@ -266,6 +267,8 @@
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
+
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
@@ -344,6 +347,7 @@
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -359,14 +363,13 @@
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
-persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
+persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
-persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
-
-persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
@@ -383,7 +386,6 @@
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
@@ -398,8 +400,6 @@
ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
-
ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
@@ -421,6 +421,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
@@ -447,13 +448,11 @@
ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
-ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
-
-ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
@@ -465,9 +464,7 @@
zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
-ro.zygote u:object_r:exported3_default_prop:s0 exact string
-
-sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
@@ -520,17 +517,20 @@
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
+persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
-hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
# default contexts only accessible by coredomain
-init.svc. u:object_r:init_service_status_private_prop:s0 exact string
+init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
# vendor-init-readable init service props
init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
+init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
init.svc.console u:object_r:init_service_status_prop:s0 exact string
init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
+init.svc.statsd u:object_r:init_service_status_prop:s0 exact string
init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
@@ -545,29 +545,36 @@
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
-ro.arch u:object_r:exported2_default_prop:s0 exact string
+ro.arch u:object_r:build_prop:s0 exact string
-ro.baseband u:object_r:exported2_default_prop:s0 exact string
+# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
+ro.boot. u:object_r:bootloader_prop:s0
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.baseband u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootdevice u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
+ro.boot.console u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
+ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
+ro.boot.mode u:object_r:bootloader_prop:s0 exact string
+ro.boot.revision u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
-ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
-ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
-ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
-ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
-ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
-ro.boot.console u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
-ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
-ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
-ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
-ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
-ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+# These ro.X properties are set to values of ro.boot.X by property_service.
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
+
ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
-ro.bootloader u:object_r:exported2_default_prop:s0 exact string
-
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
@@ -608,6 +615,18 @@
ro.product.model u:object_r:build_prop:s0 exact string
ro.product.name u:object_r:build_prop:s0 exact string
+# Sanitizer properties
+ro.sanitize.address u:object_r:build_prop:s0 exact bool
+ro.sanitize.cfi u:object_r:build_prop:s0 exact bool
+ro.sanitize.default-ub u:object_r:build_prop:s0 exact bool
+ro.sanitize.fuzzer u:object_r:build_prop:s0 exact bool
+ro.sanitize.hwaddress u:object_r:build_prop:s0 exact bool
+ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool
+ro.sanitize.safe-stack u:object_r:build_prop:s0 exact bool
+ro.sanitize.scudo u:object_r:build_prop:s0 exact bool
+ro.sanitize.thread u:object_r:build_prop:s0 exact bool
+ro.sanitize.undefined u:object_r:build_prop:s0 exact bool
+
# All odm build props are set by /odm/build.prop
ro.odm.build.date u:object_r:build_odm_prop:s0 exact string
ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
@@ -650,11 +669,7 @@
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
-ro.hardware u:object_r:exported2_default_prop:s0 exact string
-
-ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
-
-ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
@@ -767,6 +782,8 @@
wifi.interface u:object_r:wifi_hal_prop:s0 exact string
wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
+ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
+
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
# Property to enable incremental feature
@@ -780,10 +797,6 @@
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
-
-ro.bootmode u:object_r:exported2_default_prop:s0 exact string
-
sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
# surfaceflinger properties
@@ -865,6 +878,8 @@
ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
# Graphics related properties
+ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+
ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
diff --git a/private/radio.te b/private/radio.te
index fad6174..2758289 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,12 +1,12 @@
-typeattribute radio coredomain;
+typeattribute radio coredomain, mlstrustedsubject;
app_domain(radio)
read_runtime_log_tags(radio)
# Property service
+set_prop(radio, radio_control_prop)
set_prop(radio, radio_prop)
-set_prop(radio, exported3_radio_prop)
set_prop(radio, net_radio_prop)
set_prop(radio, telephony_status_prop)
diff --git a/private/security_classes b/private/security_classes
index 04ed814..3e9bff0 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -153,8 +153,14 @@
# hardware service manager # userspace
class hwservice_manager
-# Keystore Key
+# Legacy Keystore key permissions
class keystore_key # userspace
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
class drmservice # userspace
# FLASK
diff --git a/private/service_contexts b/private/service_contexts
index 435f199..a78b108 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -13,8 +13,10 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.keystore2 u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -157,6 +159,7 @@
overlay u:object_r:overlay_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
+people u:object_r:people_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
diff --git a/private/shell.te b/private/shell.te
index 9758b36..090adb2 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,5 +1,4 @@
-
-typeattribute shell coredomain;
+typeattribute shell coredomain, mlstrustedsubject;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
@@ -141,10 +140,13 @@
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-# Allow to read graphics related properties.
-get_prop(shell, graphics_config_prop)
-
# Allow to issue control commands to profcollectd binder service.
userdebug_or_eng(`
allow shell profcollectd:binder call;
')
+
+# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
+allow shell keystore2_key_contexts_file:file r_file_perms;
+
+# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
+allow shell shell_key:keystore2_key { delete rebind use get_info list update };
diff --git a/private/su.te b/private/su.te
index 16e47bb..072e8db 100644
--- a/private/su.te
+++ b/private/su.te
@@ -20,4 +20,8 @@
permissive su;
app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
')
diff --git a/private/system_app.te b/private/system_app.te
index e160ff4..9298937 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,7 +4,7 @@
### server.
###
-typeattribute system_app coredomain;
+typeattribute system_app coredomain, mlstrustedsubject;
app_domain(system_app)
net_domain(system_app)
@@ -44,7 +44,6 @@
set_prop(system_app, system_prop)
set_prop(system_app, exported_bluetooth_prop)
set_prop(system_app, exported_system_prop)
-set_prop(system_app, exported2_system_prop)
set_prop(system_app, exported3_system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
@@ -136,6 +135,16 @@
user_changed
};
+allow system_app keystore:keystore2_key {
+ delete
+ get_info
+ grant
+ list
+ rebind
+ update
+ use
+};
+
# settings app reads /proc/version
allow system_app {
proc_version
@@ -153,6 +162,9 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Settings app reads ro.oem_unlock_supported
+get_prop(system_app, oem_unlock_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 81988fd..8191b6a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -29,7 +29,7 @@
allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -66,14 +66,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -118,7 +118,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
@@ -599,7 +599,6 @@
# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, exported_system_prop)
-set_prop(system_server, exported2_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
@@ -824,6 +823,26 @@
user_changed
};
+allow system_server keystore:keystore2 {
+ add_auth
+ clear_ns
+ get_state
+ lock
+ reset
+ unlock
+};
+
+allow system_server keystore:keystore2_key {
+ delete
+ use_dev_id
+ grant
+ get_info
+ list
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
@@ -886,9 +905,6 @@
# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)
-# Read ro.gfx.* properties
-get_prop(system_server, graphics_config_prop)
-
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
@@ -914,6 +930,8 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
@@ -992,6 +1010,8 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
+get_prop(system_server, wifi_config_prop)
+
###
### Neverallow rules
###
@@ -1141,6 +1161,9 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
@@ -1182,6 +1205,10 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
@@ -1196,3 +1223,10 @@
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
neverallow { domain -init -system_server } boot_status_prop:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} wifi_config_prop:file no_rw_file_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index dd6ece0..36f9c51 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/private/update_engine.te b/private/update_engine.te
index 539399e..a33e675 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -14,3 +14,6 @@
# Allow to get the DSU status
get_prop(update_engine, gsid_prop)
+
+# Allow update_engine to call the callback function provided by GKI update hook.
+binder_call(update_engine, gki_apex_prepostinstall)
diff --git a/private/vold.te b/private/vold.te
index 580dabd..ce451ac 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -31,3 +31,17 @@
set_prop(vold, ota_prop)
set_prop(vold, boottime_prop)
set_prop(vold, boottime_public_prop)
+
+# Vold will use Keystore instead of using Keymint directly. But it still needs
+# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
+allow vold vold_key:keystore2_key {
+ delete
+ get_info
+ list
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+};
+
diff --git a/public/app.te b/public/app.te
index 433bb7d..8263c09 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,8 +66,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -292,6 +295,7 @@
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
use_keystore({ appdomain -isolated_app -ephemeral_app })
@@ -539,7 +543,9 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
neverallow {
bluetooth
isolated_app
@@ -560,7 +566,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/public/attributes b/public/attributes
index 19623af..ce6e540 100644
--- a/public/attributes
+++ b/public/attributes
@@ -101,13 +101,16 @@
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
+# All keystore2_key labels.
+attribute keystore2_key_type;
+
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
define(`product_property_type', `system_property_type')
-define(`product_internal_type', `system_internal_property_type')
-define(`product_restricted_type', `system_restricted_property_type')
-define(`product_public_type', `system_public_property_type')
+define(`product_internal_property_type', `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type', `system_public_property_type')
# All properties defined by /vendor.
attribute vendor_property_type;
@@ -197,11 +200,6 @@
attribute coredomain_socket;
expandattribute coredomain_socket false;
-# All vendor domains which violate the requirement of not using Binder
-# TODO(b/35870313): Remove this once there are no violations
-attribute binder_in_vendor_violators;
-expandattribute binder_in_vendor_violators false;
-
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
diff --git a/public/domain.te b/public/domain.te
index 984a882..58b2d98 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -95,6 +95,7 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
+get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
@@ -104,12 +105,13 @@
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
-get_prop(domain, exported2_default_prop)
get_prop(domain, fingerprint_prop)
+get_prop(domain, hal_instrumentation_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
@@ -271,19 +273,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -299,7 +301,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -342,7 +344,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to an allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -357,7 +359,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowed domains.
neverallow {
domain
-kernel
@@ -539,8 +541,6 @@
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
- neverallow { domain -init } exported2_default_prop:property_service set;
- neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
')
@@ -554,7 +554,7 @@
neverallow { domain -init } build_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowed domains.
neverallow {
domain
-adbd
@@ -644,7 +644,6 @@
neverallow {
domain
-coredomain
- -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
} {
service_manager_type
-vendor_service
@@ -941,7 +940,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowed here.
neverallow {
domain
-coredomain
@@ -979,7 +978,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowed here.
neverallow {
coredomain
-init
@@ -1008,7 +1007,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowed here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1043,7 +1042,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowed here.
neverallow {
domain
-appdomain
@@ -1236,7 +1235,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 63eb1e9..763467f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -76,10 +76,12 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
+ hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
+ hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -91,6 +93,7 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
+ hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
@@ -139,6 +142,7 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_thermal)
dump_hal(hal_power)
@@ -336,6 +340,8 @@
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate apex_info_file:file getattr;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 4c5b541..4144956 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,7 +77,7 @@
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
-type cgroup_bpf, fs_type;
+type cgroup_v2, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
@@ -233,6 +233,8 @@
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
@@ -511,6 +513,9 @@
# service_contexts file
type service_contexts_file, system_file_type, file_type;
+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
@@ -526,7 +531,7 @@
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
-allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index ff7a884..8cf2411 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -18,6 +18,7 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
binder_call(fingerprintd, system_server);
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e1739c2..6ab9727 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -23,6 +23,7 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
+allow gatekeeperd keystore:keystore2 { add_auth };
# For permissions checking
allow gatekeeperd system_server:binder call;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index b7676ed..9f854e3 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,8 @@
binder_call(hal_dumpstate_client, hal_dumpstate_server)
binder_call(hal_dumpstate_server, hal_dumpstate_client)
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
+
hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 7966271..4cb0c5a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -21,8 +21,8 @@
# property service
get_prop(hal_telephony_server, telephony_config_prop)
+set_prop(hal_telephony_server, radio_control_prop)
set_prop(hal_telephony_server, radio_prop)
-set_prop(hal_telephony_server, exported3_radio_prop)
set_prop(hal_telephony_server, telephony_status_prop)
allow hal_telephony_server tty_device:chr_file rw_file_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/public/init.te b/public/init.te
index 7dc522a..f84bacb 100644
--- a/public/init.te
+++ b/public/init.te
@@ -96,7 +96,7 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_v2:dir { mounton create_dir_perms };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
@@ -579,6 +579,7 @@
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir create_dir_perms;
allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 4cc3bba..3c7758a 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1059,6 +1059,7 @@
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1370,6 +1371,7 @@
define(`LOGGER_SET_VERSION', `0x0000ae06')
define(`LOOP_CHANGE_FD', `0x00004c06')
define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
define(`LOOP_CTL_ADD', `0x00004c80')
define(`LOOP_CTL_GET_FREE', `0x00004c82')
define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/public/keystore.te b/public/keystore.te
index 27c4624..3fac95f 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain;
+type keystore, domain, keystore2_key_type;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
diff --git a/public/logd.te b/public/logd.te
index f8dd164..b0acb14 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -38,6 +38,9 @@
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { map open read };
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
+
###
### Neverallow rules
###
diff --git a/public/netd.te b/public/netd.te
index 55b6283..48e79b7 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
@@ -62,7 +62,7 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
-r_dir_file(netd, cgroup_bpf)
+r_dir_file(netd, cgroup_v2)
allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
diff --git a/public/property.te b/public/property.te
index c845d00..5f48884 100644
--- a/public/property.te
+++ b/public/property.te
@@ -59,15 +59,18 @@
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
system_restricted_prop(fingerprint_prop)
+system_restricted_prop(hal_instrumentation_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(property_service_version_prop)
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
@@ -90,7 +93,6 @@
system_restricted_prop(device_logging_prop)
system_restricted_prop(dhcp_prop)
system_restricted_prop(dumpstate_prop)
- system_restricted_prop(exported2_default_prop)
system_restricted_prop(exported3_system_prop)
system_restricted_prop(exported_dumpstate_prop)
system_restricted_prop(exported_secure_prop)
@@ -107,10 +109,12 @@
# Properties which can be written only by vendor_init
system_vendor_config_prop(aaudio_config_prop)
+system_vendor_config_prop(adbd_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
+system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(cpu_variant_prop)
@@ -119,7 +123,6 @@
system_vendor_config_prop(exported_camera_prop)
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(ffs_config_prop)
system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
@@ -129,9 +132,12 @@
system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(sendbug_config_prop)
system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(storagemanager_config_prop)
system_vendor_config_prop(surfaceflinger_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
@@ -145,6 +151,7 @@
system_vendor_config_prop(vndk_prop)
system_vendor_config_prop(vts_config_prop)
system_vendor_config_prop(vold_config_prop)
+system_vendor_config_prop(wifi_config_prop)
system_vendor_config_prop(zram_config_prop)
# Properties with no restrictions
@@ -160,12 +167,11 @@
system_public_prop(debug_prop)
system_public_prop(dumpstate_options_prop)
system_public_prop(exported_system_prop)
-system_public_prop(exported2_system_prop)
-system_public_prop(exported3_radio_prop)
system_public_prop(exported_bluetooth_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
system_public_prop(ffs_control_prop)
+system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
system_public_prop(lmkd_prop)
@@ -177,6 +183,7 @@
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
+system_public_prop(radio_control_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(surfaceflinger_color_prop)
@@ -238,7 +245,6 @@
system_public_prop(device_logging_prop)
system_public_prop(dhcp_prop)
system_public_prop(dumpstate_prop)
- system_public_prop(exported2_default_prop)
system_public_prop(exported3_system_prop)
system_public_prop(exported_dumpstate_prop)
system_public_prop(exported_secure_prop)
diff --git a/public/service.te b/public/service.te
index 7a65f96..07ab90f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -34,6 +34,7 @@
type system_app_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
+type update_engine_stable_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
@@ -141,6 +142,7 @@
type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type people_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 99d4603..cefc44d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -47,6 +47,7 @@
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
+ dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
diff --git a/public/update_engine.te b/public/update_engine.te
index ba2f3cf..b7cf827 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -35,6 +35,7 @@
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
+add_service(update_engine, update_engine_stable_service)
# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 48cdeb8..609880a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,6 +57,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -75,6 +76,7 @@
-gsi_metadata_file
-apex_metadata_file
-apex_info_file
+ -userspace_reboot_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -89,6 +91,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -104,6 +107,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -118,6 +122,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
@@ -219,15 +224,13 @@
set_prop(vendor_init, exported_default_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, exported2_system_prop)
-set_prop(vendor_init, exported3_default_prop)
-set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, ffs_control_prop)
set_prop(vendor_init, incremental_prop)
set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
set_prop(vendor_init, surfaceflinger_color_prop)
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2b25ed7..9209b66 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -13,11 +13,11 @@
Use file_contexts and policy to verify Treble requirements
are not violated.
'''
-coredomainWhitelist = {
+coredomainAllowlist = {
# TODO: how do we make sure vendor_init doesn't have bad coupling with
# /vendor? It is the only system process which is not coredomain.
'vendor_init',
- # TODO(b/152813275): need to avoid whitelist for rootdir
+ # TODO(b/152813275): need to avoid allowlist for rootdir
"modprobe",
"slideshow",
"healthd",
@@ -92,7 +92,7 @@
domain.coredomain = True
coredomains.add(d)
# check whether domains are executed off of /system or /vendor
- if d in coredomainWhitelist:
+ if d in coredomainAllowlist:
continue
# TODO(b/153112003): add checks to prevent app domains from being
# incorrectly labeled as coredomain. Apps don't have entrypoints as
@@ -294,7 +294,7 @@
return ret
def TestViolatorAttributes():
- ret = TestViolatorAttribute("binder_in_vendor_violators")
+ ret = ""
ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
ret += TestViolatorAttribute("vendor_executes_system_violators")
return ret
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 6d60a12..1d695c0 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -459,7 +459,7 @@
log_info("Validating %s=%s\n", key, value);
/*
- * Neverallows are completely skipped from sanity checking so you can match
+ * Neverallows are completely skipped from validity checking so you can match
* un-unspecified inputs.
*/
if (is_neverallow) {
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index ca1e432..51b4ab6 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -56,7 +56,7 @@
# If we ended the certificate trip the flag
inCert = False
- # Sanity check the input
+ # Check the input
if len(base64Key) == 0:
sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
+ path)