Merge "MAC Anonymization: wificond SIOCSIFHWADDR sepolicy"
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a587b4d..9d173be 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -123,7 +123,10 @@
(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
(typeattributeset dalvik_prop_26_0 (dalvik_prop))
(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0 (debugfs))
+(typeattributeset debugfs_26_0
+ ( debugfs
+ debugfs_wakeup_sources
+ ))
(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
@@ -452,6 +455,7 @@
( proc
proc_abi
proc_asound
+ proc_buddyinfo
proc_cmdline
proc_dirty
proc_diskstats
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7bab012..f6889ae 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -42,6 +42,8 @@
hal_tetheroffload_hwservice
hal_usb_gadget_hwservice
hal_wifi_offload_hwservice
+ incident_helper
+ incident_helper_exec
kmsg_debug_device
last_boot_reason_prop
mediaprovider_tmpfs
diff --git a/private/domain.te b/private/domain.te
index 8a41097..dae40d2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -24,7 +24,6 @@
# /proc
neverallow {
coredomain
- -dumpstate
-vold
-vendor_init
} proc:file no_rw_file_perms;
@@ -32,7 +31,6 @@
# /sys
neverallow {
coredomain
- -dumpstate
-init
-ueventd
-vold
diff --git a/private/file_contexts b/private/file_contexts
index 2113945..9083b0c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -207,6 +207,7 @@
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/incident_helper u:object_r:incident_helper_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1fddb6e..76f5bdd 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
@@ -127,6 +128,7 @@
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
diff --git a/private/incident.te b/private/incident.te
index b910dde..2038816 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -23,3 +23,5 @@
binder_call(incident, incidentd)
allow incident incidentd:fifo_file write;
+# only allow incident being called by shell
+neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
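Review bot: The comment on L97 says only shell may call incident, but the exemption set on L98 also excludes su and incident itself, so the comment understates what the rule permits. Suggest `# Only shell and su may execute incident; incident is exempt for its own entrypoint`. The `-incident` exemption is presumably needed because the existing domain transition grants the new domain execute on its own exec type; stating that in the comment saves the next reader from wondering whether it is a gap.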
diff --git a/private/incident_helper.te b/private/incident_helper.te
new file mode 100644
index 0000000..e9bb511
--- /dev/null
+++ b/private/incident_helper.te
@@ -0,0 +1,13 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd }:fd use;
+allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
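Review bot: The rules on L113-114 grant incident_helper fd use and fifo read/write towards shell and incident, and the neverallow on L117 lets shell execute incident_helper_exec, yet the header of the new public/incident_helper.te (L323-324) states the helper "can only read/write data from/to incidentd". One side should change: either narrow the fd/fifo rules and the neverallow exemption to incidentd, or reword the public comment to name shell and incident as well. Note also that the only domain_auto_trans is from incidentd (L110); if shell executes the binary via execute_no_trans it presumably stays in the shell domain, in which case the incident_helper rules do not apply to that path at all, so a comment spelling out which caller reaches the helper in which domain would make the intended call paths reviewable.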
diff --git a/private/incidentd.te b/private/incidentd.te
index 5810d9a..b885263 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,21 +1,16 @@
typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
init_daemon_domain(incidentd)
type incidentd_exec, exec_type, file_type;
binder_use(incidentd)
wakelock_use(incidentd)
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
-
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
-allow incidentd self:global_capability_class_set {
- # Send signals to processes
- kill
-};
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
# Allow executing files on system, such as:
# /system/bin/toolbox
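Review bot: `typeattribute incidentd mlstrustedsubject;` on L124 is added with no comment, and nothing in this hunk shows which MLS-constrained object it is needed for. Since mlstrustedsubject exempts the domain from MLS constraints wholesale, it deserves a one-line justification beside it, for example `# mlstrustedsubject: needed to access objects of other-level domains (fifos/files handed over by apps) — TODO confirm which`. Replacing the kill capability with `allow incidentd incident_helper:process sigkill;` on L140 is a good narrowing; its comment reads better as `# Allow incidentd to kill incident_helper on timeout`.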
@@ -24,6 +19,22 @@
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms;
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
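Review bot: The comment on L152, `# section id 2003, allow executing top`, does not describe the rule beneath it, which only grants `{ open read }` on proc_meminfo; no execute rule for top appears in this hunk. Reword to `# section id 2003, allow reading /proc/meminfo (needed by top)`, or add the missing rule if executing top is actually intended. Separately, `{ open read }` is the one hand-spelled permission set among rules that otherwise use `r_file_perms`; unless the narrower set is deliberate, `r_file_perms` keeps the block consistent, and `sysfs_batteryinfo:dir { search };` on L159 can drop the braces around a single permission.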
@@ -33,7 +44,7 @@
# Signal java processes to dump their stack and get the results
# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:dir create_dir_perms;
# TODO allow incidentd anr_data_file:file create_file_perms;
# Signal native processes to dump their stack.
@@ -52,7 +63,7 @@
}:process signal;
# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, system_server)
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
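Review bot: The comment on L174 still says "make binder calls to any binder service", but L176 narrows the target from binderservicedomain to system_server, so the comment is now stale. Suggest `# Allow incidentd to make binder calls to system_server and to apps`, which also describes the appdomain rule on L177.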
@@ -62,7 +73,7 @@
allow incidentd shell_exec:file rx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
+userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
diff --git a/private/system_server.te b/private/system_server.te
index 2054d99..035e8f1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -135,6 +135,7 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
+allow system_server debugfs_wakeup_sources:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
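Review bot: The comment `# Read /sys/kernel/debug/wakeup_sources.` on L191 now describes the new line L193, while the broad `allow system_server debugfs:file r_file_perms;` on L192 is kept without its own justification. This commit gives wakeup_sources a dedicated label (genfs_contexts L87) precisely so access can be scoped; if wakeup_sources was the only debugfs file system_server reads, the generic debugfs:file rule should go, and if other reads remain they deserve a comment naming them so the generic rule has a stated owner. In either case move the comment to sit above L193.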
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 83c77b4..539e8bc 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -5,6 +5,6 @@
allow traceur_app debugfs_tracing:file rw_file_perms;
allow traceur_app debugfs_tracing_debug:file rw_file_perms;
allow traceur_app trace_data_file:file create_file_perms;
- allow traceur_app trace_data_file:dir { add_name search write };
+ allow traceur_app trace_data_file:dir { add_name getattr search write };
allow traceur_app atrace_exec:file rx_file_perms;
')
diff --git a/public/cameraserver.te b/public/cameraserver.te
index ebf0992..15a8244 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -53,6 +53,8 @@
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
diff --git a/public/domain.te b/public/domain.te
index cffe5cd..6a3d270 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -506,10 +506,12 @@
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } default_prop:property_service set;
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
compatible_property_only(`
+ neverallow { domain -init } default_prop:property_service set;
+ neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
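Review bot: The comment on L225-226 says "do not allow anyone but init to modify unknown properties", but the rules under it on L229-230 now also exempt vendor_init, with the init-only form retained solely inside compatible_property_only (L232-233). Update the comment so it matches both shapes, e.g. `# anyone but init (and vendor_init, when compatible properties are off) to modify unknown properties.` This relaxation is what the deny-list set_prop block added in public/vendor_init.te (L335-346) relies on, so the two hunks should be reviewed together.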
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3a9701d..5f6e5f7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -82,8 +82,14 @@
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_dm
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
@@ -113,8 +119,6 @@
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
# Reading /proc/PID/maps of other processes
allow dumpstate self:global_capability_class_set sys_ptrace;
@@ -153,15 +157,18 @@
# Read files in /proc
allow dumpstate {
+ proc_buddyinfo
proc_cmdline
proc_meminfo
+ proc_modules
proc_net
proc_pipe_conf
proc_pagetypeinfo
+ proc_qtaguid_stat
proc_version
proc_vmallocinfo
+ proc_vmstat
}:file r_file_perms;
-r_dir_file(dumpstate, proc)
# Read network state info files.
allow dumpstate net_data_file:dir search;
@@ -249,9 +256,6 @@
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
-# read default labeled files in /sys
-r_dir_file(dumpstate, sysfs)
-
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
@@ -282,7 +286,3 @@
userdebug_or_eng(`-traceur_app')
-dumpstate
} dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
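Review bot: Dropping `neverallow dumpstate sysfs:file no_w_file_perms;` on L297 removes the only dumpstate-specific guard against writing generically-labelled sysfs files. It is safe only if the domain-wide /sys neverallow in private/domain.te, whose object and permission clause lies outside the hunk at L51-58, covers sysfs:file writes now that `-dumpstate` is removed from its exemption list (L55); that coverage cannot be confirmed from this diff. If it does not, keep the rule here; if it does, a short note in the commit message saying the guard moved to domain.te would make the removal self-explaining.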
diff --git a/public/file.te b/public/file.te
index 91796c0..c6b2a79 100644
--- a/public/file.te
+++ b/public/file.te
@@ -16,6 +16,7 @@
type proc_bluetooth_writable, fs_type;
type proc_abi, fs_type;
type proc_asound, fs_type;
+type proc_buddyinfo, fs_type;
type proc_cmdline, fs_type;
type proc_cpuinfo, fs_type;
type proc_dirty, fs_type;
@@ -111,6 +112,7 @@
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
diff --git a/public/incident_helper.te b/public/incident_helper.te
new file mode 100644
index 0000000..bca1018
--- /dev/null
+++ b/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 01e30a8..b1efe1d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -218,6 +218,19 @@
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -restorecon_prop
+ -netd_stable_secret_prop
+ -firstboot_prop
+ -pm_prop
+ -system_boot_reason_prop
+ -bootloader_boot_reason_prop
+ -last_boot_reason_prop
+ })
+')
+
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
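Review bot: The `set_prop(vendor_init, { property_type -restorecon_prop ... })` block on L335-346 is a deny-list: every property type that exists or is added later becomes settable by vendor_init unless someone remembers to subtract it here. A comment stating that invariant, e.g. `# Deny-list: any property_type not subtracted here is settable by vendor_init; add new sensitive types here`, would keep future additions honest, and an allow-list would be the safer shape if the set of vendor-writable properties is known. The exemptions added to the default_prop/mmc_prop neverallows in public/domain.te (L229-230) are what make this block admissible.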