Merge "Adding sepolicy testcase for system_ext and product." into sc-dev
diff --git a/Android.bp b/Android.bp
index 0efd0fc..3afa1d1 100644
--- a/Android.bp
+++ b/Android.bp
@@ -701,6 +701,21 @@
additional_cil_files: ["private/technical_debt.cil"],
}
+// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+se_policy_conf {
+ name: "userdebug_plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "userdebug",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "userdebug_plat_sepolicy.cil",
+ src: ":userdebug_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ debug_ramdisk: true,
+}
+
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
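Review bot: The header comment on the new module block names `userdebug_plat_policy.conf` while the module it introduces is `userdebug_plat_sepolicy.conf`; suggest `// userdebug_plat_sepolicy.conf - the userdebug version of plat_sepolicy.conf`. The Android.mk rule this replaces (removed later in this diff) also emitted a `.dontaudit` copy of the conf and ran secilc with the neverallow argument over the assembled cil; whether `se_policy_cil` performs an equivalent neverallow check is not visible here, so that is worth confirming before the Makefile rule is gone. A one-line comment on `debug_ramdisk: true` saying the cil is installed at the debug-ramdisk root (as the old `TARGET_DEBUG_RAMDISK_OUT` path was) would also help readers.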
@@ -844,6 +859,63 @@
vendor: true,
}
+soong_config_module_type {
+ name: "precompiled_sepolicy_defaults",
+ module_type: "prebuilt_defaults",
+ config_namespace: "ANDROID",
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
+}
+
+precompiled_sepolicy_defaults {
+ name: "precompiled_sepolicy",
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ },
+}
+
+//////////////////////////////////
+// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
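Review bot: The three `prebuilt_etc` digest modules are identical apart from the plat/system_ext/product stem, and their comments refer to `precompiled_policy` while the module they describe is `precompiled_sepolicy`; suggest the first read `// SHA-256 digest of plat_sepolicy.cil and plat_mapping_file, against which precompiled_sepolicy was built.` and the other two likewise. The removed Android.mk rules listed `$(built_precompiled_sepolicy)` as a prerequisite of each digest, while the `*_and_mapping.sha256_gen` genrules used as `src` here are outside this diff; it is worth confirming the digest is still regenerated in step with precompiled_sepolicy, since it is presumably what init compares at boot to decide whether the precompiled policy on vendor/odm still matches the system policy.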
diff --git a/Android.mk b/Android.mk
index 9573788..d9c5b3c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -301,6 +301,11 @@
enforce_sysprop_owner := false
endif
+enforce_debugfs_restriction := false
+ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
+ enforce_debugfs_restriction := true
+endif
+
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
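Review bot: `enforce_debugfs_restriction` is derived from `PRODUCT_SET_DEBUGFS_RESTRICTIONS` here, while the Soong side of this diff (`policy.go`) reads `BuildDebugfsRestrictionsEnabled()` and additionally returns a `cts` sentinel for the CTS policy; if Android.mk still builds a CTS conf through `transform-policy-to-conf`, that target gets only `true`/`false` in this diff, which is worth checking. A short comment would tie the two together, e.g. `# Passed to m4 as target_enforce_debugfs_restriction (see definitions.mk); mirrors the Soong BuildDebugfsRestrictionsEnabled() setting.`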
@@ -631,6 +636,7 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -648,6 +654,7 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -706,6 +713,7 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -723,6 +731,7 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -795,55 +804,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := userdebug_plat_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
-$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
-$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(userdebug_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(userdebug_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-userdebug_plat_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
-
# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
@@ -875,6 +835,7 @@
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -938,6 +899,7 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
@@ -1041,78 +1003,6 @@
#################################
#################################
-# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
include $(CLEAR_VARS)
# build this target so that we can still perform neverallow checks
@@ -1204,6 +1094,7 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
+$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy.recovery.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1441,6 +1332,7 @@
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1473,6 +1365,7 @@
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1715,6 +1608,7 @@
built_plat_sepolicy :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
+enforce_debugfs_restriction :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/apex/Android.bp b/apex/Android.bp
index 2ffaa9e..b5199f0 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -71,6 +71,13 @@
}
filegroup {
+ name: "com.android.compos-file_contexts",
+ srcs: [
+ "com.android.compos-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.conscrypt-file_contexts",
srcs: [
"com.android.conscrypt-file_contexts",
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 2533cac..d2a8626 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,7 +2,6 @@
# System files
#
(/.*)? u:object_r:system_file:s0
-/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.compos-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
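Review bot: The single entry labels every file in the com.android.compos APEX as `system_file`, so any executable it ships would presumably run in the caller's domain rather than a dedicated one; if the APEX carries daemons, they need their own `exec_type` entries here, as `com.android.art-file_contexts` has for `dex2oat_exec` and friends. If it is data-only for now, a comment makes that explicit, e.g. `# No executables yet; add exec types here when binaries are shipped in this APEX.`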
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 5cc73f9..230fdc3 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -87,15 +87,6 @@
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
-
- // TODO(b/183362912): Patch secilc to handle empty cil files.
- // Put a header so that the generated cil mustn't be empty.
- header := android.PathForModuleGen(ctx, c.Name()+"_header")
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
- rule.Build(c.Name()+"_header", "Generate cil header")
- srcPaths = append(android.Paths{header}, srcPaths...)
-
ctx.Build(pctx, android.BuildParams{
Rule: android.Cat,
Inputs: srcPaths,
diff --git a/build/soong/policy.go b/build/soong/policy.go
index d734c97..75fbdf1 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -135,6 +135,13 @@
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
}
+func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
+}
+
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
conf := android.PathForModuleOut(ctx, "conf").OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
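Review bot: `enforceDebugfsRestrictions` has no doc comment and its `"cts"` return is a sentinel rather than a boolean, so a reader of the m4 side (`target_enforce_debugfs_restriction`) has to guess what it means; suggest `// enforceDebugfsRestrictions returns the value of the m4 define target_enforce_debugfs_restriction: "cts" for the CTS policy (presumably so the neverallow check covers both settings; confirm against the macro), otherwise the device config's debugfs-restriction flag.` The name is also plural while the m4 define, the Makefile variable `enforce_debugfs_restriction` and the `enforce_debugfs_restriction`/`no_debugfs_restriction` macros are singular; following the `enforceSyspropOwner` pattern just above would be `enforceDebugfsRestriction`.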
@@ -154,6 +161,7 @@
FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+ FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
Flag("-s").
Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
Text("> ").Output(conf)
@@ -317,7 +325,12 @@
conf := android.PathForModuleSrc(ctx, *c.properties.Src)
cil := c.compileConfToCil(ctx, conf)
- c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ if c.InstallInDebugRamdisk() {
+ // for userdebug_plat_sepolicy.cil
+ c.installPath = android.PathForModuleInstall(ctx)
+ } else {
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ }
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
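Review bot: The `// for userdebug_plat_sepolicy.cil` comment names the module that takes the branch but not why its path differs; suggest `// Debug-ramdisk modules install at the ramdisk root rather than etc/selinux, matching the TARGET_DEBUG_RAMDISK_OUT path the former Android.mk rule used.` The enclosing function starts and ends outside the hunk.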
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index d7a0798..a9aed60 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -257,6 +257,10 @@
return false
}
+func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
}
diff --git a/definitions.mk b/definitions.mk
index 95f297b..63c4d94 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -15,6 +15,7 @@
-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
+ -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
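Review bot: The new `-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION)` expands to an empty value for any conf target that does not set the per-target variable, and an empty value is presumably read as not-enforced by the `enforce_debugfs_restriction` macro, so a target missed by this change would silently fail open instead of failing the build. The Android.mk and prebuilt_policy.mk hunks cover the targets visible in this diff, but not every user of `transform-policy-to-conf` is in view. Consider making the default explicit, `-D target_enforce_debugfs_restriction=$(or $(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION),false) \`, or asserting the variable is set on the target. The `define` this line belongs to starts outside the hunk.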
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
index 20ceaa7..e46f92a 100644
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@@ -61,6 +61,7 @@
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
$(1): PRIVATE_POLICY_FILES := $$(policy_files)
$(1): $$(policy_files) $$(M4)
$$(transform-policy-to-conf)
@@ -239,7 +240,7 @@
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
+ -f $(PRIVATE_PLAT_CIL_FILES) -t $@
# Line markers (denoted by ;;) are malformed after above cmd. They are only
# used for debugging, so we remove them.
$(hide) grep -v ';;' $@ > $@.tmp
diff --git a/private/apexd.te b/private/apexd.te
index 862bab9..48fbcb8 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -187,6 +187,13 @@
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
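Review bot: The new comment has two typos, `postainstall` and `otapreoprt`; suggest `# A note on otapreopt_chroot. It used to mount APEXes during the postinstall stage of A/B OTAs,` and `# ... calls into apexd to prepare /apex for otapreopt.` The `filesystem` neverallow lists `{ mount unmount }` but not `remount`; if the intent stated in the comment is that only apexd and init manage /apex mounts, it may be worth adding `remount` so another domain cannot change mount flags on `apex_mnt_dir`, unless that omission is deliberate.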
diff --git a/private/artd.te b/private/artd.te
deleted file mode 100644
index a76074b..0000000
--- a/private/artd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# art service daemon
-type artd, domain;
-type artd_exec, system_file_type, exec_type, file_type;
-
-# Allow artd to publish a binder service and make binder calls.
-binder_use(artd)
-add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
-
-typeattribute artd coredomain;
-
-init_daemon_domain(artd)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index ac3d463..9f40876 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2012,6 +2012,7 @@
(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
(typeattributeset swap_block_device_30_0 (swap_block_device))
(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics))
(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
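Review bot: The new line declares a second `typeattributeset sysfs_30_0` instead of extending the one on the line above, whereas every visible attribute in this file has a single statement; CIL unions repeated typeattributeset statements, so the result is presumably the same, but the split statement and the repeated `sysfs` member make the mapping harder to audit. Suggest replacing both lines with `(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features sysfs_fs_incfs_metrics))`.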
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 6b33e25..f7c4dd1 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,9 +17,6 @@
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
- artd
- artd_exec
- artd_service
authorization_service
bootanim_config_prop
camerax_extensions_prop
@@ -139,6 +136,7 @@
vcn_management_service
vd_device
vendor_kernel_modules
+ vendor_modprobe
vibrator_manager_service
virtualization_service
vpn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 9fe82d3..b7f4f5d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,9 +153,11 @@
# debugfs
neverallow {
coredomain
- -dumpstate
- -init
- -system_server
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
} debugfs:file no_rw_file_perms;
# tracefs
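Review bot: With the exemptions wrapped in `no_debugfs_restriction`, the enforced form of this rule becomes `neverallow coredomain debugfs:file no_rw_file_perms` with no carve-out for init even on userdebug builds, whereas the enforced rule added to `domain.te` in this diff keeps `userdebug_or_eng(`-init')` for `debugfs_type`. If coredomain being stricter than the platform-wide rule is intentional, a comment here would keep the next reader from "fixing" it, e.g. `# With debugfs restrictions enforced, no coredomain process (including init and dumpstate) may access debugfs files.`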
diff --git a/private/domain.te b/private/domain.te
index 9e2e033..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -359,7 +359,7 @@
neverallow {
domain
-apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
+ recovery_only(`-fastbootd')
-init
-kernel
-otapreopt_chroot
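Review bot: Dropping `userdebug_or_eng` from the fastbootd exemption removes fastbootd from this filesystem neverallow on user builds too, for every `fs_type` except sdcard_type and for mount, remount, relabelfrom and relabelto, while the allow added in `fastbootd.te` in this diff only needs `labeledfs:filesystem { mount unmount }` for /metadata. A neverallow exemption is a bound the CTS check no longer enforces, so consider re-asserting the narrower one inside `recovery_only`, e.g. `neverallow fastbootd { fs_type -labeledfs -sdcard_type }:filesystem { mount remount relabelfrom relabelto };` (adjusted if fastbootd genuinely needs relabel). The enclosing neverallow block continues into the next hunk.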
@@ -367,7 +367,15 @@
-update_engine
-vold
-zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+} { fs_type
+ -sdcard_type
+}:filesystem { mount remount relabelfrom relabelto };
+
+enforce_debugfs_restriction(`
+ neverallow {
+ domain userdebug_or_eng(`-init')
+ } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')
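Review bot: The new `enforce_debugfs_restriction` mount neverallow excludes `debugfs_tracing_debug` from the restricted set and exempts init on debug builds without saying why, while the file-access neverallow added at the end of this file documents its `debugfs_kcov` and `vendor_modprobe` exemptions. A comment stating the reason, along the lines of `# debugfs_tracing_debug is excluded so tracefs can still be mounted on restricted builds` (adjusted to the actual reason), would make the two rules consistent and tell an auditor what the carve-out is for.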
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
@@ -513,3 +521,21 @@
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ -vendor_modprobe
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13e3b4c..37a9a0c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -53,8 +53,15 @@
netd
}:process signal;
+userdebug_or_eng(`
+ allow dumpstate keystore:process signal;
+')
+
# For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
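Review bot: The new `userdebug_or_eng` block granting `dumpstate keystore:process signal` is unrelated to the debugfs change around it and carries no comment on which debug-build feature needs dumpstate to signal keystore, while the neighbouring rules each have a one-line rationale; suggest e.g. `# Debug builds only: dumpstate signals keystore to (reason) when collecting a bugreport.` with the real reason filled in. The grant is confined to userdebug/eng so it does not reach user builds, but an auditor of signal permissions still needs the why.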
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 98eb23c..0174faa 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -38,4 +38,7 @@
# Get fastbootd protocol property
get_prop(fastbootd, fastbootd_protocol_prop)
+
+ # Mount /metadata to interact with Virtual A/B snapshots.
+ allow fastbootd labeledfs:filesystem { mount unmount };
')
diff --git a/private/file_contexts b/private/file_contexts
index b3b7789..4a4867b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -99,7 +99,7 @@
/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
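Review bot: The new pattern `/dev/dma_heap/system-secure(.*)` uses `(.*)` where every other entry in this block uses `(/.*)?` or an exact path, so it also matches any sibling node whose name merely starts with `system-secure`; if that is intended (variant secure heaps), a comment naming the expected variants would help, e.g. `# system-secure heap and its variants (system-secure-*)`, otherwise `[^/]*` or an explicit list would be tighter. Every node this labels as `dmabuf_system_secure_heap_device` inherits whatever that type's allow rules grant, so the match set should be deliberate.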
diff --git a/private/genfs_contexts b/private/genfs_contexts
index af1b692..3499aa0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -142,6 +142,7 @@
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index a574eee..ef191a2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,7 +29,9 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index fcc8734..0e4a50e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -52,3 +52,5 @@
get_prop(mediaprovider_app, storage_config_prop)
get_prop(mediaprovider_app, drm_service_config_prop)
+
+allow mediaprovider_app gpu_device:dir search;
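Review bot: `allow mediaprovider_app gpu_device:dir search;` is added without a comment, and the same undocumented line appears in `permissioncontroller_app.te` and `mediatranscoding.te` in this diff; a one-line rationale such as `# Needed to look up nodes under the GPU device directory for (reason)` would tell an auditor what the search is for. `dir search` alone does not open the GPU nodes, but it is the first step toward them, so the reason three otherwise unrelated domains need it is worth recording once per file.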
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 7fb8029..6fe460c 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -15,3 +15,6 @@
get_prop(mediaserver, drm_service_config_prop)
get_prop(mediaserver, media_config_prop)
+
+# Allow mediaserver to start media.transcoding service via ctl.start.
+set_prop(mediaserver, ctl_mediatranscoding_prop);
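Review bot: The new `set_prop(mediaserver, ctl_mediatranscoding_prop);` ends with a semicolon, unlike the neighbouring `get_prop(...)` lines; the macro already expands to complete statements, so the trailing `;` is at best an empty statement and should be dropped: `set_prop(mediaserver, ctl_mediatranscoding_prop)`. Scoping the grant to a dedicated control property is the right shape, and the `property_contexts` entry in this diff keys it to `ctl.start$media.transcoding` only.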
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 372bde6..2a43cf9 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -39,6 +39,14 @@
# allow mediatranscoding service write permission to statsd socket
unix_socket_send(mediatranscoding, statsdw, statsd)
+# Allow mediatranscoding to access the DMA-BUF system heap
+allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow mediatranscoding gpu_device:dir search;
+
+# Allow mediatranscoding service to access media-related system properties
+get_prop(mediatranscoding, media_config_prop)
+
# mediatranscoding should never execute any executable without a
# domain transition
neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 1e6ba0f..5f81875 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -18,3 +18,5 @@
allow permissioncontroller_app incident_service:service_manager find;
binder_call(permissioncontroller_app, incidentd)
allow permissioncontroller_app incidentd:fifo_file { read write };
+
+allow permissioncontroller_app gpu_device:dir search;
diff --git a/private/property.te b/private/property.te
index 9f9ebbf..13aa7d0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -35,6 +35,7 @@
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
+system_internal_prop(ctl_mediatranscoding_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index ee4a665..74f3379 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -169,6 +169,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to starting media.transcoding.
+ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
+
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
@@ -313,8 +316,9 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
-ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
-ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
+ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
@@ -351,6 +355,7 @@
dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dexopt.secondary u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dexopt.thermal-cutoff u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.execution-mode u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.extra-opts u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.foreground-heap-growth-multiplier u:object_r:dalvik_config_prop:s0 exact string
@@ -395,6 +400,8 @@
dalvik.vm.method-trace-stream u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
@@ -436,10 +443,12 @@
ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool
ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
+ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
@@ -799,16 +808,22 @@
ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.old_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.old_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+ro.product.odm_dlkm.brand u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.device u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.model u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.name u:object_r:build_odm_prop:s0 exact string
+
+ro.odm_dlkm.build.date u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.date.utc u:object_r:build_odm_prop:s0 exact int
+ro.odm_dlkm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.id u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.tags u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.type u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.sdk u:object_r:build_odm_prop:s0 exact int
# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index 0248cb6..df5769a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,7 +51,6 @@
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
-artd u:object_r:artd_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index b7d4ae9..bb39e5b 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,10 +18,12 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/system_server.te b/private/system_server.te
index caf5208..c9f3f8e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -46,6 +46,9 @@
INCFS_IOCTL_GET_BLOCK_COUNT
};
+# For Incremental Service to check incfs metrics
+allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@@ -184,7 +187,9 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
@@ -314,6 +319,7 @@
drmserver
gpuservice
inputflinger
+ keystore
mediadrmserver
mediaextractor
mediametrics
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 2c4ee9d..730a45c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -96,6 +96,9 @@
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
+# Allow traced_probes to talk to statsd for logging metrics.
+unix_socket_send(traced_probes, statsdw, statsd)
+
###
### Neverallow rules
###
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 8878acf..da98e2e 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -10,6 +10,6 @@
# wait_for_keymaster needs to find keystore and call methods with the returned
# binder reference.
-allow wait_for_keymaster servicemanager:binder call;
+binder_use(wait_for_keymaster)
allow wait_for_keymaster keystore_service:service_manager find;
-allow wait_for_keymaster keystore:binder call;
+binder_call(wait_for_keymaster, keystore)
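Review bot: `binder_use(wait_for_keymaster)` on line 884 grants more than the single `servicemanager:binder call` rule it replaces — per the macro's definition in te_macros it also covers `transfer` and access to the binder device node — and `binder_call(wait_for_keymaster, keystore)` on line 887 likewise adds `transfer` in both directions where the old rule allowed only `call`. If the wider set is what wait_for_keymaster actually needs, the existing comment on lines 881–882 should record it so nobody later narrows the rules back, e.g. append `# binder_use/binder_call are needed because the keystore binder reference is transferred, not just called.` — only if that is in fact the reason. If only `call` was ever exercised, the two removed lines were the tighter policy.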
diff --git a/public/attributes b/public/attributes
index c5a93c9..daef4bb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -62,6 +62,9 @@
# All types use for debugfs files.
attribute debugfs_type;
+# All types used for tracefs files.
+attribute tracefs_type;
+
# Attribute used for all sdcards
attribute sdcard_type;
diff --git a/public/domain.te b/public/domain.te
index 8244b9c..d84abf1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,7 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir search;
+allow domain dmabuf_heap_device:dir r_dir_perms;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
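Review bot: Widening `dmabuf_heap_device:dir` from `search` to `r_dir_perms` on line 909 lets every domain, untrusted app domains included, enumerate the heaps under the dma-buf heap device directory, and nothing in the hunk says why the listing must be granted to `domain` rather than to the consumer that needs it. Consider a comment above the rule naming that consumer, e.g. `# r_dir_perms: <consumer> discovers available dma-buf heaps by listing the directory` with the placeholder filled in, or moving the `read` grant to that domain and leaving `search` here. The rule is self-contained, so no further context is needed.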
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 28bdb82..85a5796 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -113,10 +113,12 @@
}:file r_file_perms;
# Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
-auditallow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
-allow dumpstate debugfs_mmc:file r_file_perms;
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
# df for
allow dumpstate {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 72ba65c..e167a5e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -48,7 +48,7 @@
# libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd metadata_file:dir { search getattr mounton };
allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
allow fastbootd gsi_metadata_file_type:file create_file_perms;
@@ -97,7 +97,6 @@
vendor_file_type
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
- allow fastbootd labeledfs:filesystem { mount unmount };
# Fetch vendor_boot partition
allow fastbootd boot_block_device:blk_file r_file_perms;
')
diff --git a/public/file.te b/public/file.te
index c31bb9d..2250482 100644
--- a/public/file.te
+++ b/public/file.te
@@ -115,6 +115,7 @@
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
+type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
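Review bot: `sysfs_fs_incfs_metrics` on line 958 is a new sysfs type, but this part of the diff shows no `genfs_contexts` entry that assigns it to a path; unless that entry is elsewhere in the change, the type labels nothing and the new `allow system_server sysfs_fs_incfs_metrics:file r_file_perms;` rule in private/system_server.te is dead. Please confirm the labeling is part of the change, and consider a trailing comment on the declaration naming the path it covers, e.g. `type sysfs_fs_incfs_metrics, sysfs_type, fs_type; # <sysfs path of incfs metrics>` with the placeholder filled in, as a reader of file.te otherwise cannot tell what the type is for.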
@@ -144,14 +145,14 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
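Review bot: Each tracing type on lines 972–980 keeps `debugfs_type` while gaining `tracefs_type`, and that two-attribute scheme is what the init.te hunks rely on (exclude `debugfs_type` under `enforce_debugfs_restriction`, then re-admit the tracing types via `tracefs_type`), yet nothing in file.te explains it. A short comment above line 972 would spare the next reader the cross-file reconstruction, e.g. `# Tracing types carry both attributes: debugfs_type for existing rules, tracefs_type so rules can re-admit tracefs where debugfs access is restricted.` The same applies to `debugfs_bootreceiver_tracing` in the hunk at line 987.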
@@ -562,7 +563,7 @@
type vndservice_contexts_file, file_type;
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
diff --git a/public/init.te b/public/init.te
index 893573e..ea5a979 100644
--- a/public/init.te
+++ b/public/init.te
@@ -162,7 +162,19 @@
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
-allow init fs_type:filesystem ~relabelto;
+allow init {
+ fs_type
+ enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+ userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
@@ -228,8 +240,11 @@
-system_file_type
-vendor_file_type
-vold_data_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
allow init {
file_type
-app_data_file
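Review bot: `allow init tracefs_type:file { create_file_perms relabelfrom };` on line 1020 grants more than the tracing types lose to the `-debugfs_type` exclusion added on line 1018: the exclusion removes `{ create getattr open read write setattr relabelfrom unlink map }`, whereas `create_file_perms` (as defined in global_macros, as far as I can see) additionally carries at least rename, append, ioctl and lock. The vendor_init.te hunk at line 1130 mirrors its own exclusion set exactly (`{ open read setattr map }`), so for parity write `allow init tracefs_type:file { create getattr open read write setattr relabelfrom unlink map };`, or if the extra permissions are intended, add a comment stating which one init needs on tracefs. The enclosing `allow init { ... }:file` rule starts outside the hunk.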
@@ -278,8 +293,8 @@
-privapp_data_file
}:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -300,6 +315,7 @@
-sdcard_type
-sysfs_type
-rootfs
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
diff --git a/public/recovery.te b/public/recovery.te
index 63ba3ee..3649888 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -32,7 +32,7 @@
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery tmpfs:dir mounton;
- allow recovery fs_type:filesystem ~relabelto;
+ allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
diff --git a/public/service.te b/public/service.te
index f03bb29..5442194 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,7 +1,6 @@
type aidl_lazy_test_service, service_manager_type;
type apc_service, service_manager_type;
type apex_service, service_manager_type;
-type artd_service, service_manager_type;
type audioserver_service, service_manager_type;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -118,7 +117,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type fwk_stats_service, system_server_service, service_manager_type;
+type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
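Review bot: Adding `app_api_service` to `fwk_stats_service` on line 1070 makes the service discoverable by every app domain, untrusted apps included (that attribute is what the appdomain `service_manager find` rule keys on, if I read the platform policy correctly), and the hunk gives no rationale. A comment above the line recording why apps need direct access and where access control now lives would be appropriate, e.g. `# app_api_service: apps call the stats service directly; caller permissions are checked inside the service.` — only if that is in fact the case. Without it, the next reviewer has no way to tell a deliberate exposure from an accidental one.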
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index b7ff7a0..2ed007e 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -27,7 +27,8 @@
allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
# simpleperf_app_runner passes pipe fds.
-allow simpleperf_app_runner shell:fifo_file read;
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
# simpleperf_app_runner checks shell data paths.
# simpleperf_app_runner passes shell data fds.
diff --git a/public/te_macros b/public/te_macros
index 1ce5541..8d15d47 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -506,6 +506,23 @@
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
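Review bot: The comment on line 1106 describes `no_debugfs_restriction` as applying only to devices without restrictions, but when `target_enforce_debugfs_restriction` is `cts` both macros expand their argument — `enforce_debugfs_restriction` between the CTS markers on lines 1099–1101, and `no_debugfs_restriction` unconditionally, since its `ifelse` on line 1107 tests only for `true`. That is presumably intended so CTS builds carry both rule sets, but the comments should say so; e.g. extend line 1106 with `# In the "cts" setting both this macro and enforce_debugfs_restriction expand, so the policy carries both rule sets.` It would also help to state that an unset variable selects the no-restriction branch of both macros, since line 1102's empty final branch makes that the silent default.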
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ae523b9..7e96cb1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -79,6 +79,7 @@
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -143,8 +144,11 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
+allow vendor_init tracefs_type:file { open read setattr map };
+
allow vendor_init {
fs_type
-contextmount_type
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
new file mode 100644
index 0000000..529c4aa
--- /dev/null
+++ b/public/vendor_modprobe.te
@@ -0,0 +1 @@
+type vendor_modprobe, domain;
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 4628ecc..3f5918c 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -1,5 +1,3 @@
-type vendor_modprobe, domain;
-
# For the use of /vendor/bin/modprobe from vendor init.rc fragments
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)