Merge "Allow init to set context for super_block_device"
diff --git a/Android.bp b/Android.bp
index eeca38d..2934cd9 100644
--- a/Android.bp
+++ b/Android.bp
@@ -92,6 +92,24 @@
     // top_half: "29.0.ignore.cil",
 }
 
+prebuilt_etc {
+    name: "28.0.compat.cil",
+    src: "private/compat/28.0/28.0.compat.cil",
+    sub_dir: "selinux/mapping",
+}
+
+prebuilt_etc {
+    name: "27.0.compat.cil",
+    src: "private/compat/27.0/27.0.compat.cil",
+    sub_dir: "selinux/mapping",
+}
+
+prebuilt_etc {
+    name: "26.0.compat.cil",
+    src: "private/compat/26.0/26.0.compat.cil",
+    sub_dir: "selinux/mapping",
+}
+
 se_filegroup {
     name: "file_contexts_files",
     srcs: ["file_contexts"],
diff --git a/Android.mk b/Android.mk
index 4e4a641..55a2f81 100644
--- a/Android.mk
+++ b/Android.mk
@@ -202,6 +202,7 @@
 LOCAL_REQUIRED_MODULES += \
     plat_mapping_file \
     $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+    $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
     plat_sepolicy.cil \
     plat_sepolicy_and_mapping.sha256 \
     secilc \
@@ -235,6 +236,7 @@
 LOCAL_REQUIRED_MODULES += \
     sepolicy_tests \
     $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+    $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
 
 endif
 endif
@@ -1284,13 +1286,18 @@
 # given release version.
 version_under_treble_tests := 26.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-
 version_under_treble_tests := 27.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-
 version_under_treble_tests := 28.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 
+version_under_treble_tests := 26.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 27.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 28.0
+include $(LOCAL_PATH)/compat.mk
+
 BASE_PLAT_PUBLIC_POLICY :=
 BASE_PLAT_PRIVATE_POLICY :=
 base_plat_policy.conf :=
diff --git a/compat.mk b/compat.mk
new file mode 100644
index 0000000..b4f8de0
--- /dev/null
+++ b/compat.mk
@@ -0,0 +1,40 @@
+version := $(version_under_treble_tests)
+
+include $(CLEAR_VARS)
+#################################
+# build this target to ensure the compat permissions files all build against the current policy
+#
+LOCAL_MODULE := $(version)_compat_test
+LOCAL_REQUIRED_MODULES := $(version).compat.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+all_cil_files := \
+    $(built_plat_cil) \
+    $(built_plat_mapping_cil) \
+    $(built_pub_vers_cil) \
+    $(built_vendor_cil) \
+    $(ALL_MODULES.$(version).compat.cil.BUILT) \
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += \
+    $(built_product_cil) \
+    $(built_product_mapping_cil) \
+
+endif
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
+	@mkdir -p $(dir $@)
+	$(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+	$(hide) mv $@.tmp $@
+
+all_cil_files :=
+version :=
+version_under_treble_tests :=
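Review bot: The recipe on the `$(LOCAL_BUILT_MODULE)` rule passes `-N` to secilc, which disables neverallow checking, so this target only proves that `$(version).compat.cil` parses and that every type it names exists in the current policy; the header comment's "all build against the current policy" should say that neverallows are not enforced here (presumably deliberate, since the compat rules grant vendordomain ioctl ranges that the platform's neverallowxperm rules would otherwise reject). `$(HOST_OUT_EXECUTABLES)/sepolicy-analyze` is listed as a prerequisite but never used in the recipe and can be dropped. Suggested comment: `# build this target to ensure the compat cil files parse and their types resolve against the current policy (neverallows are NOT checked here: -N)`.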
diff --git a/prebuilts/api/28.0/private/atrace.te b/prebuilts/api/28.0/private/atrace.te
index 1b86d3e..630935d 100644
--- a/prebuilts/api/28.0/private/atrace.te
+++ b/prebuilts/api/28.0/private/atrace.te
@@ -22,8 +22,6 @@
 binder_use(atrace)
 allow atrace healthd:binder call;
 allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-
 get_prop(atrace, hwservicemanager_prop)
 
 allow atrace {
diff --git a/prebuilts/api/28.0/private/init.te b/prebuilts/api/28.0/private/init.te
index e9959d3..8ba050f 100644
--- a/prebuilts/api/28.0/private/init.te
+++ b/prebuilts/api/28.0/private/init.te
@@ -20,3 +20,6 @@
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
 ')
+
+# Allow the BoringSSL self test to request a reboot upon failure
+set_prop(init, powerctl_prop)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 8c91561..be0a598 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -234,73 +234,22 @@
 # - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
-  -same_process_hwservice
-  -coredomain_hwservice
+  -fwk_bufferhub_hwservice
+  -hal_cas_hwservice
   -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
-  -hal_omx_hwservice
-  -hal_cas_hwservice
+  -hal_graphics_mapper_hwservice
   -hal_neuralnetworks_hwservice
+  -hal_omx_hwservice
+  -hal_renderscript_hwservice
+  -hidl_allocator_hwservice
+  -hidl_manager_hwservice
+  -hidl_memory_hwservice
+  -hidl_token_hwservice
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
-# Make sure that the following services are never accessible by untrusted_apps
-neverallow all_untrusted_apps {
-  default_android_hwservice
-  hal_atrace_hwservice
-  hal_audio_hwservice
-  hal_authsecret_hwservice
-  hal_bluetooth_hwservice
-  hal_bootctl_hwservice
-  hal_camera_hwservice
-  hal_confirmationui_hwservice
-  hal_contexthub_hwservice
-  hal_drm_hwservice
-  hal_dumpstate_hwservice
-  hal_fingerprint_hwservice
-  hal_gatekeeper_hwservice
-  hal_gnss_hwservice
-  hal_graphics_composer_hwservice
-  hal_health_hwservice
-  hal_input_classifier_hwservice
-  hal_ir_hwservice
-  hal_keymaster_hwservice
-  hal_light_hwservice
-  hal_memtrack_hwservice
-  hal_nfc_hwservice
-  hal_oemlock_hwservice
-  hal_power_hwservice
-  hal_power_stats_hwservice
-  hal_secure_element_hwservice
-  hal_sensors_hwservice
-  hal_telephony_hwservice
-  hal_thermal_hwservice
-  hal_tv_cec_hwservice
-  hal_tv_input_hwservice
-  hal_usb_hwservice
-  hal_vibrator_hwservice
-  hal_vr_hwservice
-  hal_weaver_hwservice
-  hal_wifi_hwservice
-  hal_wifi_offload_hwservice
-  hal_wifi_supplicant_hwservice
-  hidl_base_hwservice
-  system_net_netd_hwservice
-  thermalcallback_hwservice
-}:hwservice_manager find;
-# HwBinder services offered by core components (as opposed to vendor components)
-# are considered somewhat safer due to point #2 above.
-neverallow all_untrusted_apps {
-  coredomain_hwservice
-  -same_process_hwservice
-  -fwk_bufferhub_hwservice # Designed for use by any domain
-  -hidl_allocator_hwservice # Designed for use by any domain
-  -hidl_manager_hwservice # Designed for use by any domain
-  -hidl_memory_hwservice # Designed for use by any domain
-  -hidl_token_hwservice # Designed for use by any domain
-}:hwservice_manager find;
-
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 
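Review bot: The exemption list in the rewritten `neverallow all_untrusted_apps { hwservice_manager_type ... }` drops the per-entry justifications the deleted third rule carried (`# Designed for use by any domain` on fwk_bufferhub, hidl_allocator, hidl_manager, hidl_memory and hidl_token), and hal_graphics_mapper_hwservice and hal_renderscript_hwservice appear as new explicit exemptions with no stated reason, presumably standing in for the removed `-same_process_hwservice` carve-out. Every entry here widens what untrusted apps may look up in hwservicemanager, so each should carry its rationale inline, e.g. `-hal_graphics_mapper_hwservice # same-process HAL, no IPC boundary crossed` and `-hidl_token_hwservice # Designed for use by any domain`. The bullet comment above the rule (mostly outside the hunk) should be extended to match if it enumerates the exemptions.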
diff --git a/private/atrace.te b/private/atrace.te
index 0cdd35a..8de1826 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -28,6 +28,7 @@
 allow atrace healthd:binder call;
 allow atrace surfaceflinger:binder call;
 allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
 
 get_prop(atrace, hwservicemanager_prop)
 
diff --git a/private/bpfloader.te b/private/bpfloader.te
index d9b29ce..00d4c79 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,8 +17,8 @@
 ###
 ### Neverallow rules
 ###
-neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
diff --git a/private/clatd.te b/private/clatd.te
index 5ba0fc5..0fa774a 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -1 +1,36 @@
-typeattribute clatd coredomain;
+# 464xlat daemon
+type clatd, domain, coredomain;
+type clatd_exec, system_file_type, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
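Review bot: `allow clatd tun_device:chr_file rw_file_perms;` still grants `open` on /dev/tun, even though this move drops clatd's `tun_socket` permission and its TUNSETIFF/TUNGETIFF allowxperm, and the netd.te hunk in this same change states that netd now opens and sets up the tun device and passes it to clatd. If clatd only ever uses the inherited descriptor, tighten this to `allow clatd tun_device:chr_file { read write getattr };` so clatd cannot open fresh tun devices on its own. The TODO about close-on-exec on sockets inherited from netd is carried over unchanged; it now also applies to the newly inherited tun fd and is worth re-examining.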
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
new file mode 100644
index 0000000..9031d15
--- /dev/null
+++ b/private/compat/26.0/26.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
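Review bot: These two `allowx` rules grant every ioctl (`range 0x0000 0xffff`) on every `file_type` file and every `dev_type` block device to every non-coredomain, with no comment saying why. That is a deliberate and very broad relaxation of the platform's per-ioctl allowlisting for vendor domains, presumably so a vendor image frozen at this API level keeps working, and a maintainer should not have to reconstruct that from the filename. Add a CIL comment at the top such as `; Compat rules for vendor images built against API 26.0: vendor domains from that release predate mandatory ioctl allowlisting, so permit the full ioctl range on files and block devices.`, and state whether the exempted classes are meant to track exactly what the 26.0 policy allowed.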
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
new file mode 100644
index 0000000..9031d15
--- /dev/null
+++ b/private/compat/27.0/27.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
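Review bbot: This file is byte-identical to private/compat/26.0/26.0.compat.cil (both carry blob 9031d15 in their index lines, as does the 28.0 copy), so three copies of a security-relevant exemption will drift over time. Either keep a single source and point all three `prebuilt_etc` modules in Android.bp at it via `src`, or add a header comment `; keep in sync with 26.0/ and 28.0/ compat.cil` so a change to one copy is not silently missed in the others.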
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index e34cdb8..d8bc4c3 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1379,6 +1379,7 @@
   ( proc
     proc_fs_verity
     proc_keys
+    proc_lowmemorykiller
     proc_pressure_cpu
     proc_pressure_io
     proc_pressure_mem
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
new file mode 100644
index 0000000..9031d15
--- /dev/null
+++ b/private/compat/28.0/28.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
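Review bot: This file duplicates private/compat/26.0/26.0.compat.cil and 27.0.compat.cil byte for byte (index blob 9031d15 on all three), and like them it carries no comment explaining why every vendor domain receives the full ioctl range on all files and block devices. If the three must remain separate files, add `; Identical to 26.0/27.0 compat.cil - keep in sync. Grants pre-allowlisting vendor images the full ioctl range.` at the top so the exemption and its coupling are visible to whoever edits it next.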
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index f07103d..efdbd5d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,6 +47,7 @@
     device_config_sys_traced_prop
     dnsresolver_service
     dynamic_android_service
+    dynamic_system_prop
     face_service
     face_vendor_data_file
     fastbootd
diff --git a/private/genfs_contexts b/private/genfs_contexts
index af3d8b9..cc00c2f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -13,6 +13,7 @@
 genfscon proc /keys u:object_r:proc_keys:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index ebfff76..9e17d06 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -31,6 +31,10 @@
 # Needed for interactive shell
 allow gpuservice devpts:chr_file { read write getattr };
 
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development
diff --git a/private/netd.te b/private/netd.te
index 4c129b7..41473b7 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -5,8 +5,9 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
-# Allow netd to start clatd in its own domain
+# Allow netd to start clatd in its own domain and kill it
 domain_auto_trans(netd, clatd_exec, clatd)
+allow netd clatd:process signal;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
diff --git a/private/priv_app.te b/private/priv_app.te
index c5251a9..35ad8c2 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -162,6 +162,9 @@
 # profileable/debuggable.
 can_profile_heap(priv_app)
 
+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
@@ -170,6 +173,7 @@
 dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_net:file read;
 dontaudit priv_app proc_stat:file read;
 dontaudit priv_app proc_version:file read;
 dontaudit priv_app sysfs:dir read;
diff --git a/private/property_contexts b/private/property_contexts
index da09b82..dd08c32 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0
diff --git a/private/system_app.te b/private/system_app.te
index d71ef72..e8627151 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -49,6 +49,8 @@
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
 auditallow system_app exported_system_radio_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)
diff --git a/private/system_server.te b/private/system_server.te
index 14c6dd6..4bf8f8e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -123,6 +123,10 @@
 allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
 
+# Set scheduling info for psi monitor thread.
+# TODO: delete this line b/131761776
+allow system_server kernel:process { getsched setsched };
+
 # Allow system_server to write to /proc/<pid>/*
 allow system_server domain:file w_file_perms;
 
@@ -644,6 +648,9 @@
 allow system_server system_file:dir r_dir_perms;
 allow system_server system_file:lnk_file r_file_perms;
 
+# ART locks profile files.
+allow system_server system_file:file lock;
+
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_control:file rw_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e6df48d..348d3ce 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -32,3 +32,5 @@
     system_data_file
     vold_data_file
 }:file { getattr unlink };
+
+dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
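Review bot: `dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;` silences denials on `unlabeled` files, which normally indicate a labeling gap rather than noise, so this hides exactly the evidence needed to fix the labels; it also suppresses the full `r_file_perms` set rather than the permission that was actually being denied. Add a comment naming the path that produces these denials and why relabeling is not an option, e.g. `# Suppress noise from <path>, which is unlabeled because <reason>; do not grant.`, and narrow the permission set to what the denial logs show (if only `getattr` was seen, suppress only that).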
diff --git a/public/clatd.te b/public/clatd.te
deleted file mode 100644
index 7d3d40e..0000000
--- a/public/clatd.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# 464xlat daemon
-type clatd, domain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
-  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
-allowxperm clatd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 62e1a32..d189c89 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -15,11 +15,11 @@
 
 # Inherit and use open files from netd.
 allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { read write };
+allow dnsmasq netd:fifo_file { getattr read write };
 # TODO: Investigate whether these inherited sockets should be closed on exec.
 allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
 allow dnsmasq netd:netlink_nflog_socket { read write };
 allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { read write };
+allow dnsmasq netd:unix_stream_socket { getattr read write };
 allow dnsmasq netd:unix_dgram_socket { read write };
 allow dnsmasq netd:udp_socket { read write };
diff --git a/public/domain.te b/public/domain.te
index a415646..bfc1860 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -742,16 +742,6 @@
   });
 ')
 
-  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
-full_treble_only(`
-  neverallow_establish_socket_comms({
-    domain
-    -coredomain
-    -netdomain
-    -socket_between_core_and_vendor_violators
-  }, netd);
-')
-
   # Vendor domains are not permitted to initiate create/open sockets owned by core domains
 full_treble_only(`
   neverallow {
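Review bot: Deleting the `neverallow_establish_socket_comms({ domain -coredomain -netdomain -socket_between_core_and_vendor_violators }, netd)` rule removes a Treble boundary check with nothing added in its place and no rationale in this hunk. If the generic rule that follows ("Vendor domains are not permitted to initiate create/open sockets owned by core domains", whose body is outside the hunk) already covers netd's sockets, a one-line comment where the rule stood, e.g. `# netd sockets are covered by the coredomain_socket neverallow below`, would stop the next reader from reintroducing it; if it does not, this is a silent relaxation of what vendor processes may talk to and needs justification. The `full_treble_only(` block that begins here continues outside the hunk.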
diff --git a/public/file.te b/public/file.te
index d906b7f..536179b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -32,6 +32,7 @@
 type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
+type proc_lowmemorykiller, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
 type proc_meminfo, fs_type, proc_type;
 type proc_misc, fs_type, proc_type;
diff --git a/public/init.te b/public/init.te
index 87e8901..86e0d32 100644
--- a/public/init.te
+++ b/public/init.te
@@ -485,9 +485,9 @@
 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
 allow init self:global_capability_class_set net_raw;
 
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow init kernel:process setsched;
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
 
 # swapon() needs write access to swap device
 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
diff --git a/public/lmkd.te b/public/lmkd.te
index 51d1aa2..c90987b 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -23,6 +23,7 @@
 
 # setsched and send kill signals
 allow lmkd appdomain:process { setsched sigkill };
+# TODO: delete this line b/131761776
 allow lmkd kernel:process { setsched };
 
 # Clean up old cgroups
@@ -47,6 +48,9 @@
 # reboot because orderly shutdown may not be possible.
 allow lmkd proc_sysrq:file rw_file_perms;
 
+# Read /proc/lowmemorykiller
+allow lmkd proc_lowmemorykiller:file r_file_perms;
+
 # Read /proc/meminfo
 allow lmkd proc_meminfo:file r_file_perms;
 
diff --git a/public/mtp.te b/public/mtp.te
index c744343..add63c0 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -5,7 +5,7 @@
 net_domain(mtp)
 
 # pptp policy
-allow mtp self:socket create_socket_perms_no_ioctl;
+allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
 allow mtp self:global_capability_class_set net_raw;
 allow mtp ppp:process signal;
 allow mtp vpn_data_file:dir search;
diff --git a/public/netd.te b/public/netd.te
index c4a9136..c15a03b 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -19,6 +19,11 @@
 # for netd to operate.
 dontaudit netd self:global_capability_class_set fsetid;
 
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
@@ -57,8 +62,8 @@
 
 r_dir_file(netd, cgroup_bpf)
 
-allow netd fs_bpf:dir  create_dir_perms;
-allow netd fs_bpf:file create_file_perms;
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write setattr };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
@@ -76,9 +81,6 @@
 # Allow netd to spawn dnsmasq in it's own domain
 allow netd dnsmasq:process signal;
 
-# Allow netd to start clatd in its own domain
-allow netd clatd:process signal;
-
 set_prop(netd, ctl_mdnsd_prop)
 set_prop(netd, netd_stable_secret_prop)
 
@@ -151,9 +153,6 @@
     -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
-# only netd can create the bpf maps
-neverallow { domain -netd } netd:bpf { map_create };
-
 # apps may not interact with netd over binder.
 neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
diff --git a/public/ppp.te b/public/ppp.te
index 0fc3bee..b736def 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -7,11 +7,11 @@
 
 r_dir_file(ppp, proc_net_type)
 
-allow ppp mtp:socket rw_socket_perms;
+allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
 
 # ioctls needed for VPN.
 allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:socket ioctl ppp_ioctls;
+allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
 
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
diff --git a/public/property.te b/public/property.te
index a5b5e95..8cb19fb 100644
--- a/public/property.te
+++ b/public/property.te
@@ -43,6 +43,7 @@
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
 type dumpstate_prop, property_type, core_property_type;
+type dynamic_system_prop, property_type;
 type exported_secure_prop, property_type;
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
@@ -423,6 +424,7 @@
     -device_config_runtime_native_prop
     -device_config_media_native_prop
     -device_config_sys_traced_prop
+    -dynamic_system_prop
     -gsid_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
diff --git a/public/property_contexts b/public/property_contexts
index 0884f87..d79c615 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -209,9 +209,8 @@
 ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
 ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
 ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
-ro.bootimage.build.date u:object_r:exported2_default_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:exported2_default_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:exported2_default_prop:s0 exact string
+ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
+ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
 ro.bootloader u:object_r:exported2_default_prop:s0 exact string
 ro.build.date u:object_r:exported2_default_prop:s0 exact string
 ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
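Review bot: Moving `ro.bootimage.build.date`, `ro.bootimage.build.date.utc` and `ro.bootimage.build.fingerprint` from `exported2_default_prop` to `exported_default_prop` changes which domains may read them, since the two types have different get_prop grants elsewhere in the policy, and nothing in the hunk says who needs the boot image fingerprint or why the previous label was wrong. A comment on the moved lines, e.g. `# read by <domain> to check the installed boot image`, or a commit note naming the consumer would make the visibility change auditable. The new `ro.boot.dynamic_partitions*` entries also land between `ro.boot.veritymode` and `ro.bootloader`, which appears to break the alphabetical order this section otherwise follows.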
@@ -270,7 +269,12 @@
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
 ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
 ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
 ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
 ro.carrier u:object_r:exported_default_prop:s0 exact string
 ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
 ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
diff --git a/public/shell.te b/public/shell.te
index 42a19b0..56196c3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -80,6 +80,8 @@
 set_prop(shell, heapprofd_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
 
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
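Review bot: `set_prop(shell, dynamic_system_prop)` is unconditional, so on user builds an adb shell can set `persist.sys.fflag.override.settings_dynamic_system` (labeled dynamic_system_prop in this change) and enable Dynamic System Update without going through Settings. If this is a developer convenience, move it into the `userdebug_or_eng(` block that begins immediately below; if enabling DSU from adb on user builds is intended, say so in the comment, e.g. `# Allow shell to enable Dynamic System Update (deliberately available on user builds for adb-driven DSU installs)`, so the grant is not mistaken for an oversight.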
diff --git a/public/su.te b/public/su.te
index 346b1fe..a2f435e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -51,6 +51,7 @@
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
   dontaudit su domain:bpf *;
+  dontaudit su unlabeled:vsock_socket *;
 
   # VTS tests run in the permissive su domain on debug builds, but the HALs
   # being tested run in enforcing mode. Because hal_foo_server is enforcing
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 0209678..a55a921 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -378,7 +378,7 @@
 {
     const char *keyword = "neverallow";
     size_t keyword_size = strlen(keyword), len;
-    struct avrule *neverallows = NULL, *avrule;
+    struct avrule *neverallows = NULL, *avrule = NULL;
     char *p, *start;
     int result;
 
diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c
index b4571a6..1b7bcdb 100644
--- a/tools/sepolicy-analyze/sepolicy-analyze.c
+++ b/tools/sepolicy-analyze/sepolicy-analyze.c
@@ -50,7 +50,7 @@
     if (argc < 3)
         usage(argv[0]);
     policy = argv[1];
-    if(load_policy(policy, &policydb, &pf))
+    if(!load_policy(policy, &policydb, &pf))
         exit(1);
     for(i = 0; i < NUM_COMPONENTS; i++) {
         if (!strcmp(analyze_components[i].key, argv[2])) {
diff --git a/tools/sepolicy-analyze/utils.c b/tools/sepolicy-analyze/utils.c
index 5e52f59..af93f71 100644
--- a/tools/sepolicy-analyze/utils.c
+++ b/tools/sepolicy-analyze/utils.c
@@ -22,28 +22,26 @@
            (policydb, key->target_class, perms));
 }
 
-int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf)
+bool load_policy(char *filename, policydb_t * policydb, struct policy_file *pf)
 {
-    int fd;
+    int fd = -1;
     struct stat sb;
-    void *map;
-    int ret;
+    void *map = MAP_FAILED;
+    bool ret = false;
 
     fd = open(filename, O_RDONLY);
     if (fd < 0) {
         fprintf(stderr, "Can't open '%s':  %s\n", filename, strerror(errno));
-        return 1;
+        goto cleanup;
     }
     if (fstat(fd, &sb) < 0) {
         fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
-        close(fd);
-        return 1;
+        goto cleanup;
     }
     map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
     if (map == MAP_FAILED) {
         fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
-        close(fd);
-        return 1;
+        goto cleanup;
     }
 
     policy_file_init(pf);
@@ -52,17 +50,21 @@
     pf->len = sb.st_size;
     if (policydb_init(policydb)) {
         fprintf(stderr, "Could not initialize policydb!\n");
-        close(fd);
-        munmap(map, sb.st_size);
-        return 1;
+        goto cleanup;
     }
-    ret = policydb_read(policydb, pf, 0);
-    if (ret) {
+    if (policydb_read(policydb, pf, 0)) {
         fprintf(stderr, "error(s) encountered while parsing configuration\n");
-        close(fd);
-        munmap(map, sb.st_size);
-        return 1;
+        goto cleanup;
     }
 
-    return 0;
+    ret = true;
+
+cleanup:
+    if (map != MAP_FAILED) {
+        munmap(map, sb.st_size);
+    }
+    if (fd >= 0) {
+        close(fd);
+    }
+    return ret;
 }
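Review bot: When `policydb_read` fails, the `policydb` that `policydb_init` just set up is never torn down before `goto cleanup`, so that error path leaks it; add `policydb_destroy(policydb);` immediately before the `goto cleanup;` in that branch. Separately, the success path now unmaps `map` and closes `fd` while `pf->data` (assigned just above this hunk) still points into the released mapping; that is only safe if `policydb_read` has copied everything it needs and callers never touch `pf` afterwards, which is presumably the case, so a comment on `cleanup:` such as `/* policydb_read has copied the data; the mapping is no longer needed */` would make the contract explicit. `load_policy` begins in the previous hunk.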
diff --git a/tools/sepolicy-analyze/utils.h b/tools/sepolicy-analyze/utils.h
index 83f5a78..cef6ca3 100644
--- a/tools/sepolicy-analyze/utils.h
+++ b/tools/sepolicy-analyze/utils.h
@@ -11,6 +11,6 @@
 
 void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms);
 
-int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf);
+bool load_policy(char *filename, policydb_t * policydb, struct policy_file *pf);
 
 #endif /* UTILS_H */
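Review bot: The prototype now returns `bool`, which requires `<stdbool.h>` in this header; the include list is outside the hunk, so if utils.h does not already pull it in, any translation unit that includes utils.h before a stdbool include will fail to compile. Add `#include <stdbool.h>` at the top of utils.h rather than relying on utils.c's own includes.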