Merge "microdroid: allow init_debug_policy.sh to handle AVF debug policy"
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 1b578ea..af366d8 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,2 +1,3 @@
 (/.*)?                  u:object_r:system_file:s0
 /bin/for-system/clatd   u:object_r:clatd_exec:s0
+/lib(64)?(/.*)          u:object_r:system_lib_file:s0
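Review bot: The new entry `/lib(64)?(/.*)` omits the trailing `?` that the `(/.*)?` entry on the first line uses, so the `/lib` and `/lib64` directories themselves stay labeled system_file and only their contents become system_lib_file. If the directories are meant to be system_lib_file as well, the pattern should read `/lib(64)?(/.*)?          u:object_r:system_lib_file:s0`; if the split is deliberate, a one-line comment saying so would keep the next reader from "fixing" it.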
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 383a282..ed92f1a 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -80,7 +80,7 @@
 		return paths, nil
 	}
 
-	return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedStringKeys(b.srcs), " "))
+	return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedKeys(b.srcs), " "))
 }
 
 var _ android.OutputFileProducer = (*buildFiles)(nil)
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 2c1c416..efb5947 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -233,7 +233,7 @@
 		"devicestoragemonitor":                                            EXCEPTION_NO_FUZZER,
 		"diskstats":                                                       EXCEPTION_NO_FUZZER,
 		"display":                                                         EXCEPTION_NO_FUZZER,
-		"dnsresolver":                                                     EXCEPTION_NO_FUZZER,
+		"dnsresolver":                                                     []string{"resolv_service_fuzzer"},
 		"domain_verification":                                             EXCEPTION_NO_FUZZER,
 		"color_display":                                                   EXCEPTION_NO_FUZZER,
 		"netd_listener":                                                   EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 477f78f..22f2ffa 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -746,16 +746,6 @@
 	use_dev_id
 }
 
-class diced
-{
-	demote
-	demote_self
-	derive
-	get_attestation_chain
-	use_seal
-	use_sign
-}
-
 class drmservice {
 	consumeRights
 	setPlaybackStatus
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 0d3cc80..200b030 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -163,8 +163,5 @@
 # Keystore 2.0 key permissions
 class keystore2_key             # userspace
 
-# Diced permissions
-class diced                     # userspace
-
 class drmservice                # userspace
 # FLASK
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 61bf8fb..cfefc67 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -139,9 +139,6 @@
 attribute halclientdomain;
 expandattribute halclientdomain true;
 
-# HALs
-hal_attribute(dice);
-
 # All types used for DMA-BUF heaps
 attribute dmabuf_heap_device_type;
 expandattribute dmabuf_heap_device_type false;
diff --git a/private/app.te b/private/app.te
index 49b8cde..b6b4714 100644
--- a/private/app.te
+++ b/private/app.te
@@ -52,6 +52,9 @@
 get_prop(appdomain, device_config_runtime_native_prop)
 get_prop(appdomain, device_config_runtime_native_boot_prop)
 
+# Allow the heap dump ART plugin to the count of sessions waiting for OOME
+get_prop(appdomain, traced_oome_heap_session_count_prop)
+
 # Allow to read ro.vendor.camera.extensions.enabled
 get_prop(appdomain, camera2_extensions_prop)
 
diff --git a/private/bug_map b/private/bug_map
index 083c213..656121f 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -29,6 +29,7 @@
 system_server sdcardfs file b/77856826
 system_server system_server capability b/228030183
 system_server zygote process b/77856826
+tombstone_transmit tombstone_transmit capability b/264420112
 untrusted_app untrusted_app netlink_route_socket b/155595000
 vold system_data_file file b/124108085
 zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 56da496..5737284 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,4 +1,9 @@
 ;; types removed from current policy
+(type dice_maintenance_service)
+(type dice_node_service)
+(type diced)
+(type diced_exec)
+(type hal_dice_service)
 (type iorap_inode2filename)
 (type iorap_inode2filename_exec)
 (type iorap_inode2filename_tmpfs)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 238cb96..3b61f73 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -42,15 +42,22 @@
     keystore_config_prop
     ntfs
     ondevicepersonalization_system_service
+    fuseblk
+    fuseblkd_untrusted
+    fuseblkd_untrusted_exec
+    fuseblkd
+    fuseblkd_exec
     permissive_mte_prop
     prng_seeder
     recovery_usb_config_prop
     remote_provisioning_service
     rkpdapp
     servicemanager_prop
+    shutdown_checkpoints_system_data_file
     stats_config_data_file
     system_net_netd_service
     timezone_metadata_prop
+    traced_oome_heap_session_count_prop
     tuner_config_prop
     tuner_server_ctl_prop
     ublk_block_device
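Review bot: The five new fuseblk* entries are inserted between `ondevicepersonalization_system_service` and `permissive_mte_prop`, which breaks the alphabetical order the rest of this list follows; they belong in the `f` range earlier in the list. Separately, `ntfs` remains listed although `type ntfs` is removed from public/file.te in this change; if ntfs was never part of the 33.0 policy it should simply drop out of this ignore list rather than stay as a stale entry, which is worth confirming against the 33.0 mapping.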
diff --git a/private/crash_dump.te b/private/crash_dump.te
index bc6020e..60962cb 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,8 +8,6 @@
   -apexd
   -bpfloader
   -crash_dump
-  -crosvm # TODO(b/236672526): Remove exception for crosvm
-  -diced
   -init
   -kernel
   -keystore
@@ -44,7 +42,6 @@
   apexd
   userdebug_or_eng(`-apexd')
   bpfloader
-  diced
   init
   kernel
   keystore
diff --git a/private/crosvm.te b/private/crosvm.te
index aae8323..df97235 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -79,6 +79,12 @@
 # crosvm only needs write permission, so dontaudit read
 dontaudit crosvm virtualizationmanager:fifo_file read;
 
+# Required for crosvm to start gdb-server to enable debugging of guest kernel.
+allow crosvm self:tcp_socket { bind create read setopt write accept listen };
+allow crosvm port:tcp_socket name_bind;
+allow crosvm adbd:unix_stream_socket ioctl;
+allow crosvm node:tcp_socket node_bind;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
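Review bot: The four new allow rules let crosvm create and listen on TCP sockets in every build — `port:tcp_socket name_bind` covers any `port`-labeled port and `node_bind` any node — although the comment scopes them to running a gdb-server for guest-kernel debugging. A guest-kernel debug stub exposes VM memory to whatever can reach that socket, so these should be limited to debuggable builds or to the debug-policy path the merge title refers to, e.g. wrapping the block in ``userdebug_or_eng(`...')`` the way crash_dump.te uses ``userdebug_or_eng(`-apexd')`` in this same change. If a production use case exists, the comment should name it, and `allow crosvm adbd:unix_stream_socket ioctl;` deserves its own justification since it is not part of TCP listening.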
diff --git a/private/diced.te b/private/diced.te
deleted file mode 100644
index b37809c..0000000
--- a/private/diced.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute diced coredomain;
-
-init_daemon_domain(diced)
-
-# Talk to dice HAL.
-hal_client_domain(diced, hal_dice)
diff --git a/private/domain.te b/private/domain.te
index b858d4e..1e5e0f5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,9 +2,7 @@
 # This occurs when the process crashes.
 # We do not apply this to the su domain to avoid interfering with
 # tests (b/114136122)
-# We exempt crosvm because parts of its memory are inaccessible to the
-# kernel. TODO(b/238324526): Remove this.
-domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
+domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Allow every process to check the heapprofd.enable properties to determine
@@ -20,7 +18,6 @@
   -bpfloader
   -crash_dump
   -crosvm # TODO(b/236672526): Remove exception for crosvm
-  -diced
   -init
   -kernel
   -keystore
@@ -38,7 +35,7 @@
 can_profile_heap({
   dumpable_domain
   -app_zygote
-  -hal_configstore
+  -hal_configstore_server
   -logpersist
   -recovery
   -recovery_persist
@@ -51,7 +48,7 @@
 can_profile_perf({
   dumpable_domain
   -app_zygote
-  -hal_configstore
+  -hal_configstore_server
   -webview_zygote
   -zygote
 })
diff --git a/private/file_contexts b/private/file_contexts
index 6166065..57fcdfb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -233,6 +233,8 @@
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/ntfsfix	--	u:object_r:fsck_exec:s0
+/system/bin/ntfs-3g	--	u:object_r:fuseblkd_untrusted_exec:s0
+/system/bin/ntfs-3g-compart	--	u:object_r:fuseblkd_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl	--	u:object_r:toolbox_exec:s0
@@ -288,7 +290,6 @@
 /system/bin/credstore	u:object_r:credstore_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/keystore2	u:object_r:keystore_exec:s0
-/system/bin/diced      u:object_r:diced_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/tombstoned u:object_r:tombstoned_exec:s0
@@ -781,6 +782,9 @@
 # User icon files
 /data/system/users/[0-9]+/photo\.png             u:object_r:icon_file:s0
 
+# Shutdown-checkpoints files
+/data/system/shutdown-checkpoints(/.*)?          u:object_r:shutdown_checkpoints_system_data_file:s0
+
 # vold per-user data
 /data/misc_de/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
diff --git a/private/fuseblkd.te b/private/fuseblkd.te
new file mode 100644
index 0000000..4423913
--- /dev/null
+++ b/private/fuseblkd.te
@@ -0,0 +1,31 @@
+# Compartmentalized domain specifically for mounting fuseblk filesystems.
+# We need this to not grant fuseblkd_untrusted sys_admin permissions.
+type fuseblkd_exec, system_file_type, exec_type, file_type;
+type fuseblkd, domain;
+
+typeattribute fuseblkd coredomain;
+
+# Required for mount and unmounting. We can't minimize this permission,
+# even though we only allow mount/unmount.
+allow fuseblkd self:global_capability_class_set sys_admin;
+
+# Permissions for the fuseblk filesystem.
+allow fuseblkd fuse_device:chr_file rw_file_perms;
+allow fuseblkd fuseblk:filesystem { mount unmount };
+allow fuseblkd fuseblkd_untrusted:fd use;
+
+# Look through block devices to find the correct one.
+allow fuseblkd block_device:dir search;
+
+# Permissions to mount on the media_rw directory for USB drives.
+allow fuseblkd mnt_media_rw_file:dir search;
+allow fuseblkd mnt_media_rw_stub_file:dir mounton;
+
+###
+### neverallow rules
+###
+
+# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
+neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
+neverallow * fuseblkd:process dyntransition;
+neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;
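Review bot: fuseblkd is entered from fuseblkd_untrusted via domain_auto_trans but is granted `fuseblkd_untrusted:fd use` only; fuseblkd_untrusted in turn inherits stdin/stdout from vold (`allow fuseblkd_untrusted vold:fd use;` in fuseblkd_untrusted.te), and if those vold-created descriptors are still open at the second exec they will be closed (replaced with /dev/null) in fuseblkd for lack of `allow fuseblkd vold:fd use;`. Likewise nothing here grants fuseblkd read/write on any blk_file type, so the mount must rely on a descriptor opened before the transition — which is still checked against the new domain's file permissions on inherited fds — or on access this policy does not show; confirming on a device that the mount succeeds with no denials would settle it. A comment stating how fuseblkd receives the block device (path argument vs. inherited fd) would make the intended flow explicit.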
diff --git a/private/fuseblkd_untrusted.te b/private/fuseblkd_untrusted.te
new file mode 100644
index 0000000..b99a49c
--- /dev/null
+++ b/private/fuseblkd_untrusted.te
@@ -0,0 +1,82 @@
+# Fuseblk is a Filesystem in USErspace for block device. It should only be used
+# to mount untrusted blocks like USB drives.
+type fuseblkd_untrusted_exec, system_file_type, exec_type, file_type;
+type fuseblkd_untrusted, domain;
+
+typeattribute fuseblkd_untrusted coredomain;
+
+domain_auto_trans(fuseblkd_untrusted, fuseblkd_exec, fuseblkd);
+
+# Allow stdin/out back to vold.
+allow fuseblkd_untrusted vold:fd use;
+
+# Allows fuseblk to read block devices.
+allow fuseblkd_untrusted block_device:dir search;
+
+# Permissions to read dynamic partitions blocks.
+allow fuseblkd_untrusted super_block_device:blk_file getattr;
+
+# Permissions to access FUSE character devices.
+allow fuseblkd_untrusted fuse_device:chr_file { getattr open read write };
+
+# Permissions to access /mnt/media_rw/.
+allow fuseblkd_untrusted mnt_media_rw_file:dir { getattr search };
+allow fuseblkd_untrusted mnt_media_rw_stub_file:dir getattr;
+
+# Permissions to read device mappers.
+allow fuseblkd_untrusted sysfs_dm:dir search;
+allow fuseblkd_untrusted sysfs_dm:file { getattr open read };
+allow fuseblkd_untrusted dm_device:blk_file getattr;
+
+# Permissions to read links in tmpfs.
+allow fuseblkd_untrusted tmpfs:lnk_file read;
+
+# Permissions to read loop device blocks.
+allow fuseblkd_untrusted loop_device:blk_file getattr;
+
+# Permissions to access the /proc/filesystems file.
+allow fuseblkd_untrusted proc_filesystems:file { open read getattr };
+
+###
+### dontaudit rules
+###
+
+# ntfs-3g wants this permission to read a fork return code, for some reason.
+# It's unclear why, because it still reads the fork return code correctly,
+# and nothing breaks. If enforce is set to permissive, the audit goes away.
+dontaudit fuseblkd_untrusted self:capability sys_admin;
+
+###
+### neverallow rules
+###
+
+# Fuseblk should never be run on block devices holding sensitive data.
+neverallow fuseblkd_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold, and only through fuseblkd_untrusted_exec binaries.
+neverallow { domain -vold } fuseblkd_untrusted:process transition;
+neverallow * fuseblkd_untrusted:process dyntransition;
+neverallow fuseblkd_untrusted { file_type fs_type -fuseblkd_untrusted_exec }:file entrypoint;
+
+# Under no circumstances should fuseblkd_untrusted or any other fuseblk filesystem be
+# given sys_admin access. They are fundementally untrusted, insecure filesystems.
+# The correct solution here is to compartmentalize permissions correctly so that
+# a smaller binary can get the required permissions. See fuseblkd.te.
+# Similar to above, we don't need setgid or setuid permissions.
+neverallow fuseblkd_untrusted self:capability { setgid setuid sys_admin };
+neverallow fuseblkd_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+
+# Since we can't have sys_admin permissions, we definitely can't have mount/unmount
+# permissions, since we won't be able to use them. Same with relabel permissions.
+neverallow fuseblkd_untrusted fuseblk:filesystem { mount unmount relabelto relabelfrom};
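Review bot: The neverallow block explains why fuseblkd_untrusted must never hold sys_admin, but not that the `domain_auto_trans(fuseblkd_untrusted, fuseblkd_exec, fuseblkd)` line makes the compartment's argument handling the actual trust boundary: a compromised ntfs-3g can exec ntfs-3g-compart with arguments of its choosing, and policy only pins fuseblkd to `mnt_media_rw_stub_file:dir mounton`. A comment above the transition such as `# fuseblkd runs with sys_admin and is reachable from this untrusted domain; it must validate its arguments.` would record that. Two cosmetic items on the new lines: "fundementally" should be "fundamentally", and `relabelfrom}` on the last line is missing a space before the brace.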
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 77e3954..f5a92ac 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -187,6 +187,9 @@
 genfscon debugfs /tracing/per_cpu/cpu                 u:object_r:debugfs_tracing:s0
 genfscon tracefs /per_cpu/cpu                         u:object_r:debugfs_tracing:s0
 
+genfscon debugfs /tracing/hyp                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /hyp                                 u:object_r:debugfs_tracing:s0
+
 genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
 genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
 genfscon debugfs /tracing/instances/bootreceiver      u:object_r:debugfs_bootreceiver_tracing:s0
@@ -385,9 +388,9 @@
 genfscon vfat / u:object_r:vfat:s0
 genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
-genfscon ntfs / u:object_r:ntfs:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
 genfscon configfs / u:object_r:configfs:s0
 genfscon sdcardfs / u:object_r:sdcardfs:s0
 genfscon esdfs / u:object_r:sdcardfs:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 1b41823..91418b5 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -52,8 +52,7 @@
   apexd
   app_zygote
   bpfloader
-  diced
-  hal_configstore
+  hal_configstore_server
   init
   kernel
   keystore
diff --git a/private/llkd.te b/private/llkd.te
index 8512e85..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -23,7 +23,6 @@
   allow llkd {
     domain
     -apexd
-    -diced
     -kernel
     -keystore
     -init
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index dc6882b..7ad8feb 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -11,6 +11,10 @@
 # Allow MediaProvider to host a FUSE daemon for external storage
 allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
 
+# Allow MediaProvider to access fuseblk devices for external storage.
+allow mediaprovider_app fuseblk:dir create_dir_perms;
+allow mediaprovider_app fuseblk:file create_file_perms;
+
 # Allow MediaProvider to read/write media_rw_data_file files and dirs
 allow mediaprovider_app media_userdir_file:dir r_dir_perms;
 allow mediaprovider_app media_rw_data_file:file create_file_perms;
diff --git a/private/property.te b/private/property.te
index 4f806d4..4fd9bc3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -632,6 +632,7 @@
   domain
   -init
   -remote_prov_app
+  -shell
 } remote_prov_prop:property_service set;
 
 neverallow {
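Review bot: Adding `-shell` to this neverallow exclusion, together with `set_prop(shell, remote_prov_prop)` in the shell.te hunk, lets the adb shell set remote-provisioning (RKP) properties on all builds, while the shell.te comment describes the grant as being for testing. Unless a CTS test needs it on user builds, both sides should be gated to debuggable builds — ``userdebug_or_eng(`-shell')`` here and ``userdebug_or_eng(`set_prop(shell, remote_prov_prop)')`` in shell.te — the same pattern crash_dump.te uses in this change. If user builds do need it, the shell.te comment should name the test that requires it.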
diff --git a/private/property_contexts b/private/property_contexts
index c980696..4ce654c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -221,6 +221,9 @@
 # heapprofd properties
 heapprofd.              u:object_r:heapprofd_prop:s0
 
+# traced properties
+traced.oome_heap_session.count u:object_r:traced_oome_heap_session_count_prop:s0 exact uint
+
 # servicemanager properties
 servicemanager.ready    u:object_r:servicemanager_prop:s0 exact bool
 
@@ -869,6 +872,7 @@
 # Populated on Android Studio Emulator (for emulator specific workarounds)
 ro.boot.qemu               u:object_r:bootloader_prop:s0 exact bool
 ro.boot.revision           u:object_r:bootloader_prop:s0 exact string
+ro.boot.serialconsole      u:object_r:bootloader_prop:s0 exact bool
 ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
 ro.boot.verifiedbootstate  u:object_r:bootloader_prop:s0 exact string
 ro.boot.veritymode         u:object_r:bootloader_prop:s0 exact string
@@ -1469,6 +1473,7 @@
 
 # dck properties
 ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+ro.gms.dck.se_capability u:object_r:dck_prop:s0 exact int
 
 # virtualization service properties
 virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/private/service_contexts b/private/service_contexts
index db48f62..6543e3f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -84,7 +84,6 @@
 android.hardware.radio.voice.IRadioVoice/slot2                       u:object_r:hal_radio_service:s0
 android.hardware.radio.voice.IRadioVoice/slot3                       u:object_r:hal_radio_service:s0
 android.hardware.rebootescrow.IRebootEscrow/default                  u:object_r:hal_rebootescrow_service:s0
-android.hardware.security.dice.IDiceDevice/default                   u:object_r:hal_dice_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
 android.hardware.gatekeeper.IGatekeeper/default                      u:object_r:hal_gatekeeper_service:s0
@@ -136,8 +135,6 @@
 android.security.apc                      u:object_r:apc_service:s0
 android.security.authorization            u:object_r:authorization_service:s0
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
-android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
-android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.security.legacykeystore           u:object_r:legacykeystore_service:s0
diff --git a/private/shell.te b/private/shell.te
index 02105a9..cdbf7c2 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -101,6 +101,9 @@
 # Allow shell to set this property used for rollback tests
 set_prop(shell, rollback_test_prop)
 
+# Allow shell to set RKP properties for testing purposes
+set_prop(shell, remote_prov_prop)
+
 # Allow shell to get encryption policy of /data/local/tmp/, for CTS
 allowxperm shell shell_data_file:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/system_server.te b/private/system_server.te
index a39eaa2..27e5594 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -102,10 +102,12 @@
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 
-# May kill zygote on crashes.
+# May kill zygote (or its child processes) on crashes.
 allow system_server {
   app_zygote
   crash_dump
+  crosvm
+  virtualizationmanager
   webview_zygote
   zygote
 }:process { getpgid sigkill signull };
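Review bot: The updated comment `# May kill zygote (or its child processes) on crashes.` does not describe the two newly listed domains — crosvm and virtualizationmanager are not zygote children — so the rule's purpose for them is undocumented. Something like `# May kill zygote (or its child processes), and VM processes started via virtualizationmanager, on crashes.` would cover both cases, assuming that is the intent; the change itself does not say why system_server needs sigkill on them.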
@@ -839,6 +841,9 @@
 # Write tuner.server.enable
 set_prop(system_server, tuner_server_ctl_prop)
 
+# Allow the heap dump ART plugin to the count of sessions waiting for OOME
+get_prop(system_server, traced_oome_heap_session_count_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -1487,6 +1492,10 @@
 allow system_server self:perf_event { open write cpu kernel };
 neverallow system_server self:perf_event ~{ open write cpu kernel };
 
+# Allow writing files under /data/system/shutdown-checkpoints/
+allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
+allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;
+
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
 
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 27ea187..485ce53 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -47,7 +47,7 @@
 ; Apps, except isolated apps, are clients of Neuralnetworks HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
 
 ; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
 ; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
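Review bot: The CIL expression now excludes only `isolated_app`, but the module-language comment two lines above still reads `typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;`, so the comment and the rule disagree. If the narrowing is intentional, the comment should say `-isolated_app`; if not, any other member of `isolated_app_all` (the attribute this line previously excluded) now gains hal_neuralnetworks_client. Either way the reason for the switch deserves a one-line comment, since this file is where such exceptions are meant to be recorded.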
diff --git a/private/traced.te b/private/traced.te
index 3029094..171e092 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -60,6 +60,11 @@
 set_prop(traced, system_trace_prop)
 # Allow to lazily start producers.
 set_prop(traced, traced_lazy_prop)
+# Allow tracking the count of sessions intercepting Java OutOfMemoryError
+# If there are such tracing sessions and an OutOfMemoryError is thrown by ART,
+# the hprof plugin intercepts the error, lazily registers a data source to
+# traced and collects a heap dump.
+set_prop(traced, traced_oome_heap_session_count_prop)
 
 # Allow traced to talk to statsd for logging metrics.
 unix_socket_send(traced, statsdw, statsd)
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 080b6fe..640b054 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -66,8 +66,7 @@
   apexd
   app_zygote
   bpfloader
-  diced
-  hal_configstore
+  hal_configstore_server
   init
   kernel
   keystore
diff --git a/private/vold.te b/private/vold.te
index 40c1a57..957e5d0 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -5,6 +5,7 @@
 # Switch to more restrictive domains when executing common tools
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
+domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
 
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
diff --git a/public/attributes b/public/attributes
index 4897be5..0b5f596 100644
--- a/public/attributes
+++ b/public/attributes
@@ -336,7 +336,6 @@
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
-hal_attribute(dice);
 hal_attribute(drm);
 hal_attribute(dumpstate);
 hal_attribute(evs);
diff --git a/public/diced.te b/public/diced.te
deleted file mode 100644
index 0908936..0000000
--- a/public/diced.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type diced, domain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-binder_use(diced)
-binder_service(diced)
-
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# Check SELinux permissions.
-selinux_check_access(diced)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 6b112dc..e626133 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -368,6 +368,10 @@
 
 use_apex_info(dumpstate)
 
+# Allow reading files under /data/system/shutdown-checkpoints/
+allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
+allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/file.te b/public/file.te
index 1e13e53..9ca6802 100644
--- a/public/file.te
+++ b/public/file.te
@@ -154,10 +154,10 @@
 type shm, fs_type;
 type mqueue, fs_type;
 type fuse, fusefs_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fusefs_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
-type ntfs, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
@@ -380,6 +380,8 @@
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 # /vendor/apex
 type vendor_apex_file, vendor_file_type, file_type;
+# /data/system/shutdown-checkpoints
+type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 8510c94..7e981bf 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -47,3 +47,21 @@
 neverallow { domain -vold } fsck_untrusted:process transition;
 neverallow * fsck_untrusted:process dyntransition;
 neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
+
+# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
+# permissions, that is a code mistake that needs to be fixed, not a permission that
+# should be granted. Same with setgid and setuid.
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+
+###
+### dontaudit rules
+###
+
+# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
+# here, but nothing bad happens if they can't, and they shouldn't be allowed.
+dontaudit fsck_untrusted sysfs:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;
+
+# Ignore attempts to access tmpfs. fsck don't need to do this.
+dontaudit fsck_untrusted tmpfs:lnk_file read;
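Review bot: `dontaudit fsck_untrusted sysfs:file rw_file_perms;` and the two sysfs_dm lines also silence write attempts, and a write to sysfs from a domain that handles untrusted filesystems is exactly the denial one would want to see. If the observed noise is only reads (the comment says fsck binaries "try to go here"), narrowing to `dontaudit fsck_untrusted sysfs:file r_file_perms;` with `r_file_perms`/`r_dir_perms` on the sysfs_dm lines keeps the log quiet without hiding the interesting case. The new neverallow on setgid/setuid/sys_admin mirrors the one added for fuseblkd_untrusted in this change, which keeps the two untrusted helpers consistent.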
diff --git a/public/hal_audio.te b/public/hal_audio.te
index aabc884..237ffcd 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -22,6 +22,8 @@
 
 # Needed to allow sound trigger hal to access shared memory from apps.
 allow hal_audio_server appdomain:fd use;
+# Allow sound trigger hal to access shared memory from system server.
+allow hal_audio_server system_server_tmpfs:file { getattr map read };
 
 # allow self to set scheduler (and allows Binder RT PI)
 allow hal_audio_server self:global_capability_class_set sys_nice;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 8867a8d..d26e1db 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -47,11 +47,11 @@
 # Should never need sdcard access
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
+    fuse sdcardfs vfat exfat fuseblk     # manual expansion for completeness
 }:dir ~getattr;
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
+    fuse sdcardfs vfat exfat fuseblk     # manual expansion for completeness
 }:file *;
 
 # Do not permit access to service_manager and vndservice_manager
diff --git a/public/hal_dice.te b/public/hal_dice.te
deleted file mode 100644
index 92222c5..0000000
--- a/public/hal_dice.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e4f1d21..a0826bb 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,7 +5,7 @@
 hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
 hal_attribute_service(hal_wifi, hal_wifi_service)
 
-binder_call(hal_wifi_server, servicemanager)
+binder_use(hal_wifi_server)
 
 r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/ioctl_defines b/public/ioctl_defines
index e900173..1dd2e3d 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -170,6 +170,7 @@
 define(`BLKRESETZONE', `0x40101283')
 define(`BLKROGET', `0x0000125e')
 define(`BLKROSET', `0x0000125d')
+define(`BLKBSZSET', `0x00001271')
 define(`BLKROTATIONAL', `0x0000127e')
 define(`BLKRRPART', `0x0000125f')
 define(`BLKSECDISCARD', `0x0000127d')
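Review bot: `BLKBSZSET` is entered as `0x00001271`, i.e. as a plain `_IO(0x12, 113)`, whereas the kernel header defines it as `_IOW(0x12, 113, size_t)`, which carries direction and size bits (I compute 0x40081271 on 64-bit and 0x40041271 on 32-bit) the way `BLKRESETZONE` above is written with its full value. SELinux ioctl xperm matching uses only the low 16 bits of the command, so the rule should still match, but the value is inconsistent with the rest of the file and will mislead anyone cross-checking against the headers; please verify against the kernel definition and record the full value if that is this file's convention.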
@@ -826,6 +827,7 @@
 define(`FS_IOC_FIEMAP', `0xc020660b')
 define(`FS_IOC_FSGETXATTR', `0x801c581f')
 define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_KEY_STATUS', `0xc080661a')
 define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
 define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
diff --git a/public/property.te b/public/property.te
index e4470d6..74dd0f5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -94,6 +94,7 @@
 system_restricted_prop(surfaceflinger_display_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(traced_oome_heap_session_count_prop)
 system_restricted_prop(ab_update_gki_prop)
 system_restricted_prop(usb_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
diff --git a/public/service.te b/public/service.te
index 68fd9e2..82a713a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,8 +10,6 @@
 type fwk_camera_service,        service_manager_type;
 type default_android_service,   service_manager_type;
 type device_config_updatable_service,       system_api_service, system_server_service,service_manager_type;
-type dice_maintenance_service,  service_manager_type;
-type dice_node_service,         service_manager_type;
 type dnsresolver_service,       service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
@@ -236,7 +234,7 @@
 type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, app_api_service, system_server_service, service_manager_type;
+type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
 type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
@@ -285,7 +283,6 @@
 type hal_cas_service, hal_service_type, service_manager_type;
 type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
-type hal_dice_service, protected_service, hal_service_type, service_manager_type;
 type hal_drm_service, hal_service_type, service_manager_type;
 type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
 type hal_evs_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 209bf49..3d204e1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -51,6 +51,7 @@
   FS_IOC_SET_ENCRYPTION_POLICY
   FS_IOC_ADD_ENCRYPTION_KEY
   FS_IOC_REMOVE_ENCRYPTION_KEY
+  FS_IOC_GET_ENCRYPTION_KEY_STATUS
 };
 
 # Only vold and init should ever set file-based encryption policies.
@@ -65,7 +66,7 @@
 neverallowxperm {
   domain
   -vold
-} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
 
 # Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
 # tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7d9119e..ac23351 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -95,7 +95,6 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)?  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software   u:object_r:hal_dice_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te
deleted file mode 100644
index 832e717..0000000
--- a/vendor/hal_dice_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_dice_default, domain;
-hal_server_domain(hal_dice_default, hal_dice)
-
-type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dice_default)