Merge "Allow llkd to stat() /proc/sysrq-trigger"
diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 22f2ffa..5ff7aef 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@@ -726,6 +726,7 @@
get_state
list
lock
+ pull_metrics
report_off_body
reset
unlock
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index 32b2594..b923cdb 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -209,4 +209,5 @@
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
index d4aed40..d9e351c 100644
--- a/prebuilts/api/31.0/private/atrace.te
+++ b/prebuilts/api/31.0/private/atrace.te
@@ -27,15 +27,16 @@
allow atrace {
service_manager_type
-apex_service
- -incident_service
- -iorapd_service
- -netd_service
-dnsresolver_service
- -stats_service
-dumpstate_service
+ -incident_service
-installd_service
- -vold_service
+ -iorapd_service
-lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index be59151..4484823 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -65,12 +65,15 @@
hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
+ hal_uwb_service
hal_weaver_service
hw_timeout_multiplier_prop
keystore_compat_hal_service
keystore_maintenance_service
+ keystore_metrics_service
keystore2_key_contexts_file
legacy_permission_service
+ legacykeystore_service
location_time_zone_manager_service
media_communication_service
media_metrics_service
@@ -139,7 +142,6 @@
vibrator_manager_service
virtualization_service
vpn_management_service
- vpnprofilestore_service
watchdog_metadata_file
wifi_key
zygote_config_prop))
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -161,6 +161,7 @@
system_server_service
app_api_service
system_api_service
+ -tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
index 02f326d..6d2b6a8 100644
--- a/prebuilts/api/31.0/private/service_contexts
+++ b/prebuilts/api/31.0/private/service_contexts
@@ -37,9 +37,10 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 10b8177..239686e 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -90,6 +90,7 @@
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
+ -tracingproxy_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index f35f9a8..73301c1 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -853,6 +853,7 @@
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
clear_uid
get_state
lock
+ pull_metrics
reset
unlock
};
diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/prebuilts/api/31.0/private/traced.te
+++ b/prebuilts/api/31.0/private/traced.te
@@ -116,3 +116,6 @@
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/wificond.te b/prebuilts/api/31.0/private/wificond.te
index 8bf37ca..3fdaca2 100644
--- a/prebuilts/api/31.0/private/wificond.te
+++ b/prebuilts/api/31.0/private/wificond.te
@@ -6,4 +6,6 @@
get_prop(wificond, hwservicemanager_prop)
+allow wificond legacykeystore_service:service_manager find;
+
init_daemon_domain(wificond)
diff --git a/prebuilts/api/31.0/public/attributes b/prebuilts/api/31.0/public/attributes
index daef4bb..2e01f1e 100644
--- a/prebuilts/api/31.0/public/attributes
+++ b/prebuilts/api/31.0/public/attributes
@@ -358,6 +358,7 @@
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
+hal_attribute(uwb);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
index d84abf1..799a2f1 100644
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@@ -677,6 +677,7 @@
-credstore_service
-keystore_maintenance_service
-keystore_service
+ -legacykeystore_service
-mediadrmserver_service
-mediaextractor_service
-mediametrics_service
@@ -684,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vpnprofilestore_service
-vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
index 0214e2a..faec074 100644
--- a/prebuilts/api/31.0/public/hal_neverallows.te
+++ b/prebuilts/api/31.0/public/hal_neverallows.te
@@ -8,6 +8,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -25,6 +26,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -36,11 +38,20 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} {
domain
userdebug_or_eng(`-su')
}:tcp_socket *;
+# The UWB HAL is not actually a networking HAL but may need to bring up and down
+# interfaces. Restrict it to only these networking operations.
+neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+
+# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
+# udp_socket is required to use interface ioctls.
+neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+
###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
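Review bot: The comment above `neverallow hal_uwb_server self:global_capability_class_set { net_raw };` says the HAL is restricted "to only these networking operations", yet only net_raw is denied, so net_admin (which the three new `-hal_uwb_server` exemptions above no longer forbid) stays available to it; if that is intended, say so, e.g. `# net_admin is deliberately left available for bringing interfaces up and down; only net_raw is denied.`. The class list in the hal_uwb_server socket neverallow is hand-enumerated rather than derived from socket_class_set in global_macros, so classes that set carries but this list omits (netlink_generic_socket and sctp_socket appear to be two) remain reachable, and future additions to the macro will not propagate here. A comment recording that the list is meant to be socket_class_set minus udp_socket and the unix socket classes would make the omission deliberate rather than accidental. Only the prebuilts snapshot is in this chunk; the same applies to the public/hal_neverallows.te copy it mirrors.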
diff --git a/prebuilts/api/31.0/public/keystore.te b/prebuilts/api/31.0/public/keystore.te
index 155322c..b7d5090 100644
--- a/prebuilts/api/31.0/public/keystore.te
+++ b/prebuilts/api/31.0/public/keystore.te
@@ -20,7 +20,8 @@
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
-add_service(keystore, vpnprofilestore_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
index a0d77c1..8121d04 100644
--- a/prebuilts/api/31.0/public/service.te
+++ b/prebuilts/api/31.0/public/service.te
@@ -20,7 +20,9 @@
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
@@ -43,7 +45,6 @@
type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
-type vpnprofilestore_service, service_manager_type;
type vr_hwc_service, service_manager_type;
type vrflinger_vsync_service, service_manager_type;
diff --git a/prebuilts/api/31.0/public/te_macros b/prebuilts/api/31.0/public/te_macros
index 2a218cb..200b2e3 100644
--- a/prebuilts/api/31.0/public/te_macros
+++ b/prebuilts/api/31.0/public/te_macros
@@ -635,7 +635,7 @@
allow keystore $1:process getattr;
allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
- allow $1 vpnprofilestore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
diff --git a/private/access_vectors b/private/access_vectors
index 22f2ffa..3732a52 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -395,6 +395,7 @@
nlmsg_read
nlmsg_write
nlmsg_readpriv
+ nlmsg_getneigh
}
class netlink_tcpdiag_socket
@@ -726,6 +727,7 @@
get_state
list
lock
+ pull_metrics
report_off_body
reset
unlock
diff --git a/private/adbd.te b/private/adbd.te
index c2c6164..c19630f 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -77,8 +77,8 @@
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
+allow adbd { sdcard_type fuse }:dir create_dir_perms;
+allow adbd { sdcard_type fuse }:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
diff --git a/private/apexd.te b/private/apexd.te
index 32b2594..b923cdb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -209,4 +209,5 @@
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 096a41b..5c41b02 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -11,6 +11,7 @@
untrusted_app_25
untrusted_app_27
untrusted_app_29
+ untrusted_app_30
untrusted_app_all
}')
# Receive or send uevent messages.
@@ -119,6 +120,15 @@
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+} domain:netlink_route_socket nlmsg_getneigh;
+
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
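Review bot: The new `nlmsg_getneigh` neverallow exempts four legacy domains by name while the all_untrusted_apps definition in the earlier hunk of this file also gained `untrusted_app_30`, so the two lists now have to be maintained together, and the rule gives no reason for the exemption. Add a comment such as `# Apps in the legacy target-SDK domains (untrusted_app_25/27/29/30) keep RTM_GETNEIGH for compatibility; newer targets are denied.` so the next person adding a domain knows whether to exempt it. The exemption presumably tracks target SDK level, given the untrusted_app_30 mapping added in seapp_contexts; confirm that is the intent.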
@@ -131,6 +141,7 @@
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
+ -fuse
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 4ee3af7..004c108 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -41,6 +41,9 @@
# Check SELinux permissions.
selinux_check_access(app_zygote)
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
######
###### Policy below is shared with regular zygote-spawned apps
######
@@ -79,6 +82,9 @@
get_prop(app_zygote, device_config_runtime_native_prop)
get_prop(app_zygote, device_config_runtime_native_boot_prop)
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
#####
##### Neverallow
#####
diff --git a/private/atrace.te b/private/atrace.te
index d4aed40..d9e351c 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -27,15 +27,16 @@
allow atrace {
service_manager_type
-apex_service
- -incident_service
- -iorapd_service
- -netd_service
-dnsresolver_service
- -stats_service
-dumpstate_service
+ -incident_service
-installd_service
- -vold_service
+ -iorapd_service
-lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/private/audioserver.te b/private/audioserver.te
index feda8d4..ca29373 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -7,6 +7,7 @@
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
+r_dir_file(audioserver, fuse)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 7c508cd..c943973 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -73,8 +73,10 @@
hw_timeout_multiplier_prop
keystore_compat_hal_service
keystore_maintenance_service
+ keystore_metrics_service
keystore2_key_contexts_file
legacy_permission_service
+ legacykeystore_service
location_time_zone_manager_service
media_communication_service
media_metrics_service
@@ -145,7 +147,6 @@
vibrator_manager_service
virtualization_service
vpn_management_service
- vpnprofilestore_service
watchdog_metadata_file
wifi_key
zygote_config_prop))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index f9e073e..9cb5c92 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,4 +9,6 @@
camera2_extensions_prop
power_stats_service
transformer_service
+ proc_watermark_boost_factor
+ untrusted_app_30
))
diff --git a/private/crosvm.te b/private/crosvm.te
index f7729fd..b139286 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,3 +14,10 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+
+# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
+# as they must be passed via virtualizationservice.
+allow crosvm apk_data_file:file { getattr read };
+allow crosvm app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow crosvm shell_data_file:file { getattr read write };
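Review bot: The comment above `allow crosvm apk_data_file:file { getattr read };` states that crosvm must not open these files directly and must receive them from virtualizationservice, but nothing in the hunk enforces that; the allow rules merely omit `open`, so a later rule granting it would silently break the stated invariant. If no other rule grants it, pin the invariant next to the allows with `neverallow crosvm { apk_data_file app_data_file shell_data_file }:file open;`. The write access on app_data_file and shell_data_file also means crosvm can modify whatever client-owned files it is handed, which is worth stating in the comment.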
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 28d8b9a..e7cdd5f 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -79,6 +79,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index b99349e..8eb1d29 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -53,4 +53,4 @@
get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index b91d36d..63e1bde 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -354,8 +354,8 @@
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
+# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
+# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
@@ -369,6 +369,7 @@
-zygote
} { fs_type
-sdcard_type
+ -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e004891..3b916e2 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -17,7 +17,7 @@
app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
@@ -87,8 +87,8 @@
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
diff --git a/private/file_contexts b/private/file_contexts
index d34f64f..2ac0981 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -370,6 +370,7 @@
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
+/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
#############################
# Vendor files
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 55d1a9a..f6675ac 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -19,6 +19,7 @@
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
+set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3499aa0..b890ba6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -86,6 +86,7 @@
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
diff --git a/private/gsid.te b/private/gsid.te
index 8a13cb1..2ccc51c 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -84,7 +84,7 @@
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
allow gsid { shell su }:fifo_file r_file_perms;
# Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
+ allow gsid { sdcard_type fuse }:file r_file_perms;
')
neverallow {
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..918ffda 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -140,6 +140,8 @@
# Access the runtime feature flag properties.
get_prop(incidentd, device_config_runtime_native_prop)
get_prop(incidentd, device_config_runtime_native_boot_prop)
+# Access odsign verification status.
+get_prop(incidentd, odsign_prop)
# ART locks profile files.
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
@@ -161,6 +163,7 @@
system_server_service
app_api_service
system_api_service
+ -tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
diff --git a/private/installd.te b/private/installd.te
index c89ba8b..726e5aa 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -40,6 +40,9 @@
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 71749c0..800775b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -33,7 +33,7 @@
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -110,10 +110,10 @@
# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 0e4a50e..e8a85e5 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -21,6 +21,9 @@
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
+# Talk to the AudioServer service
+allow mediaprovider_app audioserver_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
diff --git a/private/odsign.te b/private/odsign.te
index 0ff3b7b..57ca048 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -41,7 +41,7 @@
# For ART apex data dir access
allow odsign apex_module_data_file:dir { getattr search };
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
# Run odrefresh to refresh ART artifacts
diff --git a/private/platform_app.te b/private/platform_app.te
index f746f1c..55ccbde 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,6 +71,12 @@
# Allow platform apps to log via statsd.
binder_call(platform_app, statsd)
+# Allow platform applications to find and call artd for testing
+userdebug_or_eng(`
+ allow platform_app artd_service:service_manager find;
+ binder_call(platform_app, artd)
+')
+
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms;
diff --git a/private/property.te b/private/property.te
index 01d4fd9..d6ddbdf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -10,6 +10,7 @@
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(device_config_surface_flinger_native_boot_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 62862e9..593274f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -52,6 +52,7 @@
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc. u:object_r:nfc_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
logd. u:object_r:logd_prop:s0
@@ -241,6 +242,7 @@
persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -438,6 +440,8 @@
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
+
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
diff --git a/private/recovery.te b/private/recovery.te
index 00d7132..bba2a0d 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -43,4 +43,7 @@
set_prop(recovery, fastbootd_protocol_prop)
get_prop(recovery, recovery_config_prop)
+
+ # Needed to read bootconfig parameters through libfs_mgr
+ allow recovery proc_bootconfig:file r_file_perms;
')
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1d38fd9..c7daf6b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -5,11 +5,9 @@
# Input selectors:
# isSystemServer (boolean)
# isEphemeralApp (boolean)
-# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
-# path (string)
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
@@ -17,7 +15,7 @@
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
# value.
-# A user, name, or path string selector that ends in * will perform a prefix
+# A user, or name string selector that ends in * will perform a prefix
# match.
# String matching is case-insensitive.
# See external/selinux/libselinux/src/android/android_platform.c,
@@ -26,7 +24,6 @@
# isSystemServer=true only matches the system server.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isOwner=true will only match for the owner/primary user.
# user=_app will match any regular app process.
# user=_isolated will match any isolated service process.
# Other values of user are matched against the name associated with the process
@@ -35,7 +32,6 @@
# mac_permissions.xml files.
# The ':' character is reserved and may not be used in seinfo.
# name= matches against the package name of the app.
-# path= matches against the directory path when labeling app directories.
# isPrivApp=true will only match for applications preinstalled in
# /system/priv-app.
# minTargetSdkVersion will match applications with a targetSdkVersion
@@ -50,19 +46,16 @@
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
# boolean.
-# (3) Specified isOwner= before unspecified isOwner= boolean.
-# (4) Specified user= string before unspecified user= string;
+# (3) Specified user= string before unspecified user= string;
# more specific user= string before less specific user= string.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string;
+# (4) Specified seinfo= string before unspecified seinfo= string.
+# (5) Specified name= string before unspecified name= string;
# more specific name= string before less specific name= string.
-# (7) Specified path= string before unspecified path= string.
-# more specific name= string before less specific name= string.
-# (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (9) Higher value of minTargetSdkVersion= before lower value of
+# (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (7) Higher value of minTargetSdkVersion= before lower value of
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
-# (10) fromRunAs=true before fromRunAs=false.
+# (8) fromRunAs=true before fromRunAs=false.
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -168,7 +161,8 @@
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
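Review bot: With the two changed entries, apps with targetSdkVersion 31 land in untrusted_app_30 rather than untrusted_app, because the 32 entry is checked first and, as the precedence text earlier in this file implies, a minTargetSdkVersion= selector is a lower bound; the domain name suggests a narrower range than it covers. A short comment on the new untrusted_app_30 line, e.g. `# targetSdk 30 and 31 (minTargetSdkVersion is a lower bound)`, would prevent that misreading. The ordering itself is consistent with precedence rule (7) above.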
diff --git a/private/service_contexts b/private/service_contexts
index c020a04..f8c1607 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -37,9 +37,10 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/private/simpleperf.te b/private/simpleperf.te
index 0639c11..9c70060 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -5,7 +5,16 @@
typeattribute simpleperf coredomain;
type simpleperf_exec, system_file_type, exec_type, file_type;
-domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
+define(`simpleperf_profileable_apps', `{
+ ephemeral_app
+ isolated_app
+ platform_app
+ priv_app
+ untrusted_app_all
+}')
+
+domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
# When running in this domain, simpleperf is scoped to profiling an individual
# app. The necessary MAC permissions for profiling are more maintainable and
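Review bot: The profileable-app set defined here as the m4 macro `simpleperf_profileable_apps` is written out a second time as a literal list in private/simpleperf_app_runner.te (`allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition;`), so the two can drift apart without any build error. Since the same set gates simpleperf's ptrace and /proc access in the next hunk and the dyntransition target of the runner, a single definition is the safer choice: move the define into public/te_macros (touched at the end of this diff) and use it in both files, or express it as an attribute assigned to each of the five domains. Whether a define placed in one private .te file is visible from another depends on the order the files are fed to m4, which is a further reason to keep it in te_macros.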
@@ -16,14 +25,19 @@
# Allow ptrace attach to the target app, for reading JIT debug info (using
# process_vm_readv) during unwinding and symbolization.
-allow simpleperf untrusted_app_all:process ptrace;
+allow simpleperf simpleperf_profileable_apps:process ptrace;
# Allow using perf_event_open syscall for profiling the target app.
allow simpleperf self:perf_event { open read write kernel };
# Allow /proc/<pid> access for the target app (for example, when trying to
# discover it by cmdline).
-r_dir_file(simpleperf, untrusted_app_all)
+r_dir_file(simpleperf, simpleperf_profileable_apps)
+
+# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow simpleperf_profileable_apps simpleperf:process signal;
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
index 8501826..184a80a 100644
--- a/private/simpleperf_app_runner.te
+++ b/private/simpleperf_app_runner.te
@@ -1,3 +1,45 @@
typeattribute simpleperf_app_runner coredomain;
domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
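Review bot: The dyntransition target set on the `allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition;` line now includes priv_app and platform_app, but the neverallow block only pins capabilities, so a later widening of the transition targets would pass policy checks unnoticed. A matching rule makes the intended bound explicit: `neverallow simpleperf_app_runner { domain -ephemeral_app -isolated_app -platform_app -priv_app -untrusted_app_all }:process dyntransition;`. The comment on the setcon line could also state that the debuggable/profileable check is enforced by the runner binary itself, and that policy only limits which domains it may enter.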
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 7a92bd4..9900600 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -61,6 +61,7 @@
# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
@@ -142,7 +143,7 @@
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
+neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
# b/68864350
dontaudit surfaceflinger unlabeled:dir search;
diff --git a/private/system_app.te b/private/system_app.te
index 10b8177..239686e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -90,6 +90,7 @@
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
+ -tracingproxy_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
diff --git a/private/system_server.te b/private/system_server.te
index f35f9a8..5d685c3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -708,7 +708,7 @@
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
-
+set_prop(system_server, device_config_surface_flinger_native_boot_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
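Review bot: The new `set_prop(system_server, device_config_surface_flinger_native_boot_prop)` line replaces the blank line that separated the set_prop group from the `# Allow query ART device config properties` comment, so the two groups now run together. Keep the blank line after the added rule so the grouping of the surrounding file is preserved.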
@@ -853,6 +853,7 @@
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
clear_uid
get_state
lock
+ pull_metrics
reset
unlock
};
@@ -965,7 +967,7 @@
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server { sdcard_type fuse }:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
@@ -1159,8 +1161,8 @@
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+neverallow system_server { sdcard_type fuse }:dir { open read write };
+neverallow system_server { sdcard_type fuse }:file rw_file_perms;
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
@@ -1216,6 +1218,7 @@
device_config_runtime_native_prop
device_config_media_native_prop
device_config_storage_native_boot_prop
+ device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
device_config_swcodec_native_prop
device_config_window_manager_native_boot_prop
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 3301304..064e038 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,6 +7,10 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
diff --git a/private/toolbox.te b/private/toolbox.te
index 6077f0b..b4a3466 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -3,5 +3,5 @@
init_daemon_domain(toolbox)
# rm -rf /data/misc/virtualizationservice
-allow toolbox virtualizationservice_data_file:dir { remove_name rmdir };
-allow toolbox virtualizationservice_data_file:file { getattr unlink };
+allow toolbox virtualizationservice_data_file:dir create_dir_perms;
+allow toolbox virtualizationservice_data_file:file create_file_perms;
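Review bot: The new `create_dir_perms`/`create_file_perms` grants go beyond what the `# rm -rf /data/misc/virtualizationservice` comment justifies: deleting a tree needs search/read/open/remove_name/rmdir on directories and getattr/unlink on files, while the create sets additionally allow toolbox to create, write and setattr files under virtualizationservice_data_file. If toolbox really needs to recreate or populate the directory, update the comment to say so; otherwise keep the previous minimal sets and add only the permissions that were actually missing (presumably `{ search open read }` on the dir).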
diff --git a/private/traced.te b/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -116,3 +116,6 @@
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 6e7a99c..62d458d 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
+### targetSdkVersion >= 32.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 82c07ff..4235d7e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -48,3 +48,7 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7a326a5..c747af1 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index d03f399..6bb2606 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -14,3 +14,7 @@
untrusted_app_domain(untrusted_app_29)
net_domain(untrusted_app_29)
bluetooth_domain(untrusted_app_29)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
new file mode 100644
index 0000000..e0a71ef
--- /dev/null
+++ b/private/untrusted_app_30.te
@@ -0,0 +1,22 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 29 < targetSdkVersion <= 31.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
+###
+
+typeattribute untrusted_app_30 coredomain;
+
+app_domain(untrusted_app_30)
+untrusted_app_domain(untrusted_app_30)
+net_domain(untrusted_app_30)
+bluetooth_domain(untrusted_app_30)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6064c14..f7dfdeb 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,8 +170,3 @@
# according to the heuristic of lockdown.
allow untrusted_app_all self:lockdown integrity;
')
-
-# Allow signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow untrusted_app_all simpleperf:process signal;
diff --git a/private/vdc.te b/private/vdc.te
index bc7409e..63c9c2a 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -1,3 +1,6 @@
typeattribute vdc coredomain;
init_daemon_domain(vdc)
+
+# Allow stdin/out back to vehicle_binding_util
+allow vdc vehicle_binding_util:fd use;
diff --git a/private/vehicle_binding_util.te b/private/vehicle_binding_util.te
new file mode 100644
index 0000000..76d0756
--- /dev/null
+++ b/private/vehicle_binding_util.te
@@ -0,0 +1,20 @@
+# vehicle binding util startup application
+type vehicle_binding_util, domain, coredomain;
+
+# allow init to start vehicle_binding_util
+type vehicle_binding_util_exec, exec_type, file_type, system_file_type;
+init_daemon_domain(vehicle_binding_util)
+
+# allow writing to kmsg during boot
+allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
+
+# allow reading the binding property from vhal
+hwbinder_use(vehicle_binding_util)
+hal_client_domain(vehicle_binding_util, hal_vehicle)
+
+# allow executing vdc
+domain_auto_trans(vehicle_binding_util, vdc_exec, vdc)
+
+# devpts is needed to redirect output from vdc
+allow vehicle_binding_util devpts:chr_file rw_file_perms;
+
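Review bot: The new file ends with a trailing blank line (the last added line is empty), which the other .te files in this diff do not carry; drop it. The `allow vehicle_binding_util devpts:chr_file rw_file_perms;` grant is wider than the `{ read write ioctl }` devpts rule used for simpleperf_app_runner earlier in this diff; if the util only needs its stdout/stderr redirected for vdc, as the comment says, the narrower set is the better fit.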
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4c6f1f9..9b82e01 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -23,3 +23,21 @@
# Let virtualizationservice access its data directory.
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+
+# virtualizationservice_use(client)
+define(`virtualizationservice_use', `
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let the client pass file descriptors to virtualizationservice.
+allow virtualizationservice $1:fd use;
+')
+
+# Let the shell user call virtualizationservice for debugging.
+virtualizationservice_use(shell)
+
+# Let virtualizationservice read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationservice apk_data_file:file { getattr read };
+allow virtualizationservice app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationservice shell_data_file:file { getattr read write };
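Review bot: The comment above the apk_data_file/app_data_file/shell_data_file rules says the files must be passed over Binder and never opened directly, but that property is only implied by `open` being absent from the permission sets, so a later edit adding `open` would not be caught. Pinning it with `neverallow virtualizationservice { apk_data_file app_data_file shell_data_file }:file open;` turns the comment into a build-time check. Unless it is meant to stay private-only, the `virtualizationservice_use` define would conventionally live in public/te_macros next to the other `*_use` macros so that other policy files can call it.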
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 10bcf1c..3473eca 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -87,6 +87,9 @@
get_prop(webview_zygote, device_config_runtime_native_prop)
get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
#####
##### Neverallow
#####
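Review bot: The added rule grants the property to the wrong domain: the comment says webview_zygote, but the line reads `get_prop(zygote, odsign_prop)`, which is the same rule zygote.te adds further down in this diff, so webview_zygote still cannot read odsign_prop and zygote's grant is merely duplicated. It should be `get_prop(webview_zygote, odsign_prop)`.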
diff --git a/private/wificond.te b/private/wificond.te
index 8bf37ca..3fdaca2 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -6,4 +6,6 @@
get_prop(wificond, hwservicemanager_prop)
+allow wificond legacykeystore_service:service_manager find;
+
init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index dd42a81..651fb10 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -152,8 +152,8 @@
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
+allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type fuse }:file { create_file_perms };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
@@ -217,6 +217,9 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)
diff --git a/public/app.te b/public/app.te
index 5527f99..7de9c00 100644
--- a/public/app.te
+++ b/public/app.te
@@ -261,8 +261,8 @@
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
@@ -569,6 +569,9 @@
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+# allow system_app to access Nfc-related system properties.
+set_prop(system_app, nfc_prop)
+
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
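Review bot: `set_prop(system_app, nfc_prop)` is a single-domain rule dropped into public/app.te between appdomain-wide rules; the usual home for it is system_app.te, which this diff already edits. Since set_prop grants write access to the property, the comment should also say which system_app component needs to set nfc_prop rather than only read it, so the grant can be narrowed later if that component moves.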
diff --git a/public/attributes b/public/attributes
index 2e01f1e..15c5000 100644
--- a/public/attributes
+++ b/public/attributes
@@ -18,6 +18,12 @@
# All types used for context= mounts.
attribute contextmount_type;
+# All types referencing a FUSE filesystem.
+# When mounting a new FUSE filesystem, the fscontext= option should be used to
+# set a domain-specific type with this attribute. See app_fusefs for an
+# example.
+attribute fusefs_type;
+
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
diff --git a/public/domain.te b/public/domain.te
index d84abf1..799a2f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -677,6 +677,7 @@
-credstore_service
-keystore_maintenance_service
-keystore_service
+ -legacykeystore_service
-mediadrmserver_service
-mediaextractor_service
-mediametrics_service
@@ -684,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vpnprofilestore_service
-vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
diff --git a/public/drmserver.te b/public/drmserver.te
index eede0fc..d515079 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -18,11 +18,11 @@
# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)
-allow drmserver sdcard_type:dir search;
+allow drmserver { sdcard_type fuse }:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
+allow drmserver { sdcard_type fuse }:file { read write getattr map };
r_dir_file(drmserver, efs_file)
type drmserver_socket, file_type;
diff --git a/public/file.te b/public/file.te
index 20348b5..cfac66d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -13,6 +13,7 @@
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
+type proc_watermark_boost_factor, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -138,7 +139,7 @@
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
+type fuse, fusefs_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
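Review bot: Removing `sdcard_type` from `type fuse` on the `type fuse, fusefs_type, fs_type, mlstrustedobject;` line silently changes the meaning of every existing `sdcard_type` rule that this commit does not rewrite, including any in vendor or device policy: allow rules lose access to fuse mounts and, more importantly, neverallow rules such as the "should not trust any data from sdcards" ones in hal_wifi_hostapd.te and hal_wifi_supplicant.te stop covering fuse unless they are updated as they are here. The many `{ sdcard_type fuse }` rewrites in this diff handle the in-tree cases, but a note in the commit description for out-of-tree policy would make the regression visible. The rewrites also mix the literal type `fuse` with the new `fusefs_type` attribute (which init.te uses as `-fusefs_type`); using the attribute consistently would keep future FUSE types covered without another sweep.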
@@ -160,7 +161,7 @@
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
+type app_fusefs, fs_type, fusefs_type, contextmount_type;
# File types
type unlabeled, file_type;
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index e56ab99..9c65e22 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -3,3 +3,6 @@
hal_attribute_service(hal_keymint, hal_keymint_service)
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
+
+allow hal_keymint tee_device:chr_file rw_file_perms;
+allow hal_keymint ion_device:chr_file r_file_perms;
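Review bot: `allow hal_keymint tee_device:chr_file rw_file_perms;` and the ion_device rule are written against the `hal_keymint` attribute rather than `hal_keymint_server`; if hal_client_domain attaches clients to the bare HAL attribute as it does for other HALs, this also gives the HAL's clients direct read/write access to the TEE device. The existing `binder_call(hal_keymint_server, servicemanager)` line in the same hunk already uses the server attribute, so unless a passthrough implementation is intended, `hal_keymint_server` is the tighter subject for both new lines.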
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index a895ad0..faec074 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -44,6 +44,14 @@
userdebug_or_eng(`-su')
}:tcp_socket *;
+# The UWB HAL is not actually a networking HAL but may need to bring up and down
+# interfaces. Restrict it to only these networking operations.
+neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+
+# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
+# udp_socket is required to use interface ioctls.
+neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+
###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
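Review bot: The comment "Restrict it to only these networking operations" above `neverallow hal_uwb_server self:global_capability_class_set { net_raw };` reads as if it listed what is permitted, while the rule only forbids CAP_NET_RAW; rewording it to "deny raw sockets; interface bring-up only needs net_admin" avoids the inversion. The one-line socket class set on the following neverallow is hard to diff and review; the rest of this file breaks such sets one class per line, and the same layout here would also make the deliberate omission of udp_socket (explained in the comment) easier to see.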
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 12d72b6..55efc3c 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -23,5 +23,5 @@
###
# hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 7361af1..f7c444e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -34,5 +34,5 @@
###
# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
diff --git a/public/init.te b/public/init.te
index ea5a979..5fd1715 100644
--- a/public/init.te
+++ b/public/init.te
@@ -313,11 +313,12 @@
-keychord_device
-proc_type
-sdcard_type
+ -fusefs_type
-sysfs_type
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
binder_device
@@ -383,6 +384,7 @@
proc_perf
proc_sched
proc_sysrq
+ proc_watermark_boost_factor
}:file w_file_perms;
allow init {
diff --git a/public/installd.te b/public/installd.te
index 08060e3..1134aaa 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -71,8 +71,8 @@
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
+allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
+allow installd { sdcard_type fuse }:file { getattr unlink };
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { create_dir_perms mounton };
diff --git a/public/kernel.te b/public/kernel.te
index 9aa40cc..09d2480 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -56,7 +56,7 @@
allow kernel self:security setcheckreqprot;
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
+allow kernel { sdcard_type fuse }:file { read write };
# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;
@@ -95,6 +95,11 @@
staging_data_file
vendor_apex_file
}:file read;
+# Also allow the kernel to read /data/local/tmp files via loop device
+# for ApexTestCases
+userdebug_or_eng(`
+ allow kernel shell_data_file:file read;
+')
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
diff --git a/public/keystore.te b/public/keystore.te
index 155322c..b7d5090 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -20,7 +20,8 @@
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
-add_service(keystore, vpnprofilestore_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index a29e5dc..1315b8f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -26,7 +26,7 @@
crash_dump_fallback(mediaextractor)
# allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
+allow mediaextractor { sdcard_type fuse }:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
diff --git a/public/mediaserver.te b/public/mediaserver.te
index ad460e1..0275532 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -8,6 +8,7 @@
net_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
r_dir_file(mediaserver, cgroup)
r_dir_file(mediaserver, cgroup_v2)
@@ -30,7 +31,7 @@
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
+allow mediaserver { sdcard_type fuse }:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/public/net.te b/public/net.te
index e90715e..714bcde 100644
--- a/public/net.te
+++ b/public/net.te
@@ -20,14 +20,16 @@
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
# to avoid app-compat breakage.
allow {
netdomain
-ephemeral_app
-mediaprovider
-untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/recovery.te b/public/recovery.te
old mode 100644
new mode 100755
index 3649888..33658e8
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -133,6 +133,10 @@
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
+
+ # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+ allow recovery devpts:chr_file rw_file_perms;
+ allow recovery kmsg_device:chr_file { getattr w_file_perms };
')
###
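Review bot: The file header switches public/recovery.te from mode 100644 to 100755 (`old mode 100644` / `new mode 100755`), making a policy source executable, which looks accidental and should be reverted while keeping the content change. The added `allow recovery devpts:chr_file rw_file_perms;` and kmsg_device lines are indented like the surrounding macro body, whose closing `')` is the last changed line here; the enclosing conditional starts outside the hunk, so confirm the new rules are meant to apply only under that condition.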
diff --git a/public/sdcardd.te b/public/sdcardd.te
index bb1c919..220e7d0 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,11 +10,11 @@
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
+allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
+allow sdcardd { sdcard_type fuse }:file create_file_perms;
allow sdcardd media_rw_data_file:dir create_dir_perms;
allow sdcardd media_rw_data_file:file create_file_perms;
diff --git a/public/service.te b/public/service.te
index 4fa6a13..756c31c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,7 +21,9 @@
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
@@ -44,7 +46,6 @@
type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
-type vpnprofilestore_service, service_manager_type;
type vr_hwc_service, service_manager_type;
type vrflinger_vsync_service, service_manager_type;
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 2ed007e..3719d9f 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -1,44 +1,2 @@
type simpleperf_app_runner, domain, mlstrustedsubject;
type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
-
-# run simpleperf_app_runner in adb shell.
-allow simpleperf_app_runner adbd:fd use;
-allow simpleperf_app_runner shell:fd use;
-allow simpleperf_app_runner devpts:chr_file { read write ioctl };
-
-# simpleperf_app_runner reads package information.
-allow simpleperf_app_runner system_data_file:file r_file_perms;
-allow simpleperf_app_runner system_data_file:lnk_file getattr;
-allow simpleperf_app_runner packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow simpleperf_app_runner system_data_file:lnk_file read;
-
-# simpleperf_app_runner switches to the app UID/GID.
-allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
-
-# simpleperf_app_runner switches to the app security context.
-selinux_check_context(simpleperf_app_runner) # validate context
-allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
-
-# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
-
-# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
-
-# simpleperf_app_runner checks shell data paths.
-# simpleperf_app_runner passes shell data fds.
-allow simpleperf_app_runner shell_data_file:dir { getattr search };
-allow simpleperf_app_runner shell_data_file:file { getattr write };
-
-###
-### neverallow rules
-###
-
-# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
-neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/public/te_macros b/public/te_macros
index 2a218cb..200b2e3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -635,7 +635,7 @@
allow keystore $1:process getattr;
allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
- allow $1 vpnprofilestore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 43fe19a..0a67614 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
###
# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
+# targetSdkVersion >= 32.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
+# 29 < targetSdkVersion <= 31.
+type untrusted_app_30, domain;
+# This file defines the rules for untrusted apps running with
# targetSdkVersion = 29.
type untrusted_app_29, domain;
# This file defines the rules for untrusted apps running with
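Review bot: The new comment `# 29 < targetSdkVersion <= 31` uses a strict lower bound while the neighbouring entries are written as `>= 32` and `= 29`, so the reader has to work out that the new domain covers exactly 30 and 31. Writing it as `# 30 <= targetSdkVersion <= 31` (or `# targetSdkVersion = 30 or 31`) keeps the three comments in the same form and matches the `_30` suffix of the type name. The surrounding declarations continue outside the hunk.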
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0999f48..c6e5e82 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -140,6 +140,7 @@
-contextmount_type
-keychord_device
-sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
@@ -153,6 +154,7 @@
fs_type
-contextmount_type
-sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
diff --git a/public/vold.te b/public/vold.te
index 7796ba8..af3152e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -86,14 +86,12 @@
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
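Review bot: The `# TODO: deprecated in M` trailer is carried onto the two rules that this change is actively widening to include `fuse`, so the comment now contradicts the code: either the mount/mounton rules are deprecated and should not be extended, or the TODO is stale and no longer describes these lines. Since the commit is extending them, replacing the trailer with the actual reason, e.g. `# fuse is split out of sdcard_type; vold still mounts FUSE-backed emulated storage`, would be more useful to the next reader. Dropping the separate `sdcard_type:dir create_dir_perms` and `sdcard_type:file create_file_perms` lines looks correct since the "Manage locations" rules below now grant the same access on `{ ... sdcard_type fuse }`.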
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 2b06c11..7795e3a 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -207,11 +207,9 @@
/*Inputs*/
{ .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isEphemeralApp", .dir = dir_in, .fn_validate = validate_bool },
- { .name = "isOwner", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "user", .dir = dir_in, },
{ .name = "seinfo", .dir = dir_in, },
{ .name = "name", .dir = dir_in, },
- { .name = "path", .dir = dir_in, },
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
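Review bot: Removing the `isOwner` and `path` entries from the key table means any seapp_contexts file still carrying `isOwner=` or `path=` will presumably no longer be recognised by the checker, and the hunk gives no hint that these keys were dropped deliberately rather than lost; how an unknown key is reported depends on the lookup code, which is outside the hunk. A short comment on the table would document the contract, e.g. `/* Accepted keys must match the seapp_contexts parser in libselinux; isOwner and path are no longer supported. */`. The enclosing table definition starts and ends outside the hunk.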