Merge "sepolicy: Relabel wifi. properties as wifi_prop"
diff --git a/Android.mk b/Android.mk
index e3b4143..6c25fc1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -202,6 +202,9 @@
ifeq ($(NATIVE_COVERAGE),true)
with_native_coverage := true
endif
+ifeq ($(CLANG_COVERAGE),true)
+ with_native_coverage := true
+endif
treble_sysprop_neverallow := true
ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
diff --git a/apex/Android.bp b/apex/Android.bp
index 29c2518..d3acfdb 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -28,6 +28,13 @@
}
filegroup {
+ name: "com.android.sdkext-file_contexts",
+ srcs: [
+ "com.android.sdkext-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.art.debug-file_contexts",
srcs: [
"com.android.art.debug-file_contexts",
@@ -63,6 +70,13 @@
}
filegroup {
+ name: "com.android.cronet-file_contexts",
+ srcs: [
+ "com.android.cronet-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
@@ -133,13 +147,6 @@
}
filegroup {
- name: "com.android.sdkext-file_contexts",
- srcs: [
- "com.android.sdkext-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
@@ -173,3 +180,10 @@
"com.android.tethering-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.extservices-file_contexts",
+ srcs: [
+ "com.android.extservices-file_contexts",
+ ],
+}
diff --git a/apex/com.android.extservices-file_contexts b/apex/com.android.extservices-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.extservices-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.incremental-file_contexts b/apex/com.android.incremental-file_contexts
deleted file mode 100644
index f6b21da..0000000
--- a/apex/com.android.incremental-file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/private/access_vectors b/private/access_vectors
index 66c1b79..aa0109c 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -27,6 +27,14 @@
execute
quotaon
mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
}
@@ -125,7 +133,7 @@
common cap2
{
mac_override # unused by SELinux
- mac_admin # unused by SELinux
+ mac_admin
syslog
wake_alarm
block_suspend
@@ -164,14 +172,6 @@
reparent
search
rmdir
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class file
@@ -179,82 +179,26 @@
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class lnk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class chr_file
inherits file
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class blk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class sock_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fifo_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fd
{
@@ -505,8 +449,6 @@
send
recv
relabelto
- flow_in # deprecated
- flow_out # deprecated
forward_in
forward_out
}
@@ -781,3 +723,13 @@
class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
diff --git a/private/adbd.te b/private/adbd.te
index ec5c57e..dee3c9b 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -180,7 +180,7 @@
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
###
diff --git a/private/aidl_lazy_test_server.te b/private/aidl_lazy_test_server.te
new file mode 100644
index 0000000..33efde0
--- /dev/null
+++ b/private/aidl_lazy_test_server.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ typeattribute aidl_lazy_test_server coredomain;
+
+ init_daemon_domain(aidl_lazy_test_server)
+')
diff --git a/private/apexd.te b/private/apexd.te
index 1e1ccc5..36b7999 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -11,10 +11,18 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
-# Allow apexd to create directories for snapshots of apex data
+# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_permission_data_file:file { create_file_perms relabelto };
+allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
+allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
+# Allow apexd to read directories under /data/misc_de in order to snapshot and
+# restore apex data for all users.
+allow apexd system_data_file:dir r_dir_perms;
+
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -36,7 +44,16 @@
allow apexd dm_device:blk_file rw_file_perms;
# sys_admin is required to access the device-mapper and mount
-allow apexd self:global_capability_class_set sys_admin;
+# dac_override, chown, and fowner are needed for snapshot and restore
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
+
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for apexd to operate.
+dontaudit apexd self:global_capability_class_set fsetid;
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir create_dir_perms;
@@ -71,12 +88,6 @@
allow apexd sysfs_loop:dir r_dir_perms;
allow apexd sysfs_loop:file rw_file_perms;
-# Spawning a libbinder thread results in a dac_override deny,
-# /dev/cpuset/tasks is owned by system.
-#
-# See b/35323867#comment3
-dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
-
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
@@ -121,6 +132,16 @@
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
+# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
+# other processes
+create_pty(apexd)
+
+# Allow apexd to read file contexts when performing restorecon of snapshots.
+allow apexd file_contexts_file:file r_file_perms;
+
+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb798e3..f08f516 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -6,9 +6,11 @@
ephemeral_app
isolated_app
mediaprovider
+ mediaprovider_app
untrusted_app
untrusted_app_25
untrusted_app_27
+ untrusted_app_29
untrusted_app_all
}')
# Receive or send uevent messages.
@@ -111,6 +113,14 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
+# Disallow sending RTM_GETLINK messages on netlink sockets.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+} domain:netlink_route_socket { bind nlmsg_readpriv };
+
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
@@ -136,8 +146,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component except mediaprovider should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
+# No untrusted component except mediaprovider_app should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index c111ac8..a826f7f 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -70,6 +70,9 @@
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
+# Send unsolicited message to system_server
+unix_socket_send(app_zygote, system_unsolzygote, system_server)
+
#####
##### Neverallow
#####
@@ -129,15 +132,18 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
-# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
-# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Only allow app_zygote to talk to the logd socket, and
+# su/heapprofd/traced_perf on eng/userdebug. This is because
+# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
# Think twice before changing.
neverallow app_zygote {
domain
-app_zygote
-logd
+ -system_server
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_dgram_socket *;
neverallow app_zygote {
@@ -145,6 +151,7 @@
-app_zygote
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_stream_socket *;
# Never allow ptrace
diff --git a/private/atrace.te b/private/atrace.te
index 2545c8b..ad7d177 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -37,6 +37,7 @@
-installd_service
-vold_service
-lpdump_service
+ -default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
new file mode 100644
index 0000000..e397d10
--- /dev/null
+++ b/private/automotive_display_service.te
@@ -0,0 +1,20 @@
+# Display service for Automotive
+type automotive_display, domain, coredomain;
+type automotive_display_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(automotive_display)
+
+# Allow to use Binder IPC for SurfaceFlinger.
+binder_use(automotive_display)
+
+# Allow to use HwBinder IPC for HAL implementations.
+hwbinder_use(automotive_display)
+
+# Allow to read the target property.
+get_prop(automotive_display, hwservicemanager_prop)
+
+# Allow to find SurfaceFlinger.
+allow automotive_display surfaceflinger_service:service_manager find;
+
+# Allow client domain to do binder IPC to serverdomain.
+binder_call(automotive_display, surfaceflinger)
diff --git a/private/automotive_display_service_server.te b/private/automotive_display_service_server.te
new file mode 100644
index 0000000..a916de8
--- /dev/null
+++ b/private/automotive_display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(automotive_display, fwk_automotive_display_hwservice)
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 51310d1..69dd7e6 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -4,3 +4,5 @@
init_daemon_domain(blank_screen)
hal_client_domain(blank_screen, hal_light)
+
+allow blank_screen hal_light_service:service_manager find;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b96fc58..1680361 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -40,6 +40,9 @@
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# Allow write access to bluetooth specific properties
+set_prop(bluetooth, binder_cache_bluetooth_server_prop);
+neverallow { domain -bluetooth -init }
+ binder_cache_bluetooth_server_prop:property_service set;
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 00d4c79..34921e6 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,7 +18,7 @@
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
diff --git a/private/bug_map b/private/bug_map
index c6c8278..60c2f15 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -27,6 +27,7 @@
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 15746a2..51e7b5c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -199,6 +199,7 @@
vendor_apex_file
vendor_init
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fa8d9fe..a8d64bd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -177,6 +177,7 @@
vendor_init
vendor_security_patch_level_prop
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222fa7b..de62740 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -151,5 +151,6 @@
vendor_misc_writer
vendor_misc_writer_exec
vendor_task_profiles_file
+ vndk_prop
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index c62edd5..60e6fb1 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1206,7 +1206,9 @@
(typeattributeset exported_bluetooth_prop_29_0 (exported_bluetooth_prop))
(typeattributeset exported_config_prop_29_0 (exported_config_prop))
(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop))
-(typeattributeset exported_default_prop_29_0 (exported_default_prop))
+(typeattributeset exported_default_prop_29_0
+ ( exported_default_prop
+ vndk_prop))
(typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
(typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
(typeattributeset exported_fingerprint_prop_29_0 (exported_fingerprint_prop))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 03b987e..376c0a5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,13 +5,24 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ aidl_lazy_test_server
+ aidl_lazy_test_server_exec
+ aidl_lazy_test_service
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
app_integrity_service
app_search_service
auth_service
+ automotive_display
+ automotive_display_exec
ashmem_libcutils_device
blob_store_service
+ binder_cache_bluetooth_server_prop
+ binder_cache_system_server_prop
+ binderfs
+ binderfs_logs
+ binderfs_logs_proc
boringssl_self_test
charger_prop
cold_boot_done_prop
@@ -20,16 +31,22 @@
dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
+ exported_camera_prop
file_integrity_service
+ fwk_automotive_display_hwservice
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
+ hal_identity_hwservice
+ hal_light_service
+ hal_power_service
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
incfs
incremental_service
- incremental_root_file
+ init_perf_lsm_hooks_prop
init_svc_debug_prop
iorap_prefetcherd
iorap_prefetcherd_data_file
@@ -40,22 +57,34 @@
mediatranscoding_exec
mediatranscoding_tmpfs
mirror_data_file
+ light_service
linker_prop
linkerconfig_file
+ mnt_pass_through_file
mock_ota_prop
- module_sdkext_prop
+ module_sdkextensions_prop
ota_metadata_file
ota_prop
art_apex_dir
+ rebootescrow_hal_prop
service_manager_service
+ simpleperf
+ snapshotctl_log_data_file
soundtrigger_middleware_service
+ sysfs_dm_verity
+ system_config_service
system_group_file
system_jvmti_agent_prop
system_passwd_file
+ system_unsolzygote_socket
tethering_service
+ traced_perf
+ traced_perf_socket
timezonedetector_service
+ untrusted_app_29
usb_serial_device
userspace_reboot_prop
+ userspace_reboot_config_prop
userspace_reboot_exported_prop
vehicle_hal_prop
vendor_apex_file
diff --git a/private/coredomain.te b/private/coredomain.te
index dac061a..0c84797 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -29,6 +29,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
} vendor_app_file:dir { open read getattr search };
')
@@ -44,6 +45,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-mediaserver
} vendor_app_file:file r_file_perms;
')
@@ -60,6 +62,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-app_zygote
-webview_zygote
-zygote
@@ -78,6 +81,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-app_zygote
-webview_zygote
-zygote
@@ -128,6 +132,7 @@
-init
-traced_probes
-shell
+ -system_server
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index 98cda20..1f60e34 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -8,5 +8,5 @@
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
-set_prop(derive_sdk, module_sdkext_prop)
-neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;
+set_prop(derive_sdk, module_sdkextensions_prop)
+neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
diff --git a/private/domain.te b/private/domain.te
index 8a0a8e5..9f3ad0a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -28,6 +28,25 @@
-vold
})')
+# As above, allow perf profiling most processes on debug builds.
+# Do not diverge the two lists without a really good reason.
+userdebug_or_eng(`can_profile_perf({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+})')
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
@@ -45,8 +64,8 @@
# Allow to read properties for linker
get_prop(domain, linker_prop);
-# Read access to sdkext props
-get_prop(domain, module_sdkext_prop)
+# Read access to sdkextensions props
+get_prop(domain, module_sdkextensions_prop)
# For now, everyone can access core property files
# Device specific properties are not granted by default
@@ -76,6 +95,8 @@
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
@@ -266,6 +287,7 @@
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
+ apexd
dnsmasq
dumpstate
init
@@ -294,6 +316,7 @@
neverallow ~{
dac_override_allowed
iorap_prefetcherd
+ traced_perf
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 508653c..56d4747 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -53,9 +53,9 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(ephemeral_app)
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(ephemeral_app)
+can_profile_perf(ephemeral_app)
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/file_contexts b/private/file_contexts
index 65d0e6f..0a0d3c9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -150,8 +150,9 @@
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_perf u:object_r:traced_perf_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/heapprofd u:object_r:heapprofd_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
@@ -282,6 +283,7 @@
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
@@ -338,9 +340,11 @@
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
#############################
# Vendor files
@@ -442,6 +446,8 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
@@ -463,6 +469,7 @@
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -474,14 +481,16 @@
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
+# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+# /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
+/data/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
-/data/incremental(/.*)? u:object_r:incremental_root_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -503,6 +512,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
@@ -533,6 +543,7 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
@@ -590,11 +601,16 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+# Incremental directories
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+
#############################
# Expanded data files
#
@@ -689,6 +705,7 @@
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0
/mnt/sdcard u:object_r:mnt_sdcard_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5b956da..92ef6a8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
@@ -290,9 +291,15 @@
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index daca057..4ae8eff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -3,14 +3,6 @@
###
typeattribute gmscore_app coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `gmscore_app` and remove this line once we are confident about this having
-# the right set of permissions.
-userdebug_or_eng(`permissive gmscore_app;')
-
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 9e17d06..b8a365a 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -35,6 +35,10 @@
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+binder_call(gpuservice, statsd);
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/gsid.te b/private/gsid.te
index 4771311..5d7b043 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -111,8 +111,12 @@
allow gsid metadata_file:dir { search getattr };
allow gsid {
gsi_metadata_file
+}:dir create_dir_perms;
+
+allow gsid {
ota_metadata_file
}:dir rw_dir_perms;
+
allow gsid {
gsi_metadata_file
ota_metadata_file
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index d72231b..238fd53 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -4,6 +4,7 @@
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
+android.frameworks.automotive.display::ICarWindowService u:object_r:fwk_automotive_display_hwservice:s0
android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
@@ -24,6 +25,7 @@
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index b806f6e..45499fc 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -128,10 +128,18 @@
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
+# Access /data/misc/logd
+allow incidentd misc_logd_file:dir r_dir_perms;
+allow incidentd misc_logd_file:file r_file_perms;
+
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
allow incidentd {
diff --git a/private/init.te b/private/init.te
index 116eff4..42ec0f3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -45,3 +45,18 @@
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_prop:property_service set;
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+# TODO(b/137092007): this can be removed once the platform stops supporting
+# kernels that precede the perf_event_open hooks (Android common kernels 4.4
+# and 4.9).
+allow init self:perf_event { open cpu };
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+set_prop(init, init_perf_lsm_hooks_prop)
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 15c0f3f..4c6c5aa 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -13,6 +13,10 @@
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
@@ -58,9 +62,10 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(isolated_app)
-# Allow heap profiling if the main app has been marked as profileable or
+# Allow profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)
+can_profile_perf(isolated_app)
#####
##### Neverallow
@@ -130,7 +135,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app self:{
+neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index f82e05d..414b39f 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -4,7 +4,7 @@
init_daemon_domain(linkerconfig)
## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir rw_dir_perms;
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
allow linkerconfig linkerconfig_file:file create_file_perms;
# Allow linkerconfig to log to the kernel.
@@ -13,4 +13,7 @@
# Allow linkerconfig to be invoked with logwrapper from init.
allow linkerconfig devpts:chr_file { read write };
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/llkd.te b/private/llkd.te
index 385f930..f218dec 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -7,7 +7,7 @@
allow llkd self:global_capability_class_set kill;
userdebug_or_eng(`
- allow llkd self:global_capability_class_set sys_ptrace;
+ allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
allow llkd self:global_capability_class_set { dac_override dac_read_search };
')
diff --git a/private/logpersist.te b/private/logpersist.te
index 6f6ab50..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -24,6 +24,6 @@
userdebug_or_eng(`-misc_logd_file -coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
-neverallow { domain -init -dumpstate userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5050e1a..249fee1 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,9 +34,6 @@
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
-# Fuse daemon
-allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
-
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
new file mode 100644
index 0000000..a07fc2d
--- /dev/null
+++ b/private/mediaprovider_app.te
@@ -0,0 +1,40 @@
+###
+### A domain for further sandboxing the MediaProvider mainline module.
+###
+type mediaprovider_app, domain, coredomain;
+
+app_domain(mediaprovider_app)
+
+# Access to /mnt/pass_through.
+allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+
+# Allow MediaProvider to host a FUSE daemon for external storage
+allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
+
+# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_rw_data_file:file create_file_perms;
+allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
+
+# Talk to the DRM service
+allow mediaprovider_app drmserver_service:service_manager find;
+
+# Talk to the MediaServer service
+allow mediaprovider_app mediaserver_service:service_manager find;
+
+# Talk to regular app services
+allow mediaprovider_app app_api_service:service_manager find;
+
+# Talk to the GPU service
+binder_call(mediaprovider_app, gpuservice)
+
+# read pipe-max-size configuration
+allow mediaprovider_app proc_pipe_conf:file r_file_perms;
+
+# Allow MediaProvider to set extended attributes (such as quota project ID)
+# on media files.
+allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 0fa2dea..8a6f6aa 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -3,14 +3,6 @@
###
type permissioncontroller_app, domain, coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `permissioncontroller_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive permissioncontroller_app;')
-
app_domain(permissioncontroller_app)
# Allow interaction with gpuservice
diff --git a/private/platform_app.te b/private/platform_app.te
index 9e26d7a..76eaae6 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,9 +68,7 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-userdebug_or_eng(`
- allow platform_app platform_compat_service:service_manager find;
-')
+allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/priv_app.te b/private/priv_app.te
index e180b1d..74930ee 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -14,13 +14,6 @@
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app self:process ptrace;
-')
-
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
@@ -63,15 +56,6 @@
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;
-# Write to /data/ota_package for OTA packages.
-allow priv_app ota_package_file:dir rw_dir_perms;
-allow priv_app ota_package_file:file create_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app ota_package_file:dir rw_dir_perms;
- auditallow priv_app ota_package_file:file create_file_perms;
-')
-
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
@@ -80,11 +64,6 @@
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app shell_data_file:file r_file_perms;
- auditallow priv_app shell_data_file:dir r_dir_perms;
-')
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
@@ -93,13 +72,6 @@
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow priv_app anr_data_file:file r_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app anr_data_file:file r_file_perms;
-')
-
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
@@ -117,47 +89,9 @@
r_dir_file(priv_app, rootfs)
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow priv_app config_gz:file { open read getattr };
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app config_gz:file { open read getattr };
-')
-
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(priv_app, update_engine)
-allow priv_app update_engine_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app update_engine:binder { call transfer };
- auditallow update_engine priv_app:binder transfer;
- auditallow priv_app update_engine:fd use;
- auditallow priv_app update_engine_service:service_manager find;
-')
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(priv_app, storaged)
-allow priv_app storaged_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app storaged:binder { call transfer };
- auditallow storaged priv_app:binder transfer;
- auditallow priv_app storaged:fd use;
- auditallow priv_app storaged_service:service_manager find;
-')
-
-
-# Allow GMS core to access system_update_service (e.g. to publish pending
-# system update info).
-allow priv_app system_update_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app system_update_service:service_manager find;
-')
-
# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
@@ -170,20 +104,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
-allow priv_app keystore:keystore_key gen_unique_id;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app keystore:keystore_key gen_unique_id;
-')
-
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow priv_app selinuxfs:file r_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app selinuxfs:file r_file_perms;
-')
-
read_runtime_log_tags(priv_app)
# Write app-specific trace data to the Perfetto traced damon. This requires
@@ -196,9 +116,9 @@
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(priv_app)
+can_profile_perf(priv_app)
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 6511668..07fbe7a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
@@ -48,6 +49,7 @@
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
+persist.adb.wifi. u:object_r:shell_prop:s0
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
@@ -197,6 +199,7 @@
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
@@ -227,5 +230,5 @@
ota.warm_reset u:object_r:ota_prop:s0
# Module properties
-com.android.sdkext. u:object_r:module_sdkext_prop:s0
-persist.com.android.sdkext. u:object_r:module_sdkext_prop:s0
+com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
diff --git a/private/runas_app.te b/private/runas_app.te
index e6fd953..c1b354a 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -16,3 +16,17 @@
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
+
+# Allow executing system image simpleperf without a domain transition.
+allow runas_app simpleperf_exec:file rx_file_perms;
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective process, most of which this domain is not
+# allowed to see.
+dontaudit runas_app domain:dir search;
+
+# Allow runas_app to call perf_event_open for profiling debuggable app
+# processes, but not the whole system.
+allow runas_app self:perf_event { open read write kernel };
+neverallow runas_app self:perf_event ~{ open read write kernel };
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 3838578..6c3b607 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,12 +158,15 @@
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/security_classes b/private/security_classes
index 25b4cba..c0631e9 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -139,6 +139,8 @@
class xdp_socket
+class perf_event
+
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 849717a..19d3b0d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,11 +1,15 @@
-android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
-android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.power.IPower/default u:object_r:hal_power_service:s0
+android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
@@ -111,6 +115,7 @@
isub u:object_r:radio_service:s0
jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0
+lights u:object_r:light_service:s0
location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0
looper_stats u:object_r:looper_stats_service:s0
@@ -199,6 +204,7 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
+system_config u:object_r:system_config_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
diff --git a/private/shell.te b/private/shell.te
index 975fde4..8bd4e1d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -83,3 +83,11 @@
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_GET_ENCRYPTION_POLICY_EX
};
+
+# Allow shell to execute simpleperf without a domain transition.
+allow shell simpleperf_exec:file rx_file_perms;
+
+# Allow shell to call perf_event_open for profiling other shell processes, but
+# not the whole system.
+allow shell self:perf_event { open read write kernel };
+neverallow shell self:perf_event ~{ open read write kernel };
diff --git a/private/simpleperf.te b/private/simpleperf.te
new file mode 100644
index 0000000..0639c11
--- /dev/null
+++ b/private/simpleperf.te
@@ -0,0 +1,37 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf untrusted_app_all:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, untrusted_app_all)
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 0f0313c..f8399fe 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -34,3 +34,9 @@
# Snapshotctl talk to boot control HAL to set merge status.
hwbinder_use(snapshotctl)
hal_client_domain(snapshotctl, hal_bootctl)
+
+# Logging
+userdebug_or_eng(`
+ allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
+ allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/private/stats.te b/private/stats.te
index ea9530c..3e8a3d5 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,12 +41,14 @@
domain
-dumpstate
-gmscore_app
+ -gpuservice
-incidentd
-platform_app
-priv_app
-shell
-stats
-statsd
+ -surfaceflinger
-system_app
-system_server
-traceur_app
diff --git a/private/statsd.te b/private/statsd.te
index a55c42d..1e56b67 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -19,3 +19,6 @@
# Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read getattr };
+
+# Allow statsd to retrieve SF statistics over binder
+binder_call(statsd, surfaceflinger);
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index e696fe5..78853bb 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -27,6 +27,7 @@
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)
# Binder IPC to bu, presently runs in adbd domain.
@@ -114,6 +115,12 @@
pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)
+# Allow supplying timestats statistics to statsd
+allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
+binder_call(surfaceflinger, statsd);
+
###
### Neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index ee18ab2..e5d7d18 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,6 +93,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
diff --git a/private/system_server.te b/private/system_server.te
index 190b85f..f2f1707 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,6 +14,9 @@
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
allow system_server zygote_tmpfs:file read;
allow system_server appdomain_tmpfs:file { getattr map read write };
@@ -619,6 +622,7 @@
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
+set_prop(system_server, device_config_window_manager_native_boot_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -660,6 +664,9 @@
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@@ -834,6 +841,9 @@
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+# Read persist.adb.wifi. properties
+get_prop(system_server, shell_prop)
+
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
@@ -864,6 +874,7 @@
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
+ proc_cmdline
proc_loadavg
proc_meminfo
proc_pagetypeinfo
@@ -888,6 +899,9 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
+allow system_server debugfs_tracing:file r_file_perms;
+
# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
with_asan(`
@@ -897,10 +911,11 @@
')
# allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded
+# the map after snapshot is recorded, and to read, update and run the maps and programs used for
+# time in state accounting
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write };
+allow system_server bpfloader:bpf { map_read map_write prog_run };
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -974,6 +989,16 @@
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+ domain
+ -init
+ -system_server
+ -zygote
+ -app_zygote
+ -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
domain
@@ -989,6 +1014,7 @@
device_config_media_native_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
}:property_service set;
# system_server should never be executing dex2oat. This is either
@@ -1054,6 +1080,11 @@
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;
+# Allow the system server to manage relevant apex module data files.
+allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_permission_data_file:dir create_dir_perms;
+allow system_server apex_permission_data_file:file create_file_perms;
+
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
@@ -1093,3 +1124,13 @@
-system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+
+# Allow systemserver to read/write the invalidation property
+set_prop(system_server, binder_cache_system_server_prop)
+neverallow { domain -system_server -init }
+ binder_cache_system_server_prop:property_service set;
+
+# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
+# system_server cannot use this access to read perf event data like process stacks.
+allow system_server self:perf_event { open write cpu kernel };
+neverallow system_server self:perf_event ~{ open write cpu kernel };
diff --git a/private/traced_perf.te b/private/traced_perf.te
new file mode 100644
index 0000000..7a78d79
--- /dev/null
+++ b/private/traced_perf.te
@@ -0,0 +1,53 @@
+# Performance profiler, backed by perf_event_open(2).
+# See go/perfetto-perf-android.
+typeattribute traced_perf coredomain;
+typeattribute traced_perf mlstrustedsubject;
+
+type traced_perf_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(traced_perf)
+perfetto_producer(traced_perf)
+
+# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
+# profiling, but retain samples only for profileable processes.
+# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
+# check (which would require a process:attach SELinux allow-rule).
+allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
+
+# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
+# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
+# sampled stacks, which requires opening the backing libraries/executables (as
+# symbols are usually not mapped into the process space). Not all such files
+# are world-readable, e.g. odex files that included user profiles during
+# profile-guided optimization.
+allow traced_perf self:capability { kill dac_read_search };
+
+# Allow reading /system/data/packages.list.
+allow traced_perf packages_list_file:file r_file_perms;
+
+# Allow reading files for stack unwinding and symbolization.
+r_dir_file(traced_perf, nativetest_data_file)
+r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apk_data_file)
+r_dir_file(traced_perf, dalvikcache_data_file)
+r_dir_file(traced_perf, vendor_file_type)
+
+# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
+# domains that it cannot read.
+dontaudit traced_perf domain:dir { search getattr open };
+
+# Never allow access to app data files
+neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+
+# Never allow profiling highly privileged processes.
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c15fa22..6e7a99c 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -1,20 +1,11 @@
###
### Untrusted apps.
###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 30.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app coredomain;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2091f2e..a1abc41 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -4,19 +4,8 @@
### This file defines the rules for untrusted apps running with
### targetSdkVersion <= 25.
###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app_25 coredomain;
@@ -59,3 +48,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 03b3013..b7b6d72 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -4,20 +4,8 @@
### This file defines the rules for untrusted apps running with
### 25 < targetSdkVersion <= 28.
###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_27 domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app_27 coredomain;
@@ -48,3 +36,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
new file mode 100644
index 0000000..344ae89
--- /dev/null
+++ b/private/untrusted_app_29.te
@@ -0,0 +1,19 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_29 coredomain;
+
+app_domain(untrusted_app_29)
+untrusted_app_domain(untrusted_app_29)
+net_domain(untrusted_app_29)
+bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d8e0b14..d9fd5a1 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -137,9 +137,9 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(untrusted_app_all)
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(untrusted_app_all)
+can_profile_perf(untrusted_app_all)
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -168,3 +168,8 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index b287bdc..157ee55 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -15,6 +15,7 @@
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
@@ -26,6 +27,7 @@
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 8fe9733..969ab9c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -64,8 +64,8 @@
# Directory listing in /system.
allow webview_zygote system_file:dir r_dir_perms;
-# Read system properties managed by zygote.
-allow webview_zygote zygote_tmpfs:file read;
+# Read and inspect temporary files (like system properties) managed by zygote.
+allow webview_zygote zygote_tmpfs:file { read getattr };
# Child of zygote.
allow webview_zygote zygote:fd use;
allow webview_zygote zygote:process sigchld;
@@ -77,6 +77,9 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
+# Send unsolicited message to system_server
+unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+
#####
##### Neverallow
#####
diff --git a/private/zygote.te b/private/zygote.te
index e6c1db9..3963459 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -53,6 +53,16 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Relabel /data/user /data/user_de and /data/data
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+
+# Zygote opens /mnt/expand to mount CE DE storage on each vol
+allow zygote mnt_expand_file:dir { open read search relabelto };
+
+# Bind mount subdirectories on /data/misc/profiles/cur
+allow zygote { user_profile_data_file }:dir { mounton search };
+
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
@@ -61,7 +71,7 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get and set data directories
+# Get inode of data directories
allow zygote {
system_data_file
radio_data_file
@@ -119,6 +129,10 @@
allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
@@ -126,9 +140,6 @@
allow zygote { sdcard_type }:dir { create_dir_perms mounton };
allow zygote { sdcard_type }:file { create_file_perms };
-# Allow zygote to expand app files while preloading libraries
-allow zygote mnt_expand_file:dir getattr;
-
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
@@ -163,12 +174,19 @@
get_prop(zygote, device_config_runtime_native_prop)
get_prop(zygote, device_config_runtime_native_boot_prop)
+# Allow the zygote to access window manager native boot feature flags
+# to initialize WindowManager static properties.
+get_prop(zygote, device_config_window_manager_native_boot_prop)
+
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
+# Send unsolicited message to system_server
+unix_socket_send(zygote, system_unsolzygote, system_server)
+
###
### neverallow rules
###
@@ -201,7 +219,7 @@
exported_bluetooth_prop
}:file create_file_perms;
-# Do not allow zygote to access app data except getting attributes and relabeling to.
+# Zygote should not be able to access app private data.
neverallow zygote {
privapp_data_file
app_data_file
diff --git a/public/aidl_lazy_test_server.te b/public/aidl_lazy_test_server.te
new file mode 100644
index 0000000..626d008
--- /dev/null
+++ b/public/aidl_lazy_test_server.te
@@ -0,0 +1,9 @@
+type aidl_lazy_test_server, domain;
+type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ binder_use(aidl_lazy_test_server)
+ binder_call(aidl_lazy_test_server, binderservicedomain)
+
+ add_service(aidl_lazy_test_server, aidl_lazy_test_service)
+')
diff --git a/public/attributes b/public/attributes
index 0fd2be2..a3728cf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -313,6 +313,7 @@
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
+hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
@@ -352,6 +353,7 @@
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
+attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute scheduler_service_server;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index d189c89..86f1eb1 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -23,3 +23,6 @@
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
+
+# sometimes a network device vanishes and we try to load module netdev-{devicename}
+dontaudit dnsmasq kernel:system module_request;
diff --git a/public/domain.te b/public/domain.te
index e50ef75..0ecc280 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@@ -101,6 +105,11 @@
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
+get_prop(domain, vndk_prop)
+
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
+get_prop(domain, binder_cache_system_server_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
@@ -492,9 +501,9 @@
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
@@ -509,6 +518,7 @@
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
compatible_property_only(`
neverallow { domain -init } default_prop:property_service set;
@@ -643,6 +653,7 @@
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
+ -hal_light_service # TODO(b/148154485) remove once all violators are gone
-keystore_service
-mediadrmserver_service
-mediaextractor_service
@@ -718,7 +729,8 @@
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
- userdebug_or_eng('-heapprofd`)
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
});
')
@@ -977,6 +989,7 @@
userdebug_or_eng(`-heapprofd')
-shell
-system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
} {
vendor_file_type
@@ -1164,10 +1177,11 @@
-zygote
} shell:process { transition dyntransition };
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
-# attribute.
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su')
+ appdomain -shell -simpleperf userdebug_or_eng(`-su')
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
@@ -1299,10 +1313,11 @@
-appdomain
-bootanim
-crash_dump
+ -heapprofd
-init
-iorap_prefetcherd
-kernel
- -heapprofd
+ -traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 7342856..2c0e470 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -230,6 +230,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
@@ -294,6 +295,9 @@
# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
# For when dumpstate runs df
dontaudit dumpstate {
mnt_vendor_file
@@ -301,6 +305,7 @@
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
+ linkerconfig_file
mirror_data_file
}:dir getattr;
@@ -313,6 +318,10 @@
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..a0152d4 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -53,12 +53,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
- # For disabling/wiping GSI.
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir search;
- allow fastbootd gsi_metadata_file:dir r_dir_perms;
- allow fastbootd gsi_metadata_file:file rw_file_perms;
+ allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@@ -113,6 +114,10 @@
allow fastbootd gsi_metadata_file:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
+
+ # Determine allocation scheme (whether B partitions needs to be
+ # at the second half of super.
+ get_prop(fastbootd, virtual_ab_prop)
')
###
diff --git a/public/file.te b/public/file.te
index 73ac226..4ede12d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -4,6 +4,9 @@
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
@@ -81,6 +84,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
@@ -305,12 +309,11 @@
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
-# /data/incremental
-type incremental_root_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;
@@ -341,6 +344,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
@@ -362,6 +366,7 @@
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
@@ -448,11 +453,13 @@
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index af7d96a..cf33ce7 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -12,6 +12,7 @@
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 1a95b72..069da47 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -34,6 +34,7 @@
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
diff --git a/public/hal_identity.te b/public/hal_identity.te
new file mode 100644
index 0000000..a8df186
--- /dev/null
+++ b/public/hal_identity.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_identity_client, hal_identity_server)
+
+hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
diff --git a/public/hal_light.te b/public/hal_light.te
index 333fcac..1e70b74 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,6 +4,13 @@
hal_attribute_hwservice(hal_light, hal_light_hwservice)
+add_service(hal_light_server, hal_light_service)
+binder_call(hal_light_server, servicemanager)
+
+allow hal_light_client hal_light_service:service_manager find;
+
+allow hal_light_server dumpstate:fifo_file write;
+
allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file rw_file_perms;
allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/public/hal_power.te b/public/hal_power.te
index 028011a..2c80a51 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -3,3 +3,7 @@
binder_call(hal_power_server, hal_power_client)
hal_attribute_hwservice(hal_power, hal_power_hwservice)
+
+add_service(hal_power_server, hal_power_service)
+binder_call(hal_power_server, servicemanager)
+allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 2cd582b..3619a63 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -6,6 +6,7 @@
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
@@ -27,6 +28,7 @@
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/init.te b/public/init.te
index 56ed703..19c7e4b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -381,6 +381,7 @@
# init access to /sys files.
allow init {
sysfs_android_usb
+ sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs
@@ -545,7 +546,7 @@
allow init unencrypted_data_file:dir create_dir_perms;
# Set encryption policy on dirs in /data
-allowxperm init data_file_type:dir ioctl {
+allowxperm init { data_file_type unlabeled }:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
};
diff --git a/public/installd.te b/public/installd.te
index 10277d2..a6307ef 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -57,6 +57,9 @@
# optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 15cf7d5..b2a6fbf 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -804,6 +804,8 @@
define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
diff --git a/public/iorapd.te b/public/iorapd.te
index abf7adb..4c08c72 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -36,6 +36,9 @@
# tracing sessions and read trace data.
unix_socket_connect(iorapd, traced_consumer, traced)
+# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
+allow iorapd system_file:file rx_file_perms;
+
###
### neverallow rules
###
diff --git a/public/keystore.te b/public/keystore.te
index e869f32..27c4624 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -6,6 +6,7 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
+binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
diff --git a/public/net.te b/public/net.te
index bdef072..e90715e 100644
--- a/public/net.te
+++ b/public/net.te
@@ -18,10 +18,16 @@
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
-# this permission to everything that previously had the nlmsg_read permission.
-allow netdomain self:netlink_route_socket nlmsg_readpriv;
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/netd.te b/public/netd.te
index c15a03b..92c2ed1 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -173,3 +173,13 @@
neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd kernel:system module_request;
diff --git a/public/property.te b/public/property.te
index 50844fb..f30663a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,10 @@
system_internal_prop(device_config_runtime_native_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(firstboot_prop)
system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
@@ -55,12 +57,15 @@
system_internal_prop(time_prop)
system_internal_prop(traced_enabled_prop)
system_internal_prop(traced_lazy_prop)
- system_internal_prop(virtual_ab_prop)
')
# Properties which can't be written outside system
+
+# Properties used by binder caches
+system_restricted_prop(binder_cache_bluetooth_server_prop)
+system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(linker_prop)
-system_restricted_prop(module_sdkext_prop)
+system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(system_boot_reason_prop)
@@ -119,6 +124,7 @@
system_public_prop(exported3_radio_prop)
system_public_prop(exported_audio_prop)
system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_camera_prop)
system_public_prop(exported_config_prop)
system_public_prop(exported_dalvik_prop)
system_public_prop(exported_default_prop)
@@ -141,11 +147,17 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
+system_public_prop(userspace_reboot_config_prop)
system_public_prop(vehicle_hal_prop)
system_public_prop(vendor_security_patch_level_prop)
+system_public_prop(virtual_ab_prop)
+system_public_prop(vndk_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
+# Properties used in default HAL implementations
+vendor_internal_prop(rebootescrow_hal_prop)
+
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
not_compatible_property(`
@@ -184,7 +196,6 @@
system_public_prop(time_prop)
system_public_prop(traced_enabled_prop)
system_public_prop(traced_lazy_prop)
- system_public_prop(virtual_ab_prop)
system_public_prop(config_prop)
system_public_prop(cppreopt_prop)
@@ -452,6 +463,16 @@
neverallow {
domain
-coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
-hal_wifi_server
-wificond
} {
@@ -537,128 +558,7 @@
-system_writes_vendor_properties_violators
} {
property_type
- -apexd_prop
- -audio_prop
- -bluetooth_a2dp_offload_prop
- -bluetooth_audio_hal_prop
- -bluetooth_prop
- -bootloader_boot_reason_prop
- -boottime_prop
- -bpf_progs_loaded_prop
- -cold_boot_done_prop
- -config_prop
- -cppreopt_prop
- -ctl_adbd_prop
- -ctl_apexd_prop
- -ctl_bootanim_prop
- -ctl_bugreport_prop
- -ctl_console_prop
- -ctl_default_prop
- -ctl_dumpstate_prop
- -ctl_fuse_prop
- -ctl_gsid_prop
- -ctl_interface_restart_prop
- -ctl_interface_start_prop
- -ctl_interface_stop_prop
- -ctl_mdnsd_prop
- -ctl_restart_prop
- -ctl_rildaemon_prop
- -ctl_sigstop_prop
- -ctl_start_prop
- -ctl_stop_prop
- -dalvik_prop
- -debug_prop
- -debuggerd_prop
- -default_prop
- -device_logging_prop
- -dhcp_prop
- -dumpstate_options_prop
- -dumpstate_prop
- -exported2_config_prop
- -exported2_default_prop
- -exported2_radio_prop
- -exported2_system_prop
- -exported2_vold_prop
- -exported3_default_prop
- -exported3_radio_prop
- -exported3_system_prop
- -exported_bluetooth_prop
- -exported_config_prop
- -exported_dalvik_prop
- -exported_default_prop
- -exported_dumpstate_prop
- -exported_ffs_prop
- -exported_fingerprint_prop
- -exported_overlay_prop
- -exported_pm_prop
- -exported_radio_prop
- -exported_secure_prop
- -exported_system_prop
- -exported_system_radio_prop
- -exported_vold_prop
- -exported_wifi_prop
+ -system_property_type
-extended_core_property_type
- -sota_prop
- -ffs_prop
- -fingerprint_prop
- -firstboot_prop
- -device_config_activity_manager_native_boot_prop
- -device_config_reset_performed_prop
- -device_config_boot_count_prop
- -device_config_input_native_boot_prop
- -device_config_netd_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -device_config_media_native_prop
- -device_config_storage_native_boot_prop
- -device_config_sys_traced_prop
- -dynamic_system_prop
- -gsid_prop
- -heapprofd_enabled_prop
- -heapprofd_prop
- -hwservicemanager_prop
- -last_boot_reason_prop
- -module_sdkext_prop
- -system_lmk_prop
- -linker_prop
- -log_prop
- -log_tag_prop
- -logd_prop
- -logpersistd_logging_prop
- -lowpan_prop
- -lpdumpd_prop
- -mmc_prop
- -mock_ota_prop
- -net_dns_prop
- -net_radio_prop
- -netd_stable_secret_prop
- -nfc_prop
- -ota_prop
- -overlay_prop
- -pan_result_prop
- -persist_debug_prop
- -persistent_properties_ready_prop
- -pm_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -safemode_prop
- -serialno_prop
- -shell_prop
- -system_boot_reason_prop
- -system_prop
- -system_radio_prop
- -system_trace_prop
- -test_boot_reason_prop
- -test_harness_prop
- -theme_prop
- -time_prop
- -traced_enabled_prop
- -traced_lazy_prop
- -vendor_default_prop
- -vendor_security_patch_level_prop
- -vold_prop
- -wifi_log_prop
- -wifi_prop
}:property_service set;
')
diff --git a/public/property_contexts b/public/property_contexts
index c5b80cf..5e419ee 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -150,6 +150,7 @@
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
+ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
@@ -253,10 +254,10 @@
ro.build.user u:object_r:exported2_default_prop:s0 exact string
ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.extensions. u:object_r:module_sdkext_prop:s0 prefix int
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -298,6 +299,7 @@
aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+config.disable_cameraservice u:object_r:exported_camera_prop:s0 exact bool
gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
@@ -385,20 +387,21 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
-ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
-ro.vndk.version u:object_r:exported_default_prop:s0 exact string
+ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
+ro.vndk.version u:object_r:vndk_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
wifi.active.interface u:object_r:exported_wifi_prop:s0 exact string
wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
wifi.interface u:object_r:exported_default_prop:s0 exact string
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_prop:s0 exact bool
+ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
# public-readable
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
@@ -437,3 +440,16 @@
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
+
+# Binder cache properties. These are world-readable
+cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.bluetooth.get_bond_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_profile_connection_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.is_offloaded_filtering_supported u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
+cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/recovery.te b/public/recovery.te
index 1193354..3bac03d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,7 +85,7 @@
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
- allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
+ allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
diff --git a/public/service.te b/public/service.te
index 8d56fb9..76e642d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,3 +1,4 @@
+type aidl_lazy_test_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -116,6 +117,7 @@
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
@@ -165,6 +167,7 @@
type slice_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_config_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
@@ -203,6 +206,8 @@
### HAL Services
###
+type hal_light_service, vendor_service, service_manager_type;
+type hal_power_service, vendor_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, service_manager_type;
type hal_vibrator_service, vendor_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 532d05f..0a97465 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,6 +106,9 @@
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
@@ -124,6 +127,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
diff --git a/public/simpleperf.te b/public/simpleperf.te
new file mode 100644
index 0000000..218fee7
--- /dev/null
+++ b/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;
diff --git a/public/su.te b/public/su.te
index fa32a4b..16ace6e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -52,6 +52,7 @@
dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing
diff --git a/public/te_macros b/public/te_macros
index f065a21..2d0e050 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -171,16 +171,17 @@
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
allow $1 appdomain_tmpfs:file { execute getattr map read write };
-neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces. llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions. runas_app is excluded, as it can
-# only access debuggable apps.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
')
#####################################
@@ -717,6 +718,34 @@
')
###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
define(`perfetto_producer', `
diff --git a/public/toolbox.te b/public/toolbox.te
index f4b164d..4c2cc3e 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -27,3 +27,12 @@
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };
+
+# chattr +F and chattr +P /data/media in init
+allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_rw_data_file:dir ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
diff --git a/public/traced_perf.te b/public/traced_perf.te
new file mode 100644
index 0000000..f9a0324
--- /dev/null
+++ b/public/traced_perf.te
@@ -0,0 +1 @@
+type traced_perf, domain;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 5333015..7e2cc84 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -21,6 +21,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# Allow traceur_app to use atrace HAL
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 5289bf9..43fe19a 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -16,6 +16,15 @@
### seapp_contexts.
###
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion >= 30.
type untrusted_app, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion = 29.
+type untrusted_app_29, domain;
+# This file defines the rules for untrusted apps running with
+# 25 < targetSdkVersion <= 28.
type untrusted_app_27, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion <= 25.
type untrusted_app_25, domain;
diff --git a/public/update_engine.te b/public/update_engine.te
index a6be3d3..078e494 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -75,3 +75,10 @@
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
dontaudit update_engine gsi_metadata_file:dir search;
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a756dc1..935c314 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -198,32 +198,8 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
- -device_config_activity_manager_native_boot_prop
- -device_config_boot_count_prop
- -device_config_reset_performed_prop
- -device_config_input_native_boot_prop
- -device_config_netd_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -device_config_media_native_prop
- -device_config_storage_native_boot_prop
- -device_config_sys_traced_prop
- -restorecon_prop
- -netd_stable_secret_prop
- -firstboot_prop
- -pm_prop
- -system_boot_reason_prop
- -system_jvmti_agent_prop
- -bootloader_boot_reason_prop
- -last_boot_reason_prop
- -apexd_prop
- -gsid_prop
- -nnapi_ext_deny_product_prop
- -init_svc_debug_prop
- -linker_prop
- -module_sdkext_prop
- -userspace_reboot_exported_prop
- -userspace_reboot_prop
+ -system_internal_property_type
+ -system_restricted_property_type
})
')
@@ -237,6 +213,7 @@
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_camera_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
@@ -254,10 +231,14 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)
diff --git a/public/vold.te b/public/vold.te
index 9f4489d..0ffa119 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -95,6 +95,12 @@
# Allow mounting (lower filesystem) on parts of media for performance
allow vold media_rw_data_file:dir mounton;
+# Allow setting extended attributes (for project quota IDs) on files and dirs
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+};
+
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
@@ -103,6 +109,10 @@
allow vold mnt_user_file:lnk_file create_file_perms;
allow vold mnt_user_file:file create_file_perms;
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
diff --git a/public/wificond.te b/public/wificond.te
index cfca60e..af29511 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, keystore)
add_service(wificond, wificond_service)
@@ -38,5 +39,4 @@
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
-allow wificond keystore:binder call;
allow wificond keystore:keystore_key get;
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
index d592b17..1a7dfaa 100644
--- a/tests/combine_maps.py
+++ b/tests/combine_maps.py
@@ -45,6 +45,11 @@
# Typeattributes in V.v.cil have _V_v suffix, but not in V.v.ignore.cil
bottom_type = m.group(1) if m else top_ta
+ # If type doesn't exist in bottom map, no need to maintain mappings to
+ # that type.
+ if bottom_type not in bottom.rTypeattributesets.keys():
+ continue
+
for bottom_ta in bottom.rTypeattributesets[bottom_type]:
bottom.typeattributesets[bottom_ta].update(top_type_set)
diff --git a/tools/sepolicy-analyze/Android.bp b/tools/sepolicy-analyze/Android.bp
new file mode 100644
index 0000000..ff40c16
--- /dev/null
+++ b/tools/sepolicy-analyze/Android.bp
@@ -0,0 +1,15 @@
+cc_binary_host {
+ name: "sepolicy-analyze",
+ defaults: ["sepolicy_tools_defaults"],
+
+ srcs: [
+ "sepolicy-analyze.c",
+ "dups.c",
+ "neverallow.c",
+ "perm.c",
+ "typecmp.c",
+ "booleans.c",
+ "attribute.c",
+ "utils.c",
+ ],
+}
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
deleted file mode 100644
index 56204a5..0000000
--- a/tools/sepolicy-analyze/Android.mk
+++ /dev/null
@@ -1,15 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy-analyze
-LOCAL_MODULE_TAGS := optional
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_CXX_STL := none
-
-LOCAL_COMPATIBILITY_SUITE := ats cts gts vts sts
-
-include $(BUILD_HOST_EXECUTABLE)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a3726ca..c5a9938 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.1-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
@@ -35,6 +36,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
@@ -49,10 +51,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service.example u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
@@ -61,6 +65,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index e61ba6b..ac30370 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -8,6 +8,7 @@
# Needed for ReadDefaultFstab.
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
+allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
# a GSI-corrected fstab.
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
new file mode 100644
index 0000000..7f84687
--- /dev/null
+++ b/vendor/hal_identity_default.te
@@ -0,0 +1,5 @@
+type hal_identity_default, domain;
+hal_server_domain(hal_identity_default, hal_identity)
+
+type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_identity_default)
diff --git a/vendor/hal_rebootescrow_default.te b/vendor/hal_rebootescrow_default.te
index 99fadde..2625693 100644
--- a/vendor/hal_rebootescrow_default.te
+++ b/vendor/hal_rebootescrow_default.te
@@ -1,8 +1,10 @@
type hal_rebootescrow_default, domain;
hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
+get_prop(hal_rebootescrow_default, rebootescrow_hal_prop);
type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_rebootescrow_default)
type rebootescrow_device, dev_type;
-allow hal_rebootescrow_default rebootescrow_device:chr_file rw_file_perms;
+allow hal_rebootescrow_default rebootescrow_device:{ chr_file blk_file } rw_file_perms;
+allow hal_rebootescrow_default block_device:dir search;
diff --git a/vendor/hal_usb_gadget_default.te b/vendor/hal_usb_gadget_default.te
new file mode 100644
index 0000000..f1486b9
--- /dev/null
+++ b/vendor/hal_usb_gadget_default.te
@@ -0,0 +1,5 @@
+type hal_usb_gadget_default, domain;
+hal_server_domain(hal_usb_gadget_default, hal_usb_gadget)
+
+type hal_usb_gadget_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_gadget_default)