Merge "Gives recovery-persist access to /cache/recovery"
diff --git a/private/access_vectors b/private/access_vectors
index 898c884..57ab3a8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -330,6 +330,11 @@
 	getrlimit
 }
 
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
 
 #
 # Define the access vector interpretation for ipc-related objects
diff --git a/private/app.te b/private/app.te
index f3e1e2a..d739239 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,10 @@
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
 
+# Read from (but not create) system_server buffers transferred through
+# ashmem, e.g. battery stats.
+allow appdomain system_server_tmpfs:file read;
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
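Review bot: The new `allow appdomain system_server_tmpfs:file read;` grants read on every system_server_tmpfs file to all apps, including untrusted ones, and the comment's "but not create" is not backed by any assertion in this hunk. If the intent really is read-only access to ashmem buffers handed over by system_server, a neverallow makes that enforceable, e.g. `neverallow appdomain system_server_tmpfs:file ~read;`, assuming no app domain is already granted more on this type elsewhere. The comment could then state the contract directly: `# Read-only: apps must never get write or execute on these buffers.`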
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c2ef14c..1c1deb0 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -266,7 +266,10 @@
 # Untrusted apps are not allowed to find mediaextractor update service.
 neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
 
-# Untrusted apps are not allowed to use the signature|privileged|development
-# android.permission.READ_LOGS permission, so they may not read dropbox files.
-# Access to the the dropbox directory is covered by a neverallow for domain.
-neverallow all_untrusted_apps dropbox_data_file:file *;
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
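Review bot: Dropping `neverallow all_untrusted_apps dropbox_data_file:file *;` leaves untrusted apps with no policy-level bound on dropbox files now that the public/app.te hunk adds `allow appdomain dropbox_data_file:file { getattr read };` for every app domain, and the removed comment tying this to the READ_LOGS permission is not carried over to the new allow. Suggest keeping a narrower assertion here, `neverallow all_untrusted_apps dropbox_data_file:file ~{ getattr read };`, so any future widening of the appdomain grant still trips for untrusted apps. Next to the new allow in public/app.te, restate why this is acceptable: apps only receive already-open descriptors from DropboxManagerService, since neither `open` nor directory search on dropbox_data_file is granted. The same point applies to the public/app.te hunk.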
diff --git a/private/atrace.te b/private/atrace.te
index 630935d..1b86d3e 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -22,6 +22,8 @@
 binder_use(atrace)
 allow atrace healthd:binder call;
 allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
 get_prop(atrace, hwservicemanager_prop)
 
 allow atrace {
diff --git a/private/bpfloader.te b/private/bpfloader.te
index bcfbf39..0b33811 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -19,7 +19,11 @@
 allow bpfloader netd:bpf { map_read map_write };
 allow bpfloader self:bpf { prog_load prog_run };
 
-# Neverallow rules
+dontaudit bpfloader self:global_capability_class_set sys_admin;
+
+###
+### Neverallow rules
+###
 neverallow { domain -bpfloader } *:bpf prog_load;
 neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
@@ -27,4 +31,5 @@
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
 
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+# No domain should be allowed to ptrace bpfloader
+neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/private/bug_map b/private/bug_map
index 523db53..4235591 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,8 +1,4 @@
 cppreopts cppreopts capability 79414024
-dexoptanalyzer apk_data_file file 77853712
-dexoptanalyzer app_data_file file 77853712
-dexoptanalyzer app_data_file lnk_file 77853712
-dexoptanalyzer system_data_file lnk_file 77853712
 dnsmasq netd fifo_file 77868789
 dnsmasq netd unix_stream_socket 77868789
 init app_data_file file 77873135
@@ -24,17 +20,8 @@
 netd untrusted_app unix_stream_socket 77870037
 netd untrusted_app_25 unix_stream_socket 77870037
 netd untrusted_app_27 unix_stream_socket 77870037
-otapreopt_chroot postinstall_file lnk_file 75287236
 platform_app nfc_data_file dir 74331887
-postinstall postinstall capability 77958490
-postinstall_dexopt postinstall_dexopt capability 77958490
-postinstall_dexopt user_profile_data_file file 77958490
-profman apk_data_file dir 77922323
-radio statsdw_socket sock_file 78456764
-statsd hal_health_default binder 77919007
-storaged storaged capability 77634061
 system_server crash_dump process 73128755
-system_server logd_socket sock_file 64734187
 system_server sdcardfs file 77856826
 system_server storage_stub_file dir 112609936
 system_server zygote process 77856826
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 41979af..9242070 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,6 +6,7 @@
   ( activity_task_service
     adb_service
     adbd_exec
+    app_binding_service
     atrace
     binder_calls_stats_service
     biometric_prompt_service
@@ -61,7 +62,7 @@
     hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_evs_hwservice
-    hal_health_filesystem_hwservice
+    hal_health_storage_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
     hal_secure_element_hwservice
@@ -81,6 +82,7 @@
     llkd_exec
     llkd_prop
     llkd_tmpfs
+    looper_stats_service
     lowpan_device
     lowpan_prop
     lowpan_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 278d605..6b5a71d 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattributeset new_objects
   ( activity_task_service
     adb_service
+    app_binding_service
     atrace
     binder_calls_stats_service
     biometric_prompt_service
@@ -55,7 +56,7 @@
     hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_evs_hwservice
-    hal_health_filesystem_hwservice
+    hal_health_storage_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice
     hal_system_suspend_default
@@ -71,6 +72,7 @@
     llkd_exec
     llkd_prop
     llkd_tmpfs
+    looper_stats_service
     lowpan_device
     lowpan_prop
     lowpan_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6a79c75..87078a6 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -5,10 +5,11 @@
 (typeattributeset new_objects
   ( activity_task_service
     adb_service
+    app_binding_service
     biometric_prompt_service
     fastbootd
     color_display_service
-    hal_health_filesystem_hwservice
+    hal_health_storage_hwservice
     hal_system_suspend_default
     hal_system_suspend_default_exec
     hal_system_suspend_default_tmpfs
@@ -16,6 +17,7 @@
     llkd_exec
     llkd_prop
     llkd_tmpfs
+    looper_stats_service
     mnt_product_file
     overlayfs_file
     recovery_socket
diff --git a/private/crash_dump.te b/private/crash_dump.te
index aabff29..831ff04 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -17,6 +17,13 @@
   allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
+###
+### neverallow assertions
+###
+
+# ptrace neverallow assertions are spread throughout the other policy
+# files, so we avoid adding redundant assertions here
+
 neverallow crash_dump {
   bpfloader
   init
@@ -29,6 +36,6 @@
   ueventd
   vendor_init
   vold
-}:process { ptrace signal sigstop sigkill };
+}:process { signal sigstop sigkill };
 
 neverallow crash_dump self:process ptrace;
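Review bot: Removing `ptrace` from this neverallow replaces an explicit, crash_dump-specific assertion with reliance on per-target assertions elsewhere, and of the listed targets only bpfloader (private/bpfloader.te) and init (public/init.te) have a counterpart visible in this change; the middle of the target list falls between the two hunks, so the remaining domains cannot be checked here. Unless every listed domain has a `neverallow { domain ... } X:process ptrace;` of its own, this is a net loosening for crash_dump. Suggest either keeping `ptrace` in this list, since redundant assertions cost nothing, or extending the comment added in the previous hunk to name the file holding each target's ptrace assertion.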
diff --git a/private/domain.te b/private/domain.te
index 5c6fec8..5fcc1fd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1,6 +1,8 @@
 # Transition to crash_dump when /system/bin/crash_dump* is executed.
 # This occurs when the process crashes.
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
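Review bot: Excluding su from the crash_dump transition means that on userdebug/eng builds a crash_dump_exec started from the su domain stays in su, so none of the crash_dump neverallows apply to that process; the comment cites the test-interference bug but not this consequence. Suggest recording it next to the bug reference: `# On those builds crash_dump then runs in the su domain and is not bound by crash_dump's neverallows.`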
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 2c2a62f..b3db3d4 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -8,9 +8,6 @@
 # Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
 allow dumpstate system_file:file lock;
 
-# TODO: deal with tmpfs_domain pub/priv split properly
-allow dumpstate dumpstate_tmpfs:file execute;
-
 # systrace support - allow atrace to run
 allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 508d925..9af432d 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -27,7 +27,7 @@
 android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
 android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
 android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
-android.hardware.health.filesystem::IFileSystem                 u:object_r:hal_health_filesystem_hwservice:s0
+android.hardware.health.storage::IStorage                       u:object_r:hal_health_storage_hwservice:s0
 android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
 android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
 android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
diff --git a/private/llkd.te b/private/llkd.te
index 73e3f58..3f84eb6 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -8,7 +8,7 @@
 allow llkd self:global_capability_class_set kill;
 userdebug_or_eng(`
   allow llkd self:global_capability_class_set sys_ptrace;
-  allow llkd self:global_capability_class_set dac_override;
+  allow llkd self:global_capability_class_set { dac_override dac_read_search };
 ')
 
 # llkd optionally locks itself in memory, to prevent it from being
@@ -22,9 +22,12 @@
 userdebug_or_eng(`
   allow llkd {
     domain
+    -kernel
     -keystore
     -init
     -llkd
+    -ueventd
+    -vendor_init
   }:process ptrace;
 ')
 
diff --git a/private/platform_app.te b/private/platform_app.te
index eec503a..1ee65d3 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,9 +27,6 @@
 allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
-# Read access to FDs from the DropboxManagerService.
-allow platform_app dropbox_data_file:file { getattr read };
-
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
diff --git a/private/policy_capabilities b/private/policy_capabilities
index ab55c15..9290e3a 100644
--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@@ -11,3 +11,10 @@
 # to the rawip_socket class.
 policycap extended_socket_class;
 
+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
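Review bot: Enabling `policycap nnp_nosuid_transition` makes the new `process2 { nnp_transition nosuid_transition }` permissions meaningful, but nothing in this change grants or bounds them, so the first allow to appear later will be the real security decision. A neverallow that forces that review would be worth adding now, e.g. `neverallow * *:process2 { nnp_transition nosuid_transition };`, to be relaxed deliberately when a specific domain needs it; this assumes no such allow exists outside the hunks shown. The comment's `Checks enabled;` reads as a typo for `Checks enabled:`.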
diff --git a/private/priv_app.te b/private/priv_app.te
index f24afc0..101c448 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -54,9 +54,6 @@
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
-# Read access to FDs from the DropboxManagerService.
-allow priv_app dropbox_data_file:file { getattr read };
-
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index c21d49f..418150e 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -112,7 +112,7 @@
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
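Review bot: Switching priv_app's data type to privapp_data_file changes the label of newly created data directories, but existing directories of privileged apps on upgraded devices presumably keep app_data_file until something relabels them, and nothing on this page shows that path. Confirm that the installd/restorecon flow covers the upgrade case and that rules elsewhere referring to priv_app data as app_data_file (allow and neverallow alike) were updated for the new type. A short comment on the line, `# privileged apps use privapp_data_file rather than app_data_file`, would record the intent.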
diff --git a/private/security_classes b/private/security_classes
index 251b721..e0007d1 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -130,6 +130,8 @@
 class qipcrtr_socket
 class smc_socket
 
+class process2
+
 # Property service
 class property_service          # userspace
 
diff --git a/private/service_contexts b/private/service_contexts
index 804385e..e6f8ce7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -7,6 +7,7 @@
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
+app_binding                               u:object_r:app_binding_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
@@ -81,6 +82,7 @@
 launcherapps                              u:object_r:launcherapps_service:s0
 location                                  u:object_r:location_service:s0
 lock_settings                             u:object_r:lock_settings_service:s0
+looper_stats                              u:object_r:looper_stats_service:s0
 media.aaudio                              u:object_r:audioserver_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index b7321fd..8f70531 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -48,7 +48,7 @@
 
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
 
 # For collecting bugreports.
 allow storaged dumpstate:fifo_file write;
diff --git a/private/system_app.te b/private/system_app.te
index 7a7411f..4ed1982 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,9 +24,6 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
-# Read access to FDs from the DropboxManagerService.
-allow system_app dropbox_data_file:file { getattr read };
-
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 
diff --git a/private/system_server.te b/private/system_server.te
index 750ee3e..7c81c45 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -650,6 +650,7 @@
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
+allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server vold_service:service_manager find;
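Review bot: The new `thermal_service` line breaks the alphabetical order of this find list, sitting between stats_service and storaged_service. Move it to follow `allow system_server surfaceflinger_service:service_manager find;` so the list stays sorted and later additions merge cleanly.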
@@ -880,7 +881,8 @@
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
 # system_server should never execute or load executable shared libraries
-# in /data
+# in /data. Executable files in /data are a persistence vector.
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 neverallow system_server data_file_type:file no_x_file_perms;
 
 # The only block device system_server should be accessing is
@@ -889,6 +891,8 @@
 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
 
 # system_server should never use JIT functionality
+# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
+# in the section titled "A Short ROP Chain" for why.
 neverallow system_server self:process execmem;
 neverallow system_server ashmem_device:chr_file execute;
 
diff --git a/private/traced_probes.te b/private/traced_probes.te
index ef5a396..83dbe45 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -57,6 +57,15 @@
 # scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
 allow atrace traced_probes:fd use;
 
+# Allow traced_probes to access /proc files for system stats.
+# Note: trace data is NOT exposed to anything other than shell and privileged
+# system apps that have access to the traced consumer socket.
+allow traced_probes {
+  proc_meminfo
+  proc_vmstat
+  proc_stat
+}:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 0a11558..0d062e9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
   system_data_file
diff --git a/private/zygote.te b/private/zygote.te
index 3a8e793..91c9230 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,7 +7,7 @@
 read_runtime_log_tags(zygote)
 
 # Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
 
 # Drop capabilities from bounding set.
 allow zygote self:global_capability_class_set setpcap;
@@ -43,7 +43,9 @@
 allow zygote resourcecache_data_file:file create_file_perms;
 
 # When WITH_DEXPREOPT is true, the zygote does not load executable content from
-# /data/dalvik-cache.
+# /data/dalvik-cache. Executable files loaded from /data is a persistence vector
+# we want to avoid. See
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 
 # Execute idmap and dex2oat within zygote's own domain.
diff --git a/public/app.te b/public/app.te
index 932116e..62a63cd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -350,6 +350,9 @@
 # Allow apps to run with asanwrapper.
 with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
 
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/attributes b/public/attributes
index c8db1fd..ecfe373 100644
--- a/public/attributes
+++ b/public/attributes
@@ -184,6 +184,11 @@
 attribute system_writes_vendor_properties_violators;
 expandattribute system_writes_vendor_properties_violators false;
 
+# All system domains which violate the requirement of not writing to
+# /mnt/vendor/*. Must not be used on devices launched with P or later.
+attribute system_writes_mnt_vendor_violators;
+expandattribute system_writes_mnt_vendor_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
@@ -253,7 +258,7 @@
 hal_attribute(graphics_allocator);
 hal_attribute(graphics_composer);
 hal_attribute(health);
-hal_attribute(health_filesystem);
+hal_attribute(health_storage);
 hal_attribute(ir);
 hal_attribute(keymaster);
 hal_attribute(light);
diff --git a/public/crash_dump.te b/public/crash_dump.te
index cd1e5a8..65e6a65 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -46,7 +46,9 @@
 # Append to tombstone files.
 allow crash_dump tombstone_data_file:file { append getattr };
 
-read_logd(crash_dump)
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
 
 # Crash dump is not intended to access the following data types. Since these
 # are WAI, suppress the denials to clean up the logs.
diff --git a/public/device.te b/public/device.te
index c68b515..1ab08b4 100644
--- a/public/device.te
+++ b/public/device.te
@@ -80,18 +80,23 @@
 type frp_block_device, dev_type;
 
 # System block device mounted on /system.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
 type system_block_device, dev_type;
 
 # Recovery block device.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
 type recovery_block_device, dev_type;
 
 # boot block device.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
 type boot_block_device, dev_type;
 
 # Userdata block device mounted on /data.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
 type userdata_block_device, dev_type;
 
 # Cache block device mounted on /cache.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
 type cache_block_device, dev_type;
 
 # Block device for any swap partition.
@@ -100,9 +105,11 @@
 # Metadata block device used for encryption metadata.
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
 type metadata_block_device, dev_type;
 
 # The 'misc' partition used by recovery and A/B.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
 type misc_block_device, dev_type;
 
 # 'super' partition to be used for logical partitioning.
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 3aaefd3..e97e964 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,7 +6,7 @@
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
 
 # TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
 
 allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
 
diff --git a/public/domain.te b/public/domain.te
index a865bd8..1f38b73 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -394,12 +394,11 @@
 neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
 neverallow { domain -init -vendor_init } proc_security:file { append open read write };
 
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
+# Nobody is allowed to make binder calls into init.
+# Only servicemanager may transfer binder references to init
+# vendor_init shouldn't use binder at all.
+neverallow * init:binder ~{ transfer };
+neverallow { domain -servicemanager } init:binder { transfer };
 neverallow * vendor_init:binder *;
 
 # Don't allow raw read/write/open access to block_device
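Review bot: The removed comment explaining that a hit on the init binder neverallow usually means a service is running without its own SELinux domain was a useful diagnostic and is lost here; the replacement only describes the new rule shape. Suggest keeping it on the first new neverallow, e.g. `# If this neverallow is triggered, it's probably due to a service with no SELinux domain.` The servicemanager `transfer` carve-out matches the `binder_use(init)` added in public/init.te.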
@@ -423,12 +422,14 @@
 #
 # Assert that, to the extent possible, we're not loading executable content from
 # outside the rootfs or /system partition except for a few whitelisted domains.
+# Executable files loaded from /data is a persistence vector
+# we want to avoid. See
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 #
 neverallow {
     domain
     -appdomain
     with_asan(`-asan_extract')
-    -dumpstate
     -shell
     userdebug_or_eng(`-su')
     -webview_zygote
@@ -588,6 +589,7 @@
   -vold
   -e2fs
   -fsck
+  -fastbootd
 } metadata_block_device:blk_file { append link rename write open read ioctl lock };
 
 # No domain other than recovery, update_engine and fastbootd can write to system partition(s).
@@ -1375,29 +1377,36 @@
 # Minimize dac_override and dac_read_search.
 # Instead of granting them it is usually better to add the domain to
 # a Unix group or change the permissions of a file.
-neverallow {
-  domain
-  -dnsmasq
-  -dumpstate
-  -init
-  -installd
-  -install_recovery
-  userdebug_or_eng(`-llkd')
-  -lmkd
-  -netd
-  -perfprofd
-  -postinstall_dexopt
-  -recovery
-  -sdcardd
-  -tee
-  -ueventd
-  -uncrypt
-  -vendor_init
-  -vold
-  -vold_prepare_subdirs
-  -zygote
-} self:global_capability_class_set dac_override;
-neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
+define(`dac_override_allowed', `{
+  dnsmasq
+  dumpstate
+  init
+  installd
+  install_recovery
+  userdebug_or_eng(`llkd')
+  lmkd
+  netd
+  perfprofd
+  postinstall_dexopt
+  recovery
+  sdcardd
+  tee
+  ueventd
+  uncrypt
+  vendor_init
+  vold
+  vold_prepare_subdirs
+  zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials.  Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+  dac_override_allowed
+  traced_probes
+} self:global_capability_class_set dac_read_search;
 
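Review bot: The m4 `define` placed directly in domain.te creates a macro that is global for the rest of the concatenated policy, so any later bare occurrence of the token `dac_override_allowed` will be expanded, and this file otherwise defines no macros of its own. Consider moving the definition alongside the other shared macros, or at least marking it so nobody reuses the name as a type or attribute: `# m4 macro, not an attribute: expands to the set of domains permitted dac_override`. The `~{ dac_override_allowed traced_probes }` form does structurally enforce the superset relation the comment describes, which is an improvement over the two independent lists it replaces.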
 # If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
@@ -1432,6 +1441,7 @@
   -init
   -ueventd
   -vold
+  -system_writes_mnt_vendor_violators
 } mnt_vendor_file:dir *;
 
 # Only apps are allowed access to vendor public libraries.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9187f33..295217d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -33,7 +33,7 @@
 allow dumpstate system_file:dir r_dir_perms;
 
 # Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;
 
@@ -137,13 +137,6 @@
 # For running am and similar framework commands.
 # Run /system/bin/app_process.
 allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:dir { search getattr };
-allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
 
 # For Bluetooth
 allow dumpstate bluetooth_data_file:dir search;
@@ -271,6 +264,12 @@
 # newer kernels (e.g. 4.4) have a new class for sockets
 allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# For when dumpstate runs df
+dontaudit dumpstate mnt_vendor_file:dir search;
+
 # Allow dumpstate to kill vendor dumpstate service by init
 set_prop(dumpstate, ctl_dumpstate_prop)
 
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 1d39d50..a1c407b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -39,8 +39,24 @@
   allow fastbootd dm_device:blk_file rw_file_perms;
 
   allow fastbootd super_block_device:blk_file rw_file_perms;
-  allow fastbootd system_block_device:blk_file rw_file_perms;
-  allow fastbootd boot_block_device:blk_file rw_file_perms;
+  allow fastbootd {
+    boot_block_device
+    metadata_block_device
+    system_block_device
+    userdata_block_device
+  }:blk_file { w_file_perms getattr ioctl };
+
+  allowxperm fastbootd {
+    boot_block_device
+    metadata_block_device
+    system_block_device
+    userdata_block_device
+  }:blk_file ioctl { BLKGETSIZE64 };
+
+  allowxperm fastbootd {
+    metadata_block_device
+    userdata_block_device
+  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
 
   allow fastbootd misc_block_device:blk_file rw_file_perms;
 
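Review bot: The xperm filtering on the four listed block devices is a good tightening, but `super_block_device` and `dm_device` above and `misc_block_device` below keep `rw_file_perms`, which includes `read` and unfiltered `ioctl`; if fastbootd needs only the same small ioctl set on those devices, the same `allowxperm` restriction should apply, otherwise a comment should say why they stay broad. The enclosing indented block starts outside the hunk, so the conditional wrapping these rules cannot be checked here.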
diff --git a/public/hal_health_filesystem.te b/public/hal_health_filesystem.te
deleted file mode 100644
index 4d02adc..0000000
--- a/public/hal_health_filesystem.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_filesystem_client, hal_health_filesystem_server)
-binder_call(hal_health_filesystem_server, hal_health_filesystem_client)
-
-hal_attribute_hwservice(hal_health_filesystem, hal_health_filesystem_hwservice)
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
new file mode 100644
index 0000000..61e609b
--- /dev/null
+++ b/public/hal_health_storage.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_storage_client, hal_health_storage_server)
+binder_call(hal_health_storage_server, hal_health_storage_client)
+
+hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index 2153547..3e3a6c8 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -24,7 +24,7 @@
 type hal_graphics_composer_hwservice, hwservice_manager_type;
 type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_health_hwservice, hwservice_manager_type;
-type hal_health_filesystem_hwservice, hwservice_manager_type;
+type hal_health_storage_hwservice, hwservice_manager_type;
 type hal_ir_hwservice, hwservice_manager_type;
 type hal_keymaster_hwservice, hwservice_manager_type;
 type hal_light_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index d3a3b1f..36d9800 100644
--- a/public/init.te
+++ b/public/init.te
@@ -105,7 +105,7 @@
 allow init tmpfs:dir relabelfrom;
 
 # Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };
 
 # Set system clock.
 allow init self:global_capability_class_set sys_time;
@@ -512,6 +512,9 @@
 allow init vold_metadata_file:dir create_dir_perms;
 allow init vold_metadata_file:file getattr;
 
+# Allow init to use binder
+binder_use(init);
+
 ###
 ### neverallow rules
 ###
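Review bot: `binder_use(init);` is added with only "Allow init to use binder" as justification; since init becoming a binder client is a notable surface change and the companion public/domain.te hunk had to loosen `neverallow * init:binder *` to permit servicemanager `transfer`, the comment should say what init uses binder for and reference the tracking bug. The trailing semicolon is also inconsistent with invocations such as `binder_use(atrace)` in private/atrace.te; writing `binder_use(init)` keeps the style uniform.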
@@ -538,3 +541,6 @@
 
 # Init should not access sysfs node that are not explicitly labeled.
 neverallow init sysfs:file { open read write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace;
diff --git a/public/install_recovery.te b/public/install_recovery.te
index ab68838..24819c2 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
 type install_recovery, domain;
 type install_recovery_exec, exec_type, file_type;
 
-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
 
 # /system/bin/install-recovery.sh is a shell script.
 # Needs to execute /system/bin/sh
diff --git a/public/installd.te b/public/installd.te
index 8d7301b..12495c4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
 type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
 
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
diff --git a/public/kernel.te b/public/kernel.te
index af02c7e..3a440eb 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,6 +81,21 @@
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file read;
 
+# Allow the first-stage init (which is running in the kernel domain) to execute the
+# dynamic linker when it re-executes /init to switch into the second stage.
+# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
+# before the domain is switched to the target domain. So, we need to allow the kernel
+# domain (the source domain) to execute the dynamic linker (system_file type).
+# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
+# kernel older than 4.8.
+allow kernel system_file:file execute;
+# The label for the dynamic linker is rootfs in the recovery partition. This is because
+# the recovery partition which is rootfs does not support xattr and thus labeling can't be
+# done at build-time. All files are by default labeled as rootfs upon booting.
+recovery_only(`
+  allow kernel rootfs:file execute;
+')
+
 ###
 ### neverallow rules
 ###
@@ -104,17 +119,5 @@
 # on files being accessed.
 neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
 
-# Allow the first-stage init (which is running in the kernel domain) to execute the
-# dynamic linker when it re-executes /init to switch into the second stage.
-# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
-# before the domain is switched to the target domain. So, we need to allow the kernel
-# domain (the source domain) to execute the dynamic linker (system_file type).
-# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
-# kernel older than 4.8.
-allow kernel system_file:file execute;
-# The label for the dynamic linker is rootfs in the recovery partition. This is because
-# the recovery partition which is rootfs does not support xattr and thus labeling can't be
-# done at build-time. All files are by default labeled as rootfs upon booting.
-recovery_only(`
-  allow kernel rootfs:file execute;
-')
+# Nobody should be ptracing kernel threads
+neverallow * kernel:process ptrace;
diff --git a/public/lmkd.te b/public/lmkd.te
index a82e0a0..2eb2cca 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,7 +2,7 @@
 type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
 
 # lmkd locks itself in memory, to prevent it from being
 # swapped out and unable to kill other memory hogs.
diff --git a/public/netd.te b/public/netd.te
index 1315398..a4a65a9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -61,7 +61,7 @@
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
 
 # Needed to update /data/misc/net/rt_tables
 allow netd net_data_file:file create_file_perms;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 83a1319..f780a0d 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -23,7 +23,7 @@
   # perfprofd reads a config file from /data/data/com.google.android.gms/files
   allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
   allow perfprofd { privapp_data_file app_data_file }:dir search;
-  allow perfprofd self:global_capability_class_set { dac_override };
+  allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
 
   # perfprofd opens a file for writing in /data/misc/perfprofd
   allow perfprofd perfprofd_data_file:file create_file_perms;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index ffd8bc5..8b6d6cc 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
 
 type postinstall_dexopt, domain;
 
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
diff --git a/public/profman.te b/public/profman.te
index 3f03486..364e9f7 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -2,24 +2,24 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;
 
-allow profman user_profile_data_file:file { getattr read write lock };
+allow profman user_profile_data_file:file { getattr read write lock map };
 
 # Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { getattr read };
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
 allow profman apk_data_file:dir { getattr read search };
 
-allow profman oemfs:file { read };
+allow profman oemfs:file { read map };
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read };
-allow profman profman_dump_data_file:file { write };
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
 
 allow profman installd:fd use;
 
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
-allow profman { privapp_data_file app_data_file }:file { getattr read write lock };
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
 allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 
 ###
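Review bot: `map` is added to every profman file rule in this hunk, including `allow profman profman_dump_data_file:file { write map };`, without a comment saying why, and a write-only dump file being mmapped is surprising enough that it reads like a blanket addition. Since the `map` permission is only enforced by kernels that know it (4.13 and later, if I recall correctly), the older rules may have been passing silently, so a short note such as `# profman mmaps profiles and APKs, so map is required alongside read/write on newer kernels` plus a check that the dump file is really mmapped (otherwise drop `map` there) would help. profman.te continues past the end of this hunk.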
diff --git a/public/property_contexts b/public/property_contexts
index 565b829..9dd6501 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -66,6 +66,7 @@
 keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
 media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
 media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
+media.stagefright.thumbnail.prefer_hw_codecs u:object_r:exported3_default_prop:s0 exact bool
 persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
 persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
@@ -102,7 +103,9 @@
 ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
 ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
 ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -112,6 +115,9 @@
 ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
+ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
+ro.minui.overscan_percent u:object_r:exported3_default_prop:s0 exact int
+ro.minui.pixel_format u:object_r:exported3_default_prop:s0 exact string
 ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
 ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
 ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
diff --git a/public/recovery.te b/public/recovery.te
index 317cf32..9db6f5e 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -15,6 +15,7 @@
   allow recovery self:global_capability_class_set {
     chown
     dac_override
+    dac_read_search
     fowner
     setuid
     setgid
@@ -108,9 +109,6 @@
   # Reboot the device
   set_prop(recovery, powerctl_prop)
 
-  # Start/stop adbd via ctl.start adbd
-  set_prop(recovery, ctl_adbd_prop)
-
   # Read serial number of the device from system properties
   get_prop(recovery, serialno_prop)
 
diff --git a/public/runas.te b/public/runas.te
index 053a87f..6c5de7c 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -18,7 +18,7 @@
 allow runas system_data_file:lnk_file read;
 
 # run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
 allow runas app_data_file:dir { getattr search };
 
 # run-as switches to the app UID/GID.
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 4a88f54..6749d16 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
 allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
 
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;
diff --git a/public/service.te b/public/service.te
index 9349051..850e22f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -41,6 +41,7 @@
 type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type adb_service, system_server_service, service_manager_type;
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type app_binding_service, system_server_service, service_manager_type;
 type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -98,6 +99,7 @@
 type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type looper_stats_service, system_server_service, service_manager_type;
 type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8fe1fea..8e58e42 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -8,3 +8,4 @@
 # Needs to contact the "webviewupdate" and "activity" services
 allow shared_relro activity_service:service_manager find;
 allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
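Review bot: The comment two lines above, `# Needs to contact the "webviewupdate" and "activity" services`, is now stale because the hunk adds `allow shared_relro package_service:service_manager find;` beneath it. Update it to `# Needs to contact the "webviewupdate", "activity" and "package" services` and, if the package service lookup serves a specific purpose (e.g. resolving the WebView package), say so, since shared_relro is otherwise a very narrow domain.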
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index f47f544..90140b2 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -10,3 +10,4 @@
 hal_client_domain(thermalserviced, hal_thermal)
 
 binder_call(thermalserviced, platform_app)
+binder_call(thermalserviced, system_server)
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 0e585b6..9c75c97 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -11,12 +11,7 @@
 allow tombstoned tombstone_data_file:dir rw_dir_perms;
 allow tombstoned tombstone_data_file:file { create_file_perms link };
 
-# TODO: Remove append / write permissions. They were temporarily
-# granted due to a bug which appears to have been fixed.
-allow tombstoned anr_data_file:file { append write };
-auditallow tombstoned anr_data_file:file { append write };
-
 # Changes for the new stack dumping mechanism. Each trace goes into a
 # separate file, and these files are managed by tombstoned.
 allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { create getattr open link unlink };
+allow tombstoned anr_data_file:file { append create getattr open link unlink };
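Review bot: The new rule `allow tombstoned anr_data_file:file { append create getattr open link unlink };` keeps `append` permanently, but the only explanation that ever existed for it was the removed TODO calling it a temporary grant, and the `auditallow` that would have shown whether it is still exercised is deleted in the same hunk. Either add a sentence to the comment above stating why tombstoned must append to ANR files (e.g. `# append: traces for further threads/processes are appended to the same ANR file`, if that is the reason), or keep `auditallow tombstoned anr_data_file:file append;` until the logs show it is needed. Dropping `write` while keeping `append` is a real tightening, so it is worth recording that this is deliberate.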
diff --git a/public/ueventd.te b/public/ueventd.te
index 4f68318..0863302 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
 
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
 allow ueventd device:file create_file_perms;
 
 r_dir_file(ueventd, rootfs)
@@ -70,3 +70,6 @@
 
 # Only relabelto as we would never want to relabelfrom kmem_device or port_device
 neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+
+# Nobody should be able to ptrace ueventd
+neverallow * ueventd:process ptrace;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 3674980..a0fb372 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@
 type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
 
 userdebug_or_eng(`
   # For debugging, allow /data/local/tmp access
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 19d906b..e28ce1c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -22,7 +22,7 @@
 allow vendor_init configfs:{ file lnk_file } create_file_perms;
 
 # Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
 
 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
@@ -229,3 +229,6 @@
 # Init never adds or uses services via service_manager.
 neverallow vendor_init service_manager_type:service_manager { add find };
 neverallow vendor_init servicemanager:service_manager list;
+
+# vendor_init should never be ptraced
+neverallow * vendor_init:process ptrace;
diff --git a/public/vold.te b/public/vold.te
index e40c251..2097392 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -79,7 +79,7 @@
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 # TODO(b/80418809): remove direct access to private app data
 userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
@@ -166,8 +166,8 @@
 # talk to keymaster
 hal_client_domain(vold, hal_keymaster)
 
-# talk to health filesystem HAL
-hal_client_domain(vold, hal_health_filesystem)
+# talk to health storage HAL
+hal_client_domain(vold, hal_health_storage)
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
@@ -268,7 +268,7 @@
 neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
   domain
-  -hal_health_filesystem_server
+  -hal_health_storage_server
   -hal_keymaster_server
   -hal_system_suspend_server
   -healthd
diff --git a/tools/sepolicy_cleanup_check.sh b/tools/sepolicy_cleanup_check.sh
new file mode 100755
index 0000000..9def7e0
--- /dev/null
+++ b/tools/sepolicy_cleanup_check.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+
+# This script uses some heuristics to suggest potential ways to clean up SELinux policy.
+# As these are heuristics, not everything it outputs is an error.
+# It is better to run this on device-specific policy rather than core policy.
+# It requires a device connected to adb.
+# Usage:
+#   ./sepolicy_cleanup_check.sh <sepolicy source path> [serial]
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <sepolicy source path> [serial]"
+  exit
+fi
+
+sedir=$1
+shift
+
+adb_cmd="adb"
+if [[ $# -eq 1 ]]; then
+  adb_cmd="$adb_cmd -s $1"
+  shift
+fi
+
+$adb_cmd shell id &>/dev/null
+if [[ $? -ne 0 ]]; then
+  echo "Please plug in a device and/or specify a serial"
+  adb devices
+  exit
+fi
+
+echo "Warning: this file uses heuristics, so all of its outputs are not necessarily errors."
+echo "For example, when run on core policy, it will likely find many things that do not exist on a given device but might exist on others."
+
+echo
+echo "Scanning for labels that are not assigned to any files."
+# Find all types.
+grep -r "^type " --exclude=\*.go $sedir --exclude=\*_macros | sed 's/^.*:.*type \([^,]*\)*.*$/\1/' | sort | uniq | while read -r type; do
+  # Find types that are not referenced in *_contexts.
+  if [[ `find $sedir -name "*_contexts" -not -path "*prebuilts*" -exec grep $type '{}' \; |wc -l` -eq 0 ]]; then
+    echo "None for $type"
+    grep -r $type --exclude-dir=prebuilts --exclude=\*.cil $sedir
+  fi
+done
+
+echo
+echo "Scanning for executables that don't exist."
+# Find executable types.
+grep -r "^type .*exec_type" --exclude=\*.go $sedir | sed 's/^.*:.*type \([^,]*\)*.*$/\1/' | sort | uniq | while read -r type; do
+  path_line=`grep -r $type --include=\*_contexts $sedir`
+  # Note that this only examines one entry, even if multiple executables have the same label.
+  # But the file_contexts scan below covers that case.
+  path=`echo $path_line | sed 's/^.*:[^\/]*\([^ ]*\) .*$/\1/'`
+  # Replace character classes and + with *.
+  path=`echo $path | sed 's/\[[^]]*\]/*/' | sed 's/+/*/'`
+  # Check whether the file exists.
+  if [ -n "`$adb_cmd shell ls -lZ $path < /dev/null |& grep "No such file or directory"`" ]; then
+    echo "$path does not exist"
+  fi
+done
+
+echo
+echo "Scanning genfs_contexts for files that don't exist."
+# Find files in genfs_contexts.
+find $sedir -name genfs_contexts -exec grep "^genfscon " '{}' \; | cut -d' ' -f2,3 | sort | uniq | while read -r file_line; do
+  # Extract the full path.
+  path=`echo $file_line | sed 's/rootfs //' | sed 's/sysfs /\/sys/' | sed 's/proc /\/proc/' | sed 's/debugfs /\/sys\/kernel\/debug/' | sed 's/tracefs /\/sys\/kernel\/debug\/tracing/'`
+  # Skip things whose prefix we don't recognize.
+  if [[ $path = *" "* ]]; then
+    continue
+  fi
+  # Check whether the file exists.
+  if [ -n "`$adb_cmd shell ls -lZ $path < /dev/null |& grep "No such file or directory"`" ]; then
+    echo "$path does not exist"
+  fi
+done
+
+echo
+echo "Scanning file_contexts for files that don't exist."
+# Find files in file_contexts.
+find $sedir -name file_contexts -not -path "*prebuilts*" -exec grep "^/" '{}' \; | cut -d' ' -f1 | cut -f1 | sort | uniq | while read -r path; do
+  # Replace (/.*)? with *
+  # Replace (64)? with ??
+  # Replace (vendor|system/vendor) with /vendor
+  # Replace character classes and + with *.
+  # Replace captures.
+  # Replace \. with .
+  # Replace .* with *
+  # Replace ** with *
+  path=`echo "$path" | sed 's/(\/\.\*)?$//' | sed 's/(64)?/??/' | sed 's/\(vendor|system\/vendor\)/vendor/' | sed 's/\[[^]]*\]/*/' | sed 's/+/*/' | sed 's/(\([^)]*\))/\1/' | sed 's/\\\././g' | sed 's/\.\*/\*/g' | sed 's/\*\*/\*/g'`
+  # Check whether the file exists.
+  if [ -n "`$adb_cmd shell ls -lZ "$path" < /dev/null |& grep "No such file or directory"`" ]; then
+    echo "$path does not exist"
+  fi
+done
+
+echo
+echo "Scanning for rules that are defined in the wrong file."
+echo "That is, rules that do not contain the name of the file."
+# Find .te files.
+find $sedir -name "*.te" -not -path "*prebuilts*" | while read -r file; do
+  filename=`basename $file`
+  filename="${filename%.*}"
+  # Look for lines that don't have the filename in them.
+  lines=$(grep "^[^# }']" $file | grep -v $filename | grep -v "^userdebug_or_eng(\`$" | grep -v "^type " | grep "[,)]" | grep -v "^define(")
+  if [[ -n "$lines" ]]; then
+    echo "$file:"
+    echo "$lines"
+  fi
+done
+
+echo
+echo "Scanning for rules that use the wrong file/dir macros."
+grep -r ":file.*_dir_perms" --exclude=\*_macros $sedir
+grep -r ":dir.*_file_perms" --exclude=\*_macros $sedir
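Review bot: Both early exits in the new script, the `exit` after the usage message and the `exit` after the adb probe, return status 0, so a caller or CI step cannot tell a usage error or missing device from a clean run; use `exit 1` for both. In the first scan loop `grep $type` is unquoted and unanchored, so `foo` matches `foo_exec` and `foo_tmpfs` in *_contexts and the "None for" check produces false negatives; `grep -w "$type"` fixes that, and the same applies to the `grep $type` at the start of the exec_type loop. `$sedir` and the derived `$path` values are passed unquoted to find, grep and `$adb_cmd shell ls -lZ $path`, which lets the host shell split on spaces and expand the `*` the script itself substitutes for character classes before adb ever sees the path; quoting them, as the file_contexts loop already does with `"$path"`, keeps the probe on the path the policy actually names. The adb probe also reads more naturally as `if ! $adb_cmd shell id &>/dev/null; then` instead of testing `$?` on the following line.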
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 5529a7e..5fb18bf 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -85,11 +85,19 @@
 $(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
 $(treble_sepolicy_tests_$(version)): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
 $(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
-ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE := --fake-treble
-else
 $(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE :=
-endif
+ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
+ifdef PRODUCT_SHIPPING_API_LEVEL
+# These requirements were originally added in Android Oreo. Devices
+# launching after this should not distinguish between
+# PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE since this could
+# lead to release problems where they think they pass this test but
+# fail it when it actually gets runned for compliance.
+ifeq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
+$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE := --fake-treble
+endif # if PRODUCT_SHIPPING_API_LEVEL < 26 (Android Oreo)
+endif # PRODUCT_SHIPPING_API_LEVEL defined
+endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
 $(treble_sepolicy_tests_$(version)): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
   $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
   $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
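Review bot: Under the new nesting, a product that sets `PRODUCT_FULL_TREBLE_OVERRIDE := true` but leaves `PRODUCT_SHIPPING_API_LEVEL` undefined no longer gets `--fake-treble`, whereas before this hunk it always did; if that is intended (an undefined level treated as a current launch), the comment should say so, because the current text only covers the defined case via `# PRODUCT_SHIPPING_API_LEVEL defined`. The comment also has a grammar slip: `fail it when it actually gets runned for compliance` should read `fail it when it is actually run for compliance`. As a readability point, `ifeq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)` means "if not >= 26", which only the trailing `endif # if PRODUCT_SHIPPING_API_LEVEL < 26 (Android Oreo)` explains; putting that explanation on the `ifeq` line itself would save the reader a lookahead.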
diff --git a/vendor/bug_map b/vendor/bug_map
deleted file mode 100644
index ef56ca6..0000000
--- a/vendor/bug_map
+++ /dev/null
@@ -1 +0,0 @@
-surfaceflinger mediacodec binder 77924251
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 9728b7c..c4e6648 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,7 +26,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.2-service    u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service         u:object_r:hal_health_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.filesystem@1\.0-service         u:object_r:hal_health_filesystem_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service       u:object_r:hal_health_storage_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service      u:object_r:hal_keymaster_default_exec:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 0dc2170..82cbf8e 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,3 +6,5 @@
 
 hal_client_domain(hal_audio_default, hal_allocator)
 
+# allow audioserver to call hal_audio dump with its own fd to retrieve status
+allow hal_audio_default audioserver:fifo_file write;
diff --git a/vendor/hal_health_filesystem_default.te b/vendor/hal_health_filesystem_default.te
deleted file mode 100644
index b680a25..0000000
--- a/vendor/hal_health_filesystem_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_health_filesystem_default, domain;
-hal_server_domain(hal_health_filesystem_default, hal_health_filesystem)
-
-type hal_health_filesystem_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_health_filesystem_default)
-
diff --git a/vendor/hal_health_storage_default.te b/vendor/hal_health_storage_default.te
new file mode 100644
index 0000000..37b3e24
--- /dev/null
+++ b/vendor/hal_health_storage_default.te
@@ -0,0 +1,6 @@
+type hal_health_storage_default, domain;
+hal_server_domain(hal_health_storage_default, hal_health_storage)
+
+type hal_health_storage_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_health_storage_default)
+