Merge "Allow lazy wifi HAL to run"
diff --git a/Android.mk b/Android.mk
index 7b39fc1..df4a004 100644
--- a/Android.mk
+++ b/Android.mk
@@ -173,6 +173,19 @@
 SHAREDLIB_EXT=so
 endif
 
+# Convert a file_context file for a non-flattened APEX into a file for
+# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
+# $(1): path to the input file_contexts file for non-flattened APEX
+# $(2): name of the APEX
+# $(3): path to the generated file_contexs file for flattened APEX
+# $(4): variable where $(3) is added to
+define build_flattened_apex_file_contexts
+$(4) += $(3)
+$(3): PRIVATE_APEX_PATH := /system/apex/$(subst .,\\.,$(2))
+$(3): $(1)
+	$(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
+endef
+
 #################################
 
 include $(CLEAR_VARS)
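Review bot: The recipe on L20 writes straight to `$$@` through a shell redirect, so a failing awk, or a missing `$(intermediates)` directory, leaves an empty or absent output that can still satisfy the `$(3)` rule on the next run. Most recipes in this tree create the output directory first and write atomically; adding `$(hide) mkdir -p $$(dir $$@)` as a first recipe line and ending the awk line with `$$< > $$@.tmp && mv -f $$@.tmp $$@` would close both gaps. The `$(subst .,\\.,$(2))` on L18 escapes only the dots of the APEX name for the file_contexts regex and appears to rely on awk collapsing `\\` to `\` inside the double-quoted printf format; that is worth stating in the header comment, which also has "file_contexs" for "file_contexts" on L14.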
@@ -1029,6 +1042,14 @@
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
+ifeq ($(TARGET_FLATTEN_APEX),true)
+  apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
+  $(foreach _input,$(apex_fc_files),\
+    $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
+    $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+    $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
+   )
+endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
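Review bot: The `$(foreach ...)`/`$(eval ...)` loop on L31-L36 is duplicated verbatim in the file_contexts.mk hunk ending at L57, and in both places the `$(eval ...)` assignments leave `apex_fc_files`, `_output` and `_apex_name` defined as global make variables after the loop, where any module evaluated later in the same make run can see them. Factoring the loop into a second `define` next to `build_flattened_apex_file_contexts` (or a shared .mk both files include) and resetting the scratch variables afterwards, e.g. `_output :=` and `_apex_name :=`, would remove the duplication and the leak. Whether any later module actually reads these names is not visible from this diff.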
diff --git a/file_contexts.mk b/file_contexts.mk
index 58ecd87..267b68f 100644
--- a/file_contexts.mk
+++ b/file_contexts.mk
@@ -14,6 +14,14 @@
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
+ifeq ($(TARGET_FLATTEN_APEX),true)
+  apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
+  $(foreach _input,$(apex_fc_files),\
+    $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
+    $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+    $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
+   )
+endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
diff --git a/private/app.te b/private/app.te
index 4e433eb..1ef415a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,15 +1,3 @@
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Read from (but not create) system_server buffers transferred through
-# ashmem, e.g. battery stats.
-allow appdomain system_server_tmpfs:file read;
-
-# Get info from priv_app through ashmem, such as contact
-# info etc.
-allow appdomain priv_app_tmpfs:file read;
-
 # Allow apps to read the Test Harness Mode property. This property is used in
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
diff --git a/private/cameraserver.te b/private/cameraserver.te
index c16c132..ef44bfa 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,4 @@
 typeattribute cameraserver coredomain;
 
 init_daemon_domain(cameraserver)
+tmpfs_domain(cameraserver)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d43705f..42f18a0 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -7,8 +7,6 @@
   ( new_objects
     activity_task_service
     adb_service
-    app_binding_service
-    app_prediction_service
     apex_data_file
     apex_mnt_dir
     apex_key_file
@@ -17,12 +15,14 @@
     apexd_exec
     apexd_prop
     apexd_tmpfs
+    appdomain_tmpfs
+    app_binding_service
+    app_prediction_service
     app_zygote
     app_zygote_tmpfs
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service
-    cameraserver_data_file
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
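Review bot: `cameraserver_data_file` is dropped from `new_objects` on L114 because its type is deleted in public/file.te at L581, but `network_stack_tmpfs` stays listed at L137 although its type is deleted the same way in public/network_stack.te at L689, so the two removals are treated inconsistently; presumably L137 should be removed as well. The change also deletes fourteen other `*_tmpfs` types that were present in the 28.0 policy (bluetooth_tmpfs at L495 through system_app_tmpfs at L847) and touches only this ignore list, so unless 28.0.cil, which is not in this diff, already maps each of them onto a surviving type such as appdomain_tmpfs, a 28.0 vendor policy referencing one of them would no longer resolve and that mapping needs to land in the same change. The `appdomain_tmpfs` and `hal_graphics_composer_server_tmpfs` additions to `new_objects` match the types introduced in public/app.te and public/hal_graphics_composer.te.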
@@ -32,7 +32,9 @@
     device_config_input_native_boot_prop
     device_config_netd_native_prop
     device_config_reset_performed_prop
+    device_config_runtime_native_prop
     device_config_service
+    dynamic_android_service
     face_service
     face_vendor_data_file
     fastbootd
@@ -47,6 +49,7 @@
     external_vibrator_service
     hal_atrace_hwservice
     hal_face_hwservice
+    hal_graphics_composer_server_tmpfs
     hal_health_storage_hwservice
     hal_input_classifier_hwservice
     hal_power_stats_hwservice
@@ -81,6 +84,7 @@
     network_stack_tmpfs
     overlayfs_file
     permissionmgr_service
+    postinstall_apex_mnt_dir
     recovery_socket
     role_service
     rs
diff --git a/private/coredomain.te b/private/coredomain.te
index db62cb9..9899d02 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -90,6 +90,7 @@
   # /proc
   neverallow {
     coredomain
+    -init
     -vold
   } proc:file no_rw_file_perms;
 
diff --git a/private/file_contexts b/private/file_contexts
index af9572d..d206f2d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -28,6 +28,7 @@
 /config             u:object_r:rootfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
@@ -39,6 +40,10 @@
 /etc                u:object_r:rootfs:s0
 /sdcard             u:object_r:rootfs:s0
 
+/bionic(/.*)?           u:object_r:system_file:s0
+/bionic/lib(64)?(/.*)?  u:object_r:system_lib_file:s0
+/bionic/bin/linker(64)? u:object_r:system_linker_exec:s0
+
 # SELinux policy files
 /vendor_file_contexts   u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
@@ -250,6 +255,7 @@
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
@@ -456,7 +462,6 @@
 /data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
-/data/misc/cameraserver(/.*)?   u:object_r:cameraserver_data_file:s0
 /data/misc/carrierid(/.*)?      u:object_r:radio_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/dhcp-6\.8\.2(/.*)?     u:object_r:dhcp_data_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 207e652..859293d 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -14,6 +14,7 @@
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
+android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory   u:object_r:hal_audio_hwservice:s0
 android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadio                u:object_r:hal_broadcastradio_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_broadcastradio_hwservice:s0
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index eb90cdc..2e654d6 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -2,3 +2,6 @@
 
 init_daemon_domain(mediaextractor)
 tmpfs_domain(mediaextractor)
+allow mediaextractor appdomain_tmpfs:file { getattr map read write };
+allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
+allow mediaextractor system_server_tmpfs:file { getattr map read write };
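Review bot: The three rules on L215-L217 give mediaextractor `write` on appdomain_tmpfs, mediaserver_tmpfs and system_server_tmpfs without a comment, while every other rule in this file is introduced by one, and write access from a domain that parses untrusted media into memory owned by apps and system_server is the kind of grant a later reader will question. Presumably these are shared-memory buffers handed over by fd and the extractor writes its output into them; if so, a line above L215 such as `# Write extracted data into shared-memory buffers passed by fd from apps, mediaserver and system_server.` records that, and if only some of the three actually need write the others can be trimmed to `{ getattr map read }`. The reason cannot be confirmed from this hunk.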
diff --git a/private/mls b/private/mls
index 421b046..9690440 100644
--- a/private/mls
+++ b/private/mls
@@ -57,14 +57,14 @@
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
 	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file sock_file } { open setattr unlink link rename }
-	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
 # For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
 mlsconstrain { lnk_file } { open setattr unlink link rename read }
 	     ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
 # For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
 # TODO: Migrate to equivalence when it's no longer needed.
 mlsconstrain { lnk_file } { open setattr unlink link rename read }
-	     ( (t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
 
 #
 # Constraints for file types other than app data files.
@@ -76,7 +76,7 @@
 	     (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
@@ -84,7 +84,7 @@
 	     (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/netd.te b/private/netd.te
index 92b124f..0421d4a 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -16,3 +16,7 @@
 
 # Allow netd to write to statsd.
 unix_socket_send(netd, statsdw, statsd)
+
+# Allow netd to send callbacks to network_stack
+binder_call(netd, network_stack)
+
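Review bot: L268 adds an empty line after the new `binder_call(netd, network_stack)` rule, so private/netd.te now ends with a blank line while the other policy files in this change end on a rule or comment. Dropping the trailing `+` line keeps the file consistent and avoids a whitespace-only diff the next time someone edits it. The rule itself is paired with the matching exception in the public/netd.te neverallow at L678.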
diff --git a/private/network_stack.te b/private/network_stack.te
index 9d2f2fb..4b88756 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -17,6 +17,9 @@
 # The DhcpClient uses packet_sockets
 allow network_stack self:packet_socket create_socket_perms_no_ioctl;
 
+# Monitor neighbors via netlink.
+allow network_stack self:netlink_route_socket nlmsg_write;
+
 allow network_stack app_api_service:service_manager find;
 allow network_stack netd_service:service_manager find;
 allow network_stack radio_service:service_manager find;
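Review bot: The comment on L277 describes the new rule as monitoring neighbours, but `nlmsg_write` on L278 is the permission for mutating netlink-route state (RTM_NEW*/RTM_DEL*/RTM_SET* messages); dump requests such as RTM_GETNEIGH are covered by `nlmsg_read`. If the neighbour-monitoring code only reads the neighbour table, `nlmsg_read` is the narrower grant; if it sends RTM_NEWNEIGH to probe or pin entries, the comment should say so, e.g. `# Monitor and probe neighbors via netlink route sockets (RTM_NEWNEIGH needs nlmsg_write).` Which case applies is not visible from this hunk.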
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 608ed9e..aea2faa 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -23,10 +23,14 @@
 
 # Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
 allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir mounton;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
 
 # Allow otapreopt_chroot to access /dev/block (needed to detach loop
 # devices used by ext4 images from APEX packages).
diff --git a/private/platform_app.te b/private/platform_app.te
index 1ee65d3..7e190c9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -84,6 +84,9 @@
 # allow platform apps to connect to the property service
 set_prop(platform_app, test_boot_reason_prop)
 
+# allow platform apps to create symbolic link
+allow platform_app app_data_file:lnk_file create_file_perms;
+
 ###
 ### Neverallow rules
 ###
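Review bot: The rule on L314 lets platform_app create symlinks inside app_data_file with only `# allow platform apps to create symbolic link` as justification, whereas the surrounding rules in this file tie each grant to a feature or property. Symlinks in app data directories are what the lnk_file mlsconstrain rules in private/mls exist to police, so the comment should name the consumer, e.g. `# allow platform apps to create symbolic links in their own data dir (<bug id>)` with the real reference filled in. `create_file_perms` also carries write, rename, setattr and unlink; whether the caller needs more than `create` cannot be judged from this hunk.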
diff --git a/private/property_contexts b/private/property_contexts
index 3296a04..74134ac 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -172,6 +172,7 @@
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
 persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
 persist.device_config.netd_native.           u:object_r:device_config_netd_native_prop:s0
+persist.device_config.runtime_native.        u:object_r:device_config_runtime_native_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
 persist.apexd.          u:object_r:apexd_prop:s0
diff --git a/private/runas_app.te b/private/runas_app.te
index 638702c..525aea1 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -14,4 +14,4 @@
 r_dir_file(runas_app, untrusted_app_all)
 
 # Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process ptrace;
+allow runas_app untrusted_app_all:process { ptrace signal sigstop };
diff --git a/private/service.te b/private/service.te
index 84e524d..89664e4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 82abfbc..965304c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -57,6 +57,7 @@
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
+dynamic_android                           u:object_r:dynamic_android_service:s0
 econtroller                               u:object_r:radio_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 36e784f..b1aa775 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -4,6 +4,7 @@
 
 type surfaceflinger_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
+tmpfs_domain(surfaceflinger)
 
 typeattribute surfaceflinger mlstrustedsubject;
 typeattribute surfaceflinger display_service_server;
@@ -13,6 +14,7 @@
 # Perform HwBinder IPC.
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
+typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_server.te b/private/system_server.te
index 6fa2ae6..2a79460 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -13,6 +13,7 @@
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
 allow system_server zygote_tmpfs:file read;
+allow system_server appdomain_tmpfs:file { getattr map read write };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -585,6 +586,7 @@
 set_prop(system_server, device_config_input_native_boot_prop)
 set_prop(system_server, device_config_netd_native_prop)
 set_prop(system_server, device_config_activity_manager_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -680,9 +682,10 @@
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server gpu_service:service_manager find;
+allow system_server gsi_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
 allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
@@ -947,6 +950,7 @@
   device_config_activity_manager_native_boot_prop
   device_config_input_native_boot_prop
   device_config_netd_native_prop
+  device_config_runtime_native_prop
 }:property_service set;
 
 # system_server should never be executing dex2oat. This is either
diff --git a/private/traced.te b/private/traced.te
index fb8465c..a3c5d8b 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -23,6 +23,7 @@
 # directly into that (rather than returning the trace contents over the socket).
 allow traced perfetto:fd use;
 allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
 allow traced perfetto_traces_data_file:file { read write };
 
 # Allow traceur to pass open file descriptors to traced, so traced can directly
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 712a360..2c44627 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -112,6 +112,10 @@
 # b/123297648
 allow untrusted_app_all runas_app:unix_stream_socket connectto;
 
+# Untrusted apps need to be able to send a SIGCHLD to runas_app
+# when running under a debugger (b/123612207)
+allow untrusted_app_all runas_app:process sigchld;
+
 # Cts: HwRngTest
 allow untrusted_app_all sysfs_hwrandom:dir search;
 allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index e23f36e..9f8a348 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -126,6 +126,9 @@
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
+# Allow the zygote to access the runtime feature flag properties.
+get_prop(zygote, device_config_runtime_native_prop)
+
 # ingore spurious denials
 dontaudit zygote self:global_capability_class_set sys_resource;
 
diff --git a/public/app.te b/public/app.te
index 18603b6..75f521e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -6,6 +6,7 @@
 ### extend from this policy. Only policies which should apply to ALL
 ### zygote spawned apps should be added here.
 ###
+type appdomain_tmpfs, file_type;
 
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
@@ -351,6 +352,12 @@
 # Read access to FDs from the DropboxManagerService.
 allow appdomain dropbox_data_file:file { getattr read };
 
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
+
 ###
 ### Neverallow rules
 ###
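Review bot: The comment on L479 says `Read tmpfs types from these processes`, but L480 and L481 grant `write` as well, and for system_server_tmpfs this widens what the removed private/app.te rule at L71 allowed, which was `read` only under a comment that explicitly said "Read from (but not create) system_server buffers". The comment should describe the actual grant and why apps now need write access to system_server-owned shared memory, e.g. `# Read and write shared-memory buffers passed by fd from these processes; write is needed for <reason>.` with the reason filled in. L483-L484 also leave two consecutive blank lines before the neverallow header where one is used elsewhere in the file.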
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 28a169f..9b3442a 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,3 +1,2 @@
 # bluetooth subsystem
 type bluetooth, domain;
-type bluetooth_tmpfs, file_type;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index fee4bdb..f4eed48 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -1,6 +1,7 @@
 # cameraserver - camera daemon
 type cameraserver, domain;
 type cameraserver_exec, system_file_type, exec_type, file_type;
+type cameraserver_tmpfs, file_type;
 
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
@@ -62,11 +63,6 @@
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 
-userdebug_or_eng(`
-  allow cameraserver cameraserver_data_file:dir { add_name write search remove_name };
-  allow cameraserver cameraserver_data_file:file { create write open read unlink };
-')
-
 # Allow shell commands from ADB for CTS testing/dumping
 userdebug_or_eng(`
   allow cameraserver su:fd use;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 7ae1b34..1ea0420 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -53,7 +53,7 @@
 allow dex2oat postinstall_file:file { execute getattr open };
 
 # Allow dex2oat access to /postinstall/apex.
-allow dex2oat tmpfs:dir search;
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 1816c81..03e745c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -125,6 +125,9 @@
 allow domain system_linker_exec:file { execute read open getattr map };
 allow domain system_linker_config_file:file r_file_perms;
 allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
 
 allow domain system_event_log_tags_file:file r_file_perms;
 
@@ -1253,6 +1256,7 @@
   -dumpstate
   -init
   -installd
+  -simpleperf_app_runner
   -system_server # why?
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:dir { open search };
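Review bot: `-simpleperf_app_runner` on L551 joins a neverallow exclusion list without a justification, while the neighbouring entries carry one (`-system_server # why?`, the userdebug_or_eng guard on L553). The grant it enables is in the simpleperf_app_runner.te hunk ending at L818, whose comments say the runner checks shell data paths and passes shell data fds, so `-simpleperf_app_runner # checks shell data paths, see simpleperf_app_runner.te` would let a reader of domain.te understand the exemption without opening the other file. The subject set of this neverallow begins before the hunk.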
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 5993c0b..dc39a22 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -12,4 +12,3 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 type ephemeral_app, domain;
-type ephemeral_app_tmpfs, file_type;
diff --git a/public/file.te b/public/file.te
index e0f67a4..a264c91 100644
--- a/public/file.te
+++ b/public/file.te
@@ -281,6 +281,8 @@
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
 type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
@@ -291,7 +293,6 @@
 type bootstat_data_file, file_type, data_file_type, core_data_file_type;
 type boottrace_data_file, file_type, data_file_type, core_data_file_type;
 type camera_data_file, file_type, data_file_type, core_data_file_type;
-type cameraserver_data_file, file_type, data_file_type, core_data_file_type;
 type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
 type incident_data_file, file_type, data_file_type, core_data_file_type;
 type keychain_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 835a82a..b189b0a 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -4,6 +4,7 @@
 
 set_prop(flags_health_check, device_config_boot_count_prop)
 set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
 set_prop(flags_health_check, device_config_input_native_boot_prop)
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index e10daf9..cb4a130 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,6 +1,12 @@
+type hal_graphics_composer_server_tmpfs, file_type;
+attribute hal_graphics_composer_client_tmpfs;
+expandattribute hal_graphics_composer_client_tmpfs true;
+
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
 binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
+allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
 
 hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
 
diff --git a/public/init.te b/public/init.te
index 63edb20..a089c8c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -70,6 +70,9 @@
 # Call mount(2).
 allow init self:global_capability_class_set sys_admin;
 
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
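Review bot: `# Call setns(2).` on L622 does not say why setns needs CAP_SYS_CHROOT on top of the CAP_SYS_ADMIN init already holds (L620). setns(2) requires CAP_SYS_CHROOT in addition to CAP_SYS_ADMIN only when the target is a mount namespace, so if that is the use here the comment should state it, e.g. `# Call setns(2) to enter a mount namespace, which needs CAP_SYS_CHROOT as well as CAP_SYS_ADMIN.`; if another namespace type is involved, the actual reason for sys_chroot belongs in the comment instead. sys_chroot also permits chroot(2) itself, which is more than the current comment conveys.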
@@ -84,8 +87,14 @@
 # Mount tmpfs on /apex
 allow init apex_mnt_dir:dir mounton;
 
+# Mount Bionic libraries and dynamic linkers
 allow init system_lib_file:file mounton;
 allow init system_linker_exec:file mounton;
+# The mount points under /bionic are rootfs in recovery mode. Init should
+# be able to bind-mount the bootstrap Bionic to the mount points.
+recovery_only(`
+  allow init rootfs:file mounton;
+')
 
 # Create and remove symlinks in /.
 allow init rootfs:lnk_file { create unlink };
@@ -304,6 +313,7 @@
 ')
 
 allow init {
+  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
   proc_cmdline
   proc_diskstats
   proc_kmsg # Open /proc/kmsg for logd service.
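Review bot: L647 adds the generic `proc` type to an init allow list whose object class and permission set lie outside the hunk, so the breadth of the grant cannot be judged here; if it is the `file` class with read/write permissions, it is exactly what the private/coredomain.te hunk at L152 now exempts init from in the proc:file neverallow. That `-init` exclusion carries no comment of its own; giving it the same reference as L647, `-init # b/67049235: /proc/<pid>/* files are mislabeled as proc`, keeps the two halves of the exception traceable to each other. When the mislabeling is fixed, both lines can then be removed together.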
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 584d743..a907dac 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -7,4 +7,3 @@
 ###
 
 type isolated_app, domain;
-type isolated_app_tmpfs, file_type;
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
index 90eb053..24170a5 100644
--- a/public/mediaprovider.te
+++ b/public/mediaprovider.te
@@ -4,4 +4,3 @@
 ###
 
 type mediaprovider, domain;
-type mediaprovider_tmpfs, file_type;
diff --git a/public/netd.te b/public/netd.te
index 72d8483..a3e6464 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -144,7 +144,7 @@
 
 # apps may not interact with netd over binder.
 neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.
diff --git a/public/network_stack.te b/public/network_stack.te
index 61a40b0..feff664 100644
--- a/public/network_stack.te
+++ b/public/network_stack.te
@@ -1,3 +1,2 @@
 # Network stack service app
 type network_stack, domain;
-type network_stack_tmpfs, file_type;
diff --git a/public/nfc.te b/public/nfc.te
index 5c1aa24..e3a03e7 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,3 +1,2 @@
 # nfc subsystem
 type nfc, domain;
-type nfc_tmpfs, file_type;
diff --git a/public/platform_app.te b/public/platform_app.te
index b7d783d..9b1faf0 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,4 +3,3 @@
 ###
 
 type platform_app, domain;
-type platform_app_tmpfs, file_type;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 46a02dd..2fac3e3 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -13,8 +13,8 @@
 allow postinstall_dexopt proc_filesystems:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
-# Read data from /postinstall/apex.
-allow postinstall_dexopt tmpfs:dir { read search };
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
 
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
 # here and having to relabel the directory.
diff --git a/public/priv_app.te b/public/priv_app.te
index 7c7dd12..0761fc3 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -3,4 +3,3 @@
 ###
 
 type priv_app, domain;
-type priv_app_tmpfs, file_type;
diff --git a/public/property.te b/public/property.te
index 379c4d3..ffd8d95 100644
--- a/public/property.te
+++ b/public/property.te
@@ -33,6 +33,7 @@
 type device_config_reset_performed_prop, property_type;
 type device_config_input_native_boot_prop, property_type;
 type device_config_netd_native_prop, property_type;
+type device_config_runtime_native_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -405,6 +406,7 @@
     -device_config_boot_count_prop
     -device_config_input_native_boot_prop
     -device_config_netd_native_prop
+    -device_config_runtime_native_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
     -hwservicemanager_prop
diff --git a/public/radio.te b/public/radio.te
index bbaa752..8a8bef3 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,6 +1,5 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
-type radio_tmpfs, file_type;
 
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/public/runas_app.te b/public/runas_app.te
index ff03940..cdaa799 100644
--- a/public/runas_app.te
+++ b/public/runas_app.te
@@ -1,2 +1 @@
 type runas_app, domain;
-type runas_app_tmpfs, file_type;
diff --git a/public/secure_element.te b/public/secure_element.te
index 985c66d..4ce6714 100644
--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -1,3 +1,2 @@
 # secure_element subsystem
 type secure_element, domain;
-type secure_element_tmpfs, file_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 422a375..8e58e42 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,6 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
-type shared_relro_tmpfs, file_type;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/shell.te b/public/shell.te
index 1c30d7a..7201df0 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,7 +1,6 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
-type shell_tmpfs, file_type;
 
 # Create and use network sockets.
 net_domain(shell)
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index cabf04b..9f8e6e4 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -25,6 +25,14 @@
 # determine which domain to transition to.
 allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
 
+# simpleperf_app_runner passes pipe fds.
+allow simpleperf_app_runner shell:fifo_file read;
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
 ###
 ### neverallow rules
 ###
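Review bot: The new `shell_data_file:file { getattr write }` rule at the end of the added block omits `open`, which is what confines it to descriptors simpleperf_app_runner already holds (the "passes shell data fds" case) rather than any file under shell's data directory, but nothing in the comments says the omission is deliberate, so a later maintainer may widen it to `rw_file_perms` while chasing a denial. I would state the intent above the file rule, `# No open: only fds already opened by shell may be written.`, and the same for the pipe rule, `# No open: read only on pipe fds inherited from shell.`. That the fds always originate from shell is taken from the comments, not visible here.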
diff --git a/public/su.te b/public/su.te
index 41ae4ef..e09248b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,7 +1,6 @@
 # All types must be defined regardless of build variant to ensure
 # policy compilation succeeds with userdebug/user combination at boot
 type su, domain;
-type su_tmpfs, file_type;
 
 # File types must be defined for file_contexts.
 type su_exec, system_file_type, exec_type, file_type;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index ae00287..c1e4844 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -1,2 +1,3 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
+type surfaceflinger_tmpfs, file_type;
diff --git a/public/system_app.te b/public/system_app.te
index da781bc..023058e 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -5,4 +5,3 @@
 ###
 
 type system_app, domain;
-type system_app_tmpfs, file_type;
diff --git a/public/system_server.te b/public/system_server.te
index aa9c6c1..ff18bdf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -3,4 +3,4 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain;
-type system_server_tmpfs, file_type;
+type system_server_tmpfs, file_type, mlstrustedobject;
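Review bot: Adding `mlstrustedobject` to system_server_tmpfs exempts this type from MLS level checks, so any domain whose TE rules allow it can reach system_server's tmpfs/ashmem objects regardless of the MLS categories it runs under, and the one-line change carries no comment recording why the exemption is needed. I would add above the type line `# mlstrustedobject: system_server hands tmpfs/ashmem fds to processes at other MLS levels; access is gated by TE rules only.` The reason is inferred from the change itself, so confirm it against the change's rationale before committing that wording.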
diff --git a/public/te_macros b/public/te_macros
index 4195b88..6541525 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -168,10 +168,9 @@
 # Allow a base set of permissions required for all apps.
 define(`app_domain', `
 typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
 neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity
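Review bot: Replacing the per-domain `$1_tmpfs` type with the single `appdomain_tmpfs` label means tmpfs/ashmem objects created by every app domain now carry the same type, so type enforcement no longer tells one app domain's tmpfs objects from another's and separation rests on DAC, fd passing and MLS categories, yet the replacement comment `# Label tmpfs objects for all apps.` gives no hint of that trade-off. The `execute` permission is likewise now granted on any appdomain_tmpfs file an app can obtain a descriptor for, not only on its own objects as before. I would expand the comment to say that all app domains share this label and to name the mechanism that keeps apps' tmpfs objects apart, and mention where `appdomain_tmpfs` is declared, since the declaration is not in this hunk. Whether the rationale is recorded elsewhere in the change is not visible here, and the app_domain macro body continues beyond the end of the hunk.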
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 3396570..0bce885 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,5 +1,4 @@
 type traceur_app, domain;
-type traceur_app_tmpfs, file_type;
 
 allow traceur_app servicemanager:service_manager list;
 allow traceur_app hwservicemanager:hwservice_manager list;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 3843f55..5289bf9 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -19,6 +19,3 @@
 type untrusted_app, domain;
 type untrusted_app_27, domain;
 type untrusted_app_25, domain;
-type untrusted_app_tmpfs, file_type;
-type untrusted_app_27_tmpfs, file_type;
-type untrusted_app_25_tmpfs, file_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index d9dc72f..94f6a25 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -179,6 +179,7 @@
       -device_config_reset_performed_prop
       -device_config_input_native_boot_prop
       -device_config_netd_native_prop
+      -device_config_runtime_native_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 72d781d..7dcd2b2 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -3,6 +3,8 @@
 
 type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
+type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
+allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
 
 # b/68864350
 dontaudit hal_graphics_composer_default unlabeled:dir search;
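Review bot: The added `type_transition` plus `allow … tmpfs:file { getattr map read write }` pair hand-writes the same pattern the app_domain macro in te_macros now spells out for appdomain_tmpfs, so the permission set is duplicated in two places and can drift; a two-argument macro taking the domain and the tmpfs type, used here as `shared_tmpfs_domain(hal_graphics_composer_default, hal_graphics_composer_server_tmpfs)`, would keep that set in one place. Also, `hal_graphics_composer_server_tmpfs` is not declared in this hunk, and a reader of vendor policy has to guess where it lives; a one-line comment above the type_transition such as `# hal_graphics_composer_server_tmpfs is declared in public policy and shared by composer HAL servers.` would settle that. Which file declares the type is not visible here, so verify before wording the comment that way.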