Merge "Update seapp_contexts documentation comments."
diff --git a/Android.mk b/Android.mk
index df4a004..5f59e19 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,11 +52,17 @@
# - compile output binary policy file
PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-PRODUCT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-PRODUCT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
+PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
# TODO(b/119305624): Currently if the device doesn't have a product partition,
# we install product sepolicy into /system/product. We do that because bits of
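Review bot: The `ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))` tests on the new lines (and the PRIVATE twin) only work because make trims whitespace inside the parentheses; written with a space before the comma they read as a literal one-space comparison, and the usual idiom `ifneq ($(strip $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)),)` is both clearer and tolerant of whitespace-only values. The `$(filter-out ...)` lines in the second hunk (the BASE_PLAT_* assignments) undo this append by exact word match, so if the board variable is ever normalised differently in one place than the other the exclusion silently stops working. A comment above the `+=` lines, e.g. `# Board sepolicy dirs are compiled into the platform policy here but are filtered back out for BASE_PLAT_* (compatibility mapping below).`, would make that coupling visible to whoever next edits either end.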
@@ -1197,8 +1203,8 @@
# plat_sepolicy - the current platform policy only, built into a policy binary.
# TODO - this currently excludes partner extensions, but support should be added
# to enable partners to add their own compatibility mapping
-BASE_PLAT_PUBLIC_POLICY := $(PLAT_PUBLIC_POLICY)
-BASE_PLAT_PRIVATE_POLICY := $(PLAT_PRIVATE_POLICY)
+BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY))
+BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY))
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c96f19..e46c4ef 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -20,7 +20,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
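Review bot: Only the user-build rule gains `lnk_file`; on userdebug/eng builds `userdebug_or_eng(`-domain')` reduces the set on the changed line to nothing, so the rule that actually applies there is the one above it, which still covers `file` only. If the intent is the same coverage of debugfs symlinks on both build types, the preceding line should become `neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:{ file lnk_file } read;`. The debugfs_kcov carve-out presumably stays, matching the rw access granted to it in private/untrusted_app_all.te.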
@@ -334,3 +334,13 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+
+# TODO(b/113362644): remove open permission from these domains.
+# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
+#neverallow {
+# all_untrusted_apps
+# TODO(b/113362644): route mediaprovider to ashmemd
+# -mediaprovider
+# -untrusted_app_25
+# -untrusted_app_27
+#} ashmem_device:chr_file open;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index aa5be4c..e221666 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -100,6 +100,7 @@
neverallow app_zygote {
service_manager_type
-activity_service
+ -ashmem_device_service
-webviewupdate_service
}:service_manager find;
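Review bot: The new `-ashmem_device_service` exclusion in the app_zygote neverallow (and the identical one in private/webview_zygote.te) carries no comment, so a reader cannot tell where the matching allow comes from; it appears to be the coredomain-wide `ashmem_device_service:service_manager find` rule in private/coredomain.te, assuming both zygotes are coredomain, which this diff does not show. A short comment next to the exclusion, e.g. `# ashmem_device_service: needed to obtain /dev/ashmem fds from ashmemd`, would tie the two together the way isolated_app.te already does in its header comment.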
diff --git a/private/ashmemd.te b/private/ashmemd.te
new file mode 100644
index 0000000..08df515
--- /dev/null
+++ b/private/ashmemd.te
@@ -0,0 +1,9 @@
+typeattribute ashmemd coredomain;
+type ashmemd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(ashmemd)
+
+binder_use(ashmemd)
+add_service(ashmemd, ashmem_device_service)
+
+allow ashmemd ashmem_device:chr_file rw_file_perms;
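Review bot: The new ashmemd.te has no header comment, although this domain becomes reachable over binder from every app domain (private/untrusted_app_all.te and public/app.te in this change) and hands out fds that `allow domain ashmemd:fd use;` in public/domain.te lets any domain use. Note also that the final `allow ashmemd ashmem_device:chr_file rw_file_perms;` is currently shadowed by the domain-wide rule in public/domain.te and only starts mattering once `-coredomain` is uncommented there. A two-line header stating that ashmemd exists solely to broker /dev/ashmem fds, and that the direct device rule is the one that survives the planned domain.te exclusion, would document the least-privilege expectation for future additions to this file.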
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 924726c..c989825 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -20,6 +20,8 @@
app_prediction_service
app_zygote
app_zygote_tmpfs
+ ashmemd
+ ashmem_device_service
biometric_service
bpf_progs_loaded_prop
bugreport_service
@@ -107,6 +109,7 @@
system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
+ system_suspend_control_service
staging_data_file
task_profiles_file
testharness_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 9899d02..ebad8e7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -188,3 +188,18 @@
full_treble_only(`
neverallow coredomain tee_device:chr_file { open read append write ioctl };
')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+allow {
+ coredomain
+ -init
+ -iorapd
+ -perfprofd
+} ashmem_device_service:service_manager find;
+
+binder_call({
+ coredomain
+ -init
+ -iorapd
+ -perfprofd
+}, ashmemd)
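Review bot: The `-init -iorapd -perfprofd` exclusions appear twice, in the `find` allow and again in the `binder_call`, with no explanation of why those three coredomain members are left out; the reason is not visible in this diff and a reader has to guess whether it is a neverallow elsewhere or simply that they do not need ashmem. A comment above the first rule, e.g. `# init, iorapd and perfprofd are excluded because <reason>`, plus a note that the two lists must stay identical, would prevent them drifting apart. Since these rules are presumably what give app_zygote, webview_zygote and other coredomain members their access, that is also the natural place to say so.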
diff --git a/private/file_contexts b/private/file_contexts
index b793e82..0c37525 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -186,6 +186,7 @@
/system(/.*)? u:object_r:system_file:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/ashmemd u:object_r:ashmemd_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 7aa28aa..9dbe923 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,3 +3,6 @@
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
+
+# To talk to ashmemd
+binder_use(hal_allocator_default)
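Review bot: The comment `# To talk to ashmemd` is attached to a bare `binder_use(hal_allocator_default)`, which gives the domain binder access but not permission to find ashmem_device_service or to call ashmemd; those must come from elsewhere, presumably the coredomain rules in private/coredomain.te if hal_allocator_default is coredomain, which this diff does not show. Spelling that out, e.g. `# To talk to ashmemd (find/call are granted via coredomain.te)`, keeps the comment from overstating what this line grants.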
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 017f46b..8a0f96b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -90,10 +90,12 @@
# b/17487348
# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
+# activity_service, display_service, webviewupdate_service, and
+# ashmem_device_service.
neverallow isolated_app {
service_manager_type
-activity_service
+ -ashmem_device_service
-display_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faa..61fdaab 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -32,6 +32,13 @@
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
+# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
+# into /postinstall/bionic/.
+allow otapreopt_chroot postinstall_file:file mounton;
+# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
+# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
+allow otapreopt_chroot postinstall_file:lnk_file read;
+
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;
diff --git a/private/service.te b/private/service.te
index 89664e4..1bec3ce 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type ashmem_device_service, app_api_service, service_manager_type;
type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
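Review bot: `ashmem_device_service` is declared with `app_api_service` only, while the same change removes ephemeral_app from the direct `/dev/ashmem` rule in public/domain.te (`-ephemeral_app` there is live, unlike the commented-out exclusions). Unless ephemeral_app already finds app_api_service types, which is not visible here, ephemeral apps would lose both the direct device and the broker route. Either add `ephemeral_app_api_service` to this type, as surfaceflinger_service in public/service.te does, or state in a comment why ephemeral apps are meant to have no ashmem access at all.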
diff --git a/private/service_contexts b/private/service_contexts
index 965304c..1462033 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,7 @@
app_binding u:object_r:app_binding_service:s0
app_prediction u:object_r:app_prediction_service:s0
apexservice u:object_r:apex_service:s0
+ashmem_device_service u:object_r:ashmem_device_service:s0
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
@@ -182,6 +183,7 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+suspend_control u:object_r:system_suspend_control_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
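Review bot: The new binder name `ashmem_device_service` is the same string as its SELinux type, whereas the neighbouring entries (`apexservice`, `gsiservice`, `suspend_control`) use a short service name distinct from their `*_service` type. If the daemon registers under the longer name for a reason, a short comment on that line saying so would stop it being "normalised" later; otherwise `ashmem_device u:object_r:ashmem_device_service:s0` would follow the file's convention.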
diff --git a/private/system_server.te b/private/system_server.te
index 49b5498..2cf5ea7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -53,6 +53,12 @@
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values whitelisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:global_capability_class_set {
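Review bot: `allow system_server appdomain:tcp_socket ioctl;` grants the ioctl permission on every app's TCP socket while the keepalive-offload ioctl it is meant for is not granted here; as the comment says, the effective command set is currently bounded by the allowxperm in public/domain.te, so the real scope of this rule depends on a rule outside this file that a later edit could loosen without noticing. A `# TODO(<bug-id>): add the allowxperm for the keepalive offload ioctl(s)` line next to the rule, and a sentence naming the domain.te allowxperm as the thing that keeps this from being unrestricted, would record that dependency.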
@@ -991,6 +997,9 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_service:service_manager find;
+
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
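Review bot: The new `find` on system_suspend_control_service is only half of what system_server needs to use the control interface; the binder call to hal_system_suspend_server is not granted in this hunk, and presumably comes from `binder_call(hal_system_suspend_client, hal_system_suspend_server)` in public/hal_system_suspend.te if system_server carries that attribute, which the diff does not show. Extending the comment to `# Allow system server to communicate to system-suspend's control interface (binder call comes via hal_system_suspend_client)` would make the chain checkable.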
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7cccbac..5e669c7 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -56,3 +56,7 @@
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
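Review bot: `allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;` (and the identical rule in private/untrusted_app_27.te) is currently redundant: the domain-wide rule in public/domain.te still includes untrusted_app_all because `-untrusted_app_all` is commented out there, and untrusted_app_25 is presumably a member of it. The rule only becomes effective once that exclusion is enabled, which the comment should say so nobody removes it as dead policy in the meantime, e.g. `# Kept for compat: becomes the only grant once domain.te excludes untrusted_app_all (b/113362644).`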
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0c9c684..7427b68 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2c44627..2d07ecd 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,3 +176,9 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+binder_call(untrusted_app_all, ashmemd)
+
+# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
+# message with info on how to fix that.
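Review bot: The closing TODO asks to audit apps that still open /dev/ashmem directly but adds no policy for it; the file already has the pattern for exactly this on the dex2oat rule above, so the policy half could be `userdebug_or_eng(`auditallow untrusted_app_all ashmem_device:chr_file open;')` placed next to the TODO. That would also log untrusted_app_25/27, which are meant to keep direct access, so the TODO should say whether that noise is acceptable or whether the audit should exclude them. The `binder_call(untrusted_app_all, ashmemd)` line may also duplicate the coredomain-wide binder_call in private/coredomain.te if untrusted_app_all is coredomain; a comment either way would help.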
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index f9deff0..95affef 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -111,6 +111,7 @@
neverallow webview_zygote {
service_manager_type
-activity_service
+ -ashmem_device_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/zygote.te b/private/zygote.te
index 9bf6ef9..ccb18fe 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -100,7 +100,7 @@
# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
# sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcardfs media_rw_data_file }:dir { search mounton };
+allow zygote { sdcardfs media_rw_data_file vfat }:dir { search mounton };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
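Review bot: `vfat` is added to the `search mounton` rule without touching the comment above it, which explains only the sdcardfs/media_rw_data_file pair and cites b/123533205; a reader cannot tell whether vfat is part of the same workaround or a separate need. A line such as `# vfat: <reason> (tracked in <bug-id>)` next to the rule, or an extension of the existing comment, would keep the rationale and the rule in step.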
diff --git a/public/app.te b/public/app.te
index 75f521e..ee9b8cf 100644
--- a/public/app.te
+++ b/public/app.te
@@ -357,6 +357,8 @@
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };
+# Allow vendor apps access to ashmemd to request /dev/ashmem fds.
+binder_call({ appdomain -coredomain }, ashmemd)
###
### Neverallow rules
diff --git a/public/ashmemd.te b/public/ashmemd.te
new file mode 100644
index 0000000..542f093
--- /dev/null
+++ b/public/ashmemd.te
@@ -0,0 +1 @@
+type ashmemd, domain;
diff --git a/public/domain.te b/public/domain.te
index e086ace..265e4ab 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -64,7 +64,19 @@
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
+allow {
+ domain
+ # TODO(b/113362644): route coredomain to ashmemd
+ #-coredomain
+ -ephemeral_app
+ # TODO(b/113362644): remove open permission from these domains.
+ #-isolated_app
+ #-untrusted_app_all
+} ashmem_device:chr_file rw_file_perms;
+
+# Allow using fds to /dev/ashmem.
+allow domain ashmemd:fd use;
+
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
coredomain
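Review bot: The comment `# Allow using fds to /dev/ashmem.` undersells the rule below it: `allow domain ashmemd:fd use;` lets every domain, including vendor and isolated ones, use any fd created by ashmemd, not only ashmem fds, so it should read `# Allow all domains to use fds handed out by ashmemd (currently /dev/ashmem fds).` The allow block above mixes one live exclusion (`-ephemeral_app`) with three commented-out ones under a TODO; disabled exclusions kept as comments inside the set are easy to misread as active policy, and a single comment line stating which domains are still granted direct device access would be clearer than commented-out rule text.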
@@ -1308,7 +1320,10 @@
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0991bed..3e18b5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -232,6 +232,9 @@
vr_hwc_service
}:service_manager find;
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
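Review bot: `dontaudit dumpstate hwservice_manager_type:hwservice_manager find;` silences denials for every hwservice, and the comment `# Most of these are neverallowed.` explains the neverallow side but not why the denials are expected. Presumably the `hwservice_manager list` permission below leads dumpstate to probe each registered hwservice, producing noise; saying so, e.g. `# dumpstate lists hwservices and probes each one; most are neverallowed to it, so do not log those denials.`, would justify the broad dontaudit and make clear that denials on new hwservices are intentionally invisible here.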
diff --git a/public/e2fs.te b/public/e2fs.te
index 601af16..1a2024e 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,6 +7,7 @@
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file rw_file_perms;
allow e2fs metadata_block_device:blk_file rw_file_perms;
+allow e2fs dm_device:blk_file rw_file_perms;
allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
};
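Review bot: The new `allow e2fs dm_device:blk_file rw_file_perms;` grants `ioctl` on dm devices, but the allowxperm on the next line still lists only `{ userdata_block_device metadata_block_device }`; with no allowxperm rule for the (e2fs, dm_device, blk_file) triple, the plain ioctl permission is unrestricted rather than limited to the BLK* commands the other two targets get. If dm_device is used the same way, add it to the existing line: `allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {`.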
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
index 21c6cb6..13fb654 100644
--- a/public/hal_system_suspend.te
+++ b/public/hal_system_suspend.te
@@ -1,3 +1,4 @@
+binder_use(hal_system_suspend_server)
binder_call(hal_system_suspend_client, hal_system_suspend_server)
binder_call(hal_system_suspend_server, hal_system_suspend_client)
@@ -5,6 +6,7 @@
# system_suspend_hwservice have hal_system_suspend_client attribute. For that
# reason we don't use hal_attribute_hwservice macro here.
add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
+add_service(hal_system_suspend_server, system_suspend_control_service)
allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
allow hal_system_suspend_server sysfs_power:file rw_file_perms;
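Review bot: `add_service(hal_system_suspend_server, system_suspend_control_service)` sits under a comment that explains only the hwservice registration, so the new binder control service has no stated client set; in this change it is a plain service_manager_type (public/service.te) found only by system_server (private/system_server.te). A line such as `# Control interface over binder; only system_server is expected to find it (see private/system_server.te).` would record that intent next to the registration.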
diff --git a/public/installd.te b/public/installd.te
index ccf28ec..e767b25 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -166,4 +166,10 @@
# only system_server, installd and dumpstate may interact with installd over binder
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+neverallow installd {
+ domain
+ -ashmemd
+ -system_server
+ -servicemanager
+ userdebug_or_eng(`-su')
+}:binder call;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 2fac3e3..b525737 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -8,7 +8,7 @@
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
diff --git a/public/service.te b/public/service.te
index ad5fc0a..3d5b41c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_suspend_control_service, service_manager_type;
type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 14286c4..41df2b1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -285,6 +285,7 @@
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
neverallow vold {
domain
+ -ashmemd
-hal_health_storage_server
-hal_keymaster_server
-hal_system_suspend_server