Merge "snapshotctl better logging"
diff --git a/private/apexd.te b/private/apexd.te
index 7f1d099..36b7999 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -45,7 +45,7 @@
# sys_admin is required to access the device-mapper and mount
# dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override fowner };
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
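Review bot: The comment above the capability rule still names only dac_override, chown and fowner as needed for snapshot and restore, so the newly added dac_read_search is undocumented. For plain permission checks it overlaps with the dac_override already granted, but CAP_DAC_READ_SEARCH also gates open_by_handle_at(), so it is not a pure no-op. I would extend the comment to `# dac_override, dac_read_search, chown, and fowner are needed for snapshot and restore` and, if the reason is only an audit denial from the kernel checking dac_read_search first, say so. The "Note: fsetid" comment at the end of the hunk continues outside it.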
@@ -139,6 +139,9 @@
# Allow apexd to read file contexts when performing restorecon of snapshots.
allow apexd file_contexts_file:file r_file_perms;
+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
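Review bot: `rx_file_perms` includes `execute_no_trans`, so unless a domain transition is defined elsewhere, toybox runs inside the apexd domain with the sys_admin, chown, dac_override, dac_read_search and fowner capabilities granted earlier in this file. The comment should record that this in-domain execution is intended and which toybox commands are used, for example `# Allow apexd to execute toybox in its own domain (no transition) for snapshot & restore`. Whether the arguments passed to those commands are fully controlled by apexd is not visible in this hunk and is worth confirming in the caller.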
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 00d4c79..34921e6 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,7 +18,7 @@
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
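Review bot: The `prog_run` neverallow now exempts system_server, but nothing next to the rule says why, and the trailing comment in this hunk only covers reading and writing maps. system_server is a large process reachable from apps over binder, so widening this assertion deserves a stated reason at the rule itself. The matching allow in private/system_server.te mentions time in state accounting, so I would add a line above the rule such as `# system_server runs the BPF programs used for time in state accounting`. Since all programs loaded by bpfloader appear to share the bpfloader label, the exemption is not limited to those programs.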
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index cfd0c77..376c0a5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -46,7 +46,6 @@
hal_vibrator_service
incfs
incremental_service
- incremental_root_file
init_perf_lsm_hooks_prop
init_svc_debug_prop
iorap_prefetcherd
diff --git a/private/coredomain.te b/private/coredomain.te
index 44052c3..0c84797 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -132,6 +132,7 @@
-init
-traced_probes
-shell
+ -system_server
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
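Review bot: Adding `-system_server` exempts it from the whole `no_rw_file_perms` set on debugfs_tracing files, while private/system_server.te in this same change only grants `r_file_perms`. The build-time guarantee that system_server never writes tracefs files is lost with that. A narrow replacement keeps it: `neverallow system_server debugfs_tracing:file no_w_file_perms;`. The rule this line belongs to starts above the hunk, so I am inferring from its closing line that it is a neverallow.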
diff --git a/private/file_contexts b/private/file_contexts
index e3dad7b..0a0d3c9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -344,7 +344,6 @@
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
#############################
@@ -447,6 +446,8 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
@@ -490,7 +491,6 @@
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
-/data/incremental(/.*)? u:object_r:incremental_root_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -608,6 +608,9 @@
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+# Incremental directories
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+
#############################
# Expanded data files
#
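Review bot: Labelling `/data/incremental(/.*)?` as apk_data_file means every rule written for apk_data_file now also applies to the incremental tree, and the dedicated incremental_root_file type is removed elsewhere in this change. The comment `# Incremental directories` does not record that sharing the label is intended; I would write `# Incremental directories; intentionally share the apk_data_file label`. If any build already created /data/incremental with the old label, it needs a restorecon on upgrade. That cannot be checked from this page.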
diff --git a/private/platform_app.te b/private/platform_app.te
index 3beec38..76eaae6 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,6 +68,7 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
+allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/system_server.te b/private/system_server.te
index be2eec6..2a07a1f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -896,6 +896,9 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
+allow system_server debugfs_tracing:file r_file_perms;
+
# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
with_asan(`
@@ -905,10 +908,11 @@
')
# allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded
+# the map after snapshot is recorded, and to read, update and run the maps and programs used for
+# time in state accounting
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write };
+allow system_server bpfloader:bpf { map_read map_write prog_run };
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -1122,3 +1126,8 @@
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
binder_cache_system_server_prop:property_service set;
+
+# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
+# system_server cannot use this access to read perf event data like process stacks.
+allow system_server self:perf_event { open write cpu kernel };
+neverallow system_server self:perf_event ~{ open write cpu kernel };
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index c618253..969ab9c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -64,8 +64,8 @@
# Directory listing in /system.
allow webview_zygote system_file:dir r_dir_perms;
-# Read system properties managed by zygote.
-allow webview_zygote zygote_tmpfs:file read;
+# Read and inspect temporary files (like system properties) managed by zygote.
+allow webview_zygote zygote_tmpfs:file { read getattr };
# Child of zygote.
allow webview_zygote zygote:fd use;
allow webview_zygote zygote:process sigchld;
diff --git a/public/app.te b/public/app.te
index e4eee82..b771b5f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -50,9 +50,6 @@
# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };
-# Allow appdomain to access app_api_service
-allow { appdomain -isolated_app } app_api_service:service_manager find;
-
# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f01b1dd..94b0e8d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -302,6 +302,7 @@
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
+ linkerconfig_file
mirror_data_file
}:dir getattr;
diff --git a/public/file.te b/public/file.te
index adb5766..4ede12d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -309,8 +309,6 @@
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
-# /data/incremental
-type incremental_root_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
diff --git a/public/service.te b/public/service.te
index 9472f77..76e642d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,7 +101,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
-type platform_compat_service, app_api_service, system_server_service, service_manager_type;
+type platform_compat_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
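Review bot: Dropping `app_api_service` from platform_compat_service removes the attribute-based `find` grant, and the only replacement visible in this change is the explicit rule for platform_app in private/platform_app.te. The declaration now differs from its neighbours without saying why, which invites someone to add the attribute back. A short comment above it would prevent that, for example `# Not an app_api_service: find is granted per domain`. Whether other app domains still need to find this service cannot be told from the page.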
diff --git a/public/toolbox.te b/public/toolbox.te
index f4b164d..1dd06f9 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -27,3 +27,12 @@
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };
+
+# chattr +F and chattr +P /data/media in init
+allow toolbox media_rw_data_file:dir { r_dir_perms };
+allowxperm toolbox media_rw_data_file:dir ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
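Review bot: The allowxperm list includes the two setters, FS_IOC_SETFLAGS and FS_IOC_FSSETXATTR, and it applies to every directory labelled media_rw_data_file, not only /data/media as the comment suggests. The comment should state that scope, for example `# chattr +F and chattr +P /data/media in init; the ioctl grant covers all media_rw_data_file dirs`. As a style point, the braces around a single macro are unnecessary: `allow toolbox media_rw_data_file:dir r_dir_perms;`.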
diff --git a/tools/sepolicy-analyze/Android.bp b/tools/sepolicy-analyze/Android.bp
new file mode 100644
index 0000000..ff40c16
--- /dev/null
+++ b/tools/sepolicy-analyze/Android.bp
@@ -0,0 +1,15 @@
+cc_binary_host {
+ name: "sepolicy-analyze",
+ defaults: ["sepolicy_tools_defaults"],
+
+ srcs: [
+ "sepolicy-analyze.c",
+ "dups.c",
+ "neverallow.c",
+ "perm.c",
+ "typecmp.c",
+ "booleans.c",
+ "attribute.c",
+ "utils.c",
+ ],
+}
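Review bot: The removed Android.mk set `LOCAL_COMPATIBILITY_SUITE := ats cts gts vts sts`, and the new module has no visible equivalent, so sepolicy-analyze may no longer be packaged into those test suites. The `-Wall -Werror` flags, the libsepol static library and the STL setting are presumably carried by `sepolicy_tools_defaults`, which is not on this page and should be confirmed. If suite packaging is still required, it needs to be expressed in this module or by the tests that consume the binary.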
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
deleted file mode 100644
index 56204a5..0000000
--- a/tools/sepolicy-analyze/Android.mk
+++ /dev/null
@@ -1,15 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy-analyze
-LOCAL_MODULE_TAGS := optional
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_CXX_STL := none
-
-LOCAL_COMPATIBILITY_SUITE := ats cts gts vts sts
-
-include $(BUILD_HOST_EXECUTABLE)