Merge "Adding on_device_intelligence selinux policy to allow system appliations to retrieve this service" into main
diff --git a/OWNERS b/OWNERS
index 61eecb2..1f2ac9b 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,11 +1,9 @@
adamshih@google.com
alanstokes@google.com
bowgotsai@google.com
-cbrubaker@google.com
inseob@google.com
jbires@google.com
jeffv@google.com
jiyong@google.com
smoreland@google.com
-trong@google.com
tweek@google.com
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index e5ee663..4806270 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -48,8 +48,8 @@
"android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
- "android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
- "android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
+ "android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
+ "android.hardware.broadcastradio.IBroadcastRadio/dab": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
@@ -333,7 +333,7 @@
"media.metrics": []string{"mediametrics_aidl_fuzzer"},
"media.extractor": []string{"mediaextractor_service_fuzzer"},
"media.transcoding": EXCEPTION_NO_FUZZER,
- "media.resource_manager": EXCEPTION_NO_FUZZER,
+ "media.resource_manager": []string{"resourcemanager_service_fuzzer", "mediaresourcemanager_fuzzer"},
"media.resource_observer": EXCEPTION_NO_FUZZER,
"media.sound_trigger_hw": EXCEPTION_NO_FUZZER,
"media.drm": EXCEPTION_NO_FUZZER,
@@ -480,7 +480,7 @@
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtualdevice_native": EXCEPTION_NO_FUZZER,
- "virtual_camera": EXCEPTION_NO_FUZZER,
+ "virtual_camera": []string{"virtual_camera_fuzzer"},
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index c799171..2d48c37 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -169,7 +169,6 @@
/dev/pmsg0 pmsg_device
/dev/pn544 nfc_device
/dev/port port_device
-/dev/ppp ppp_device
/dev/ptmx ptmx_device
/dev/pvrsrvkm gpu_device
/dev/kmsg kmsg_device
@@ -189,6 +188,7 @@
/dev/socket socket_device
/dev/socket/does_not_exist socket_device
/dev/socket/adbd adbd_socket
+/dev/socket/aconfigd aconfigd_socket
/dev/socket/dnsproxyd dnsproxyd_socket
/dev/socket/dumpstate dumpstate_socket
/dev/socket/fwmarkd fwmarkd_socket
@@ -199,7 +199,6 @@
/dev/socket/statsdw statsdw_socket
/dev/socket/mdns mdns_socket
/dev/socket/mdnsd mdnsd_socket
-/dev/socket/mtpd mtpd_socket
/dev/socket/ot-daemon/ ot_daemon_socket
/dev/socket/ot-daemon/thread-wpan ot_daemon_socket
/dev/socket/ot-daemon/100 ot_daemon_socket
@@ -215,7 +214,6 @@
/dev/socket/prng_seeder prng_seeder_socket
/dev/socket/property_service property_socket
/dev/socket/property_service_for_system property_socket
-/dev/socket/racoon racoon_socket
/dev/socket/recovery recovery_socket
/dev/socket/rild rild_socket
/dev/socket/rild-debug rild_debug_socket
@@ -367,6 +365,7 @@
/system/bin/mediatranscoding mediatranscoding_exec
/system/bin/mediatuner mediatuner_exec
/system/bin/mdnsd mdnsd_exec
+/system/bin/ot-ctl ot_ctl_exec
/system/bin/installd installd_exec
/system/bin/otapreopt_chroot otapreopt_chroot_exec
/system/bin/otapreopt_slot otapreopt_slot_exec
@@ -384,9 +383,6 @@
/system/bin/dhcpcd dhcp_exec
/system/bin/dhcpcd-6.8.2 dhcp_exec
/system/bin/dmesgd dmesgd_exec
-/system/bin/mtpd mtp_exec
-/system/bin/pppd ppp_exec
-/system/bin/racoon racoon_exec
/system/xbin/su su_exec
/system/bin/dnsmasq dnsmasq_exec
/system/bin/linker system_linker_exec
@@ -407,6 +403,7 @@
/system/bin/perfetto perfetto_exec
/system/bin/misctrl misctrl_exec
/system/bin/mtectrl mtectrl_exec
+/system/bin/kcmdlinectrl kcmdlinectrl_exec
/system/bin/traced traced_exec
/system/bin/traced_perf traced_perf_exec
/system/bin/traced_probes traced_probes_exec
@@ -432,6 +429,7 @@
/system/bin/virtual_touchpad virtual_touchpad_exec
/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
/system/bin/hw/android.system.suspend-service system_suspend_exec
+/system/etc/aconfig system_aconfig_storage_file
/system/etc/cgroups.json cgroup_desc_file
/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
@@ -441,6 +439,7 @@
/system/etc/ld.config. system_linker_config_file
/system/etc/ld.config.test system_linker_config_file
/system/etc/passwd system_passwd_file
+/system/etc/perfetto/persistent_cfg.pbtxt system_perfetto_config_file
/system/etc/seccomp_policy system_seccomp_policy_file
/system/etc/seccomp_policy/crash_dump.x86.policy system_seccomp_policy_file
/system/etc/security/cacerts system_security_cacerts_file
@@ -462,6 +461,7 @@
/system/usr/share/zoneinfo system_zoneinfo_file
/system/usr/share/zoneinfo/0 system_zoneinfo_file
/system/bin/adbd adbd_exec
+/system/bin/aconfigd aconfigd_exec
/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
/system/bin/stats stats_exec
/system/bin/statsd statsd_exec
@@ -495,6 +495,7 @@
/system/vendor/bin/toolbox vendor_toolbox_exec
/vendor/etc vendor_configs_file
/vendor/etc/does_not_exist vendor_configs_file
+/vendor/etc/aconfig vendor_aconfig_storage_file
/system/vendor/etc vendor_configs_file
/system/vendor/etc/does_not_exist vendor_configs_file
/vendor/etc/cgroups.json vendor_cgroup_desc_file
@@ -729,6 +730,8 @@
/system_ext/overlay/does_not_exist vendor_overlay_file
/system/system_ext/overlay vendor_overlay_file
/system/system_ext/overlay/does_not_exist vendor_overlay_file
+/system_ext/etc/aconfig system_aconfig_storage_file
+/product/etc/aconfig system_aconfig_storage_file
/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 9a50f67..519b9dd 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -54,6 +54,9 @@
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
+# adbd may try to restorecon files (see b/328753027)
+allow adbd file_contexts_file:file r_file_perms;
+
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index 1da3f51..d4be205 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -903,6 +903,9 @@
-crash_dump_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file { entrypoint execute execute_no_trans };
')
@@ -983,6 +986,9 @@
-task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file *;
')
diff --git a/prebuilts/api/34.0/public/hal_neverallows.te b/prebuilts/api/34.0/public/hal_neverallows.te
index e77ea9d..1aae9ee 100644
--- a/prebuilts/api/34.0/public/hal_neverallows.te
+++ b/prebuilts/api/34.0/public/hal_neverallows.te
@@ -83,7 +83,13 @@
halserverdomain
-hal_dumpstate_server
-hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
+} {
+ file_type
+ fs_type
+ # May invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
+}:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not
diff --git a/private/aconfigd.te b/private/aconfigd.te
new file mode 100644
index 0000000..43a08ce
--- /dev/null
+++ b/private/aconfigd.te
@@ -0,0 +1,36 @@
+# aconfigd -- manager for aconfig flags
+type aconfigd, domain;
+type aconfigd_exec, exec_type, file_type, system_file_type;
+
+typeattribute aconfigd coredomain;
+
+init_daemon_domain(aconfigd)
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
+
+allow aconfigd metadata_file:dir search;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+
+# allow aconfigd to log to the kernel.
+allow aconfigd kmsg_device:chr_file w_file_perms;
+
+# allow aconfigd to read system/system_ext/product partition storage files
+allow aconfigd system_aconfig_storage_file:file r_file_perms;
+allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
+
+# allow aconfigd to read vendor partition storage files
+allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
+allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
diff --git a/private/app.te b/private/app.te
index 95b85db..b0b5dbb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -464,6 +464,9 @@
# Allow apps to access shared memory file descriptor from the tuner HAL
allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;
+# Allow app to access shared memory created by PowerHAL for FMQ use
+allow { appdomain -isolated_app_all } hal_power_server:fd use;
+
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 015480a..5f835a4 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -46,4 +46,7 @@
profiling_service
aconfig_storage_metadata_file
aconfig_storage_flags_metadata_file
+ aconfigd
+ aconfigd_exec
+ aconfigd_socket
))
diff --git a/private/domain.te b/private/domain.te
index 59e30c8..4692eda 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -227,6 +227,7 @@
-ueventd
-mtectrl
-misctrl
+ -kcmdlinectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Limit ability to ptrace or read sensitive /proc/pid files of processes
@@ -652,6 +653,7 @@
-vendor_task_profiles_file
-vendor_uuid_mapping_config_file
-vndk_sp_file
+ -vendor_aconfig_storage_file
}:file *;
')
@@ -805,6 +807,11 @@
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow { domain -init } mtectrl:process { dyntransition transition };
+neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
+
+# Do not allow write access to aconfig flag value files except init and aconfigd
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
diff --git a/private/file.te b/private/file.te
index 24c118a..fed98f6 100644
--- a/private/file.te
+++ b/private/file.te
@@ -31,6 +31,9 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /system/etc/perfetto for perfetto configs
+type system_perfetto_config_file, file_type, system_file_type;
+
# /data/misc/uprobestats-configs for uprobestats configs
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
@@ -148,3 +151,12 @@
# Type for /sys/devices/uprobe.
type sysfs_uprobe, fs_type, sysfs_type;
+
+# Type for aconfig daemon socket
+type aconfigd_socket, file_type, coredomain_socket;
+
+# Type for /(system|system_ext|product)/etc/aconfig
+type system_aconfig_storage_file, system_file_type, file_type;
+
+# Type for /vendor/etc/aconfig
+type vendor_aconfig_storage_file, vendor_file_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index b9d661a..621e377 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/aconfigd u:object_r:aconfigd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
@@ -288,6 +289,7 @@
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/ot-ctl u:object_r:ot_ctl_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
@@ -333,6 +335,7 @@
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/mtectrl u:object_r:mtectrl_exec:s0
/system/bin/misctrl u:object_r:misctrl_exec:s0
+/system/bin/kcmdlinectrl u:object_r:kcmdlinectrl_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
@@ -357,6 +360,7 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
+/(system|system_ext|product)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@@ -364,6 +368,7 @@
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/passwd u:object_r:system_passwd_file:s0
+/system/etc/perfetto(/.*)? u:object_r:system_perfetto_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
@@ -386,6 +391,7 @@
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/aconfigd u:object_r:aconfigd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
@@ -428,6 +434,8 @@
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+/(vendor|system/vendor)/etc/aconfig(/.*)? u:object_r:vendor_aconfig_storage_file:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e4baeee..5dfec4b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -185,14 +185,10 @@
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
genfscon tracefs /trace u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/hyp u:object_r:debugfs_tracing:s0
genfscon tracefs /hyp u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
@@ -209,23 +205,6 @@
genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-
genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
@@ -244,14 +223,12 @@
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /synthetic_events u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/synthetic_events u:object_r:debugfs_tracing:s0
genfscon tracefs /events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
genfscon tracefs /events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_percent u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
@@ -318,72 +295,6 @@
genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
genfscon securityfs / u:object_r:securityfs:s0
diff --git a/private/kcmdlinectrl.te b/private/kcmdlinectrl.te
new file mode 100644
index 0000000..d569dc0
--- /dev/null
+++ b/private/kcmdlinectrl.te
@@ -0,0 +1,22 @@
+# kcmdlinectrl is a tool to have the bootloader send kernel commandline flags
+# for enabling dogfood features in the kernel
+type kcmdlinectrl, domain, coredomain;
+type kcmdlinectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(kcmdlinectrl)
+
+# for setting kcmdline properties to match the bootloader state.
+set_prop(kcmdlinectrl, kcmdline_prop)
+
+# kcmdlinectrl communicates the request to the bootloader via the misc partition.
+# needs to write to update the request in misc partition, and read to sync
+# back to the property.
+allow kcmdlinectrl misc_block_device:blk_file rw_file_perms;
+allow kcmdlinectrl block_device:dir r_dir_perms;
+read_fstab(kcmdlinectrl)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit kcmdlinectrl sysfs_dt_firmware_android:dir search;
+dontaudit kcmdlinectrl vendor_property_type:file read;
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..7325ce5
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,12 @@
+#
+# ot-ctl is a command line tool for controlling ot-daemon
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, file_type, system_file_type;
+
+# ot-ctl is available in only userdebug or eng build
+userdebug_or_eng(`
+ # ot-ctl connects to ot-daemon via the socket
+ allow ot_ctl ot_daemon_socket:sock_file rw_file_perms;
+')
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 341fa9c..2fc74b5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -39,3 +39,12 @@
# For collecting bugreports.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;
+
+# ot-daemon socket is for only ot-daemon and ot-ctl
+neverallow {
+ domain
+ -ot_daemon
+ userdebug_or_eng(`-ot_ctl')
+ -init
+ -vendor_init
+} ot_daemon_socket:sock_file *;
diff --git a/private/perfetto.te b/private/perfetto.te
index d0088ef..616da39 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -40,6 +40,10 @@
allow perfetto perfetto_configs_data_file:dir r_dir_perms;
allow perfetto perfetto_configs_data_file:file r_file_perms;
+# Allow perfetto to read the trace config from /system/etc/perfetto.
+allow perfetto system_perfetto_config_file:dir r_dir_perms;
+allow perfetto system_perfetto_config_file:file r_file_perms;
+
# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
diff --git a/private/platform_app.te b/private/platform_app.te
index cd95353..eb1a7c7 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -64,10 +64,24 @@
auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
+# Allow sharing traces to betterbug from /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow platform_app trace_data_file:file create_file_perms;
+ allow platform_app trace_data_file:dir rw_dir_perms;
+')
+
# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
userdebug_or_eng(`
allow platform_app wm_trace_data_file:dir rw_dir_perms;
- allow platform_app wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+ allow platform_app wm_trace_data_file:file { getattr setattr create unlink rw_file_perms };
+')
+
+
+# To exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. Allow to access traced's privileged consumer socket.
+userdebug_or_eng(`
+ allow platform_app perfetto_exec:file rx_file_perms;
+ unix_socket_connect(platform_app, traced_consumer, traced);
')
allow platform_app audioserver_service:service_manager find;
diff --git a/private/postinstall.te b/private/postinstall.te
index 7060c59..92ddbbf 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -3,3 +3,6 @@
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
allow postinstall rootfs:dir r_dir_perms;
+
+# Allow invoking `pm` shell commands.
+allow postinstall package_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 536c9d4..f1ecfac 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -179,6 +179,9 @@
# allow privileged apps to read the device config flags.
get_prop(priv_app, device_config_aconfig_flags_prop)
+# allow privileged apps to read boot reason property
+get_prop(priv_app, system_boot_reason_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index 2d030ab..e06c7e7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -24,6 +24,7 @@
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
+system_internal_prop(kcmdline_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
@@ -492,6 +493,15 @@
neverallow {
domain
-init
+ -shell
+ -kcmdlinectrl
+} {
+ kcmdline_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
-system_server
-vendor_init
} zram_control_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 7e31dd7..cb22d64 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -893,6 +893,11 @@
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
persist.arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+# kcmdline props for dogfood experiments
+# All kcmdline properties share the kcmdline_prop context
+kcmdline.loaded u:object_r:kcmdline_prop:s0 exact bool
+kcmdline.binder u:object_r:kcmdline_prop:s0 exact enum c rust
+
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
# Settings system properties containing mutable "global" device settings.
diff --git a/private/shell.te b/private/shell.te
index 60684f4..2b7bd88 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -228,6 +228,9 @@
# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
+# Allow shell to write kcmdline properties even on user builds.
+set_prop(shell, kcmdline_prop)
+
# Allow shell to read the dm-verity props on user builds.
get_prop(shell, verity_status_prop)
diff --git a/private/system_server.te b/private/system_server.te
index a1b7de3..886499e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1528,9 +1528,8 @@
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
# Only system server should access /metadata/aconfig
-# TODO: add storage daemon to neverallow exception when it is introduced
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
diff --git a/private/traced.te b/private/traced.te
index d4e5bec..796095f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -28,6 +28,7 @@
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
+allow traced platform_app:fd use;
allow traced trace_data_file:file { read write };
# Allow perfetto to access the proxy service for notifying Traceur.
@@ -119,6 +120,7 @@
-traced
-dumpstate
-traceur_app
+ -platform_app
-shell
-system_server
-perfetto
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index dde98c0..45dc8a1 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -38,6 +38,9 @@
allow virtual_camera gpu_device:chr_file rw_file_perms;
allow virtual_camera gpu_device:dir r_dir_perms;
+# Allow virtual camera to use graphics composer fd-s (fences).
+allow virtual_camera hal_graphics_composer:fd use;
+
# For collecting bugreports.
allow virtual_camera dumpstate:fd use;
allow virtual_camera dumpstate:fifo_file write;
diff --git a/public/domain.te b/public/domain.te
index 996a149..0a2a5e5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -630,11 +630,6 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# Do not allow write access to the general aconfig pb file and boot flag value files except init
-# TODO: need to add storage daemon into this exception list once it is created
-neverallow { domain -init } aconfig_storage_metadata_file:dir *;
-neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
-
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 0ee0c5f..211fbb7 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -29,10 +29,8 @@
allow hal_drm cgroup_v2:file w_file_perms;
# Allow dumpsys Widevine without root
-userdebug_or_eng(`
- allow hal_drm_server shell:fd use;
- allow hal_drm_server shell:fifo_file write;
-')
+allow hal_drm_server shell:fd use;
+allow hal_drm_server shell:fifo_file write;
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 841576f..edd1c71 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -164,7 +164,7 @@
/(vendor|system/vendor)/lib(64)?/android\.hardware\.common-V2-ndk\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.common\.fmq-V1-ndk\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.allocator-V2-ndk\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V4-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V5-ndk\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.1\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.2\.so u:object_r:same_process_hal_file:s0