Merge "Allow update_engine to scan /sys/fs and /sys/fs/f2fs."
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index f27b390..e5681de 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -126,6 +126,7 @@
     userdata_sysdev
     userspace_reboot_metadata_file
     vcn_management_service
+    vendor_kernel_modules
     vibrator_manager_service
     virtualization_service
     vpn_management_service
diff --git a/private/domain.te b/private/domain.te
index c73dbe0..d5c9193 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -498,3 +498,15 @@
   -vendor_init
   -dumpstate
 } mm_events_config_prop:file no_rw_file_perms;
+
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+  domain
+  -init
+  userdebug_or_eng(`-profcollectd')
+  -vendor_init
+  -traced_probes
+  -traced_perf
+} proc_kallsyms:file { open read };
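Review bot: The comment moved in with this neverallow (L23-L25) no longer describes the exemption list it guards: it says addresses are not disclosed and traces don't reveal KASLR, but the new `-profcollectd` exemption on L29 is for a daemon that, per profcollectd.te in the same change, lowers kptr_restrict precisely to read the kernel start address from /proc/kallsyms. The exemption is correctly wrapped in `userdebug_or_eng`, so user builds are unaffected, but the comment should say so rather than imply the opposite. Suggest appending `# profcollectd (userdebug/eng builds only) does read raw kernel addresses via a temporarily lowered kptr_restrict; see profcollectd.te.` and fixing `repalced` to `replaced` while the block is being relocated.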
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index af94906..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -58,10 +58,6 @@
 dontaudit gmscore_app mirror_data_file:dir search;
 dontaudit gmscore_app mnt_vendor_file:dir search;
 
-# Don't audit memtrack hal denials (b/177664629)
-dontaudit gmscore_app hal_memtrack_hwservice:hwservice_manager find;
-dontaudit gmscore_app hal_memtrack_service:service_manager find;
-
 # Access the network
 net_domain(gmscore_app)
 
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 24fb056..efde321 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -19,6 +19,10 @@
   allow profcollectd system_file_type:file r_file_perms;
   allow profcollectd vendor_file_type:file r_file_perms;
 
+  # Allow profcollectd to search for and read kernel modules.
+  allow profcollectd vendor_file:dir r_dir_perms;
+  allow profcollectd vendor_kernel_modules:file r_file_perms;
+
   # Allow profcollectd to read system bootstrap libs.
   allow profcollectd system_bootstrap_lib_file:dir search;
   allow profcollectd system_bootstrap_lib_file:file r_file_perms;
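Review bot: The rule `allow profcollectd vendor_kernel_modules:file r_file_perms;` on L59 appears redundant: the new `vendor_kernel_modules` type is declared with the `vendor_file_type` attribute in public/file.te, and L55 already grants `vendor_file_type:file r_file_perms` to this domain. If the rule is kept for documentation value, a comment saying it is covered by L55 would stop a later reader from assuming the type needs separate handling. Separately, `vendor_file:dir r_dir_perms` on L58 grants listing of every vendor_file-labelled directory, not just the modules directory; if the daemon only traverses to a known path, `search` is the narrower permission — worth confirming against what profcollectd actually opens. The enclosing `userdebug_or_eng` block opens before this hunk.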
@@ -45,4 +49,13 @@
   # Allow profcollectd to publish a binder service and make binder calls.
   binder_use(profcollectd)
   add_service(profcollectd, profcollectd_service)
+
+  # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+  # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+  set_prop(profcollectd, lower_kptr_restrict_prop)
+  allow profcollectd proc_kallsyms:file r_file_perms;
+  allow profcollectd proc_modules:file r_file_perms;
+
+  # Allow profcollectd to read kernel build id.
+  allow profcollectd sysfs_kernel_notes:file r_file_perms;
 ')
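Review bot: The `set_prop(profcollectd, lower_kptr_restrict_prop)` on L71 is a system-wide lever, not a per-process one: while the property is set, kptr_restrict is lowered for every reader of /proc/kallsyms that the domain.te neverallow exempts and for any `%pK` output, and it stays lowered until something resets it, which nothing in this policy can enforce. The comment at L69-L70 should state that expectation so the daemon side is held to it, and it reads awkwardly as written. Suggest replacing it with `# profcollectd (userdebug/eng only) temporarily lowers kptr_restrict to read the kernel start address from /proc/kallsyms and module start addresses from /proc/modules; it is responsible for restoring the setting promptly, since the window is system-wide.` The enclosing `userdebug_or_eng` block opens before this hunk; its closing `')` is on L77.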
diff --git a/private/property.te b/private/property.te
index 8565275..d6533e8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -533,6 +533,7 @@
 neverallow {
   domain
   -init
+  userdebug_or_eng(`-profcollectd')
   userdebug_or_eng(`-traced_probes')
   userdebug_or_eng(`-traced_perf')
 } {
diff --git a/private/service_contexts b/private/service_contexts
index e47cd6e..a4179b5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -124,7 +124,6 @@
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
-hint                                      u:object_r:hint_service:s0
 ions                                      u:object_r:radio_service:s0
 idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
@@ -198,6 +197,7 @@
 package                                   u:object_r:package_service:s0
 package_native                            u:object_r:package_native_service:s0
 people                                    u:object_r:people_service:s0
+performance_hint                          u:object_r:hint_service:s0
 permission                                u:object_r:permission_service:s0
 permissionmgr                             u:object_r:permissionmgr_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
diff --git a/public/domain.te b/public/domain.te
index 0c37ee4..8244b9c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -446,17 +446,6 @@
 neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
 neverallow { domain -init -vendor_init } proc_security:file { append open read write };
 
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
-  domain
-  -init
-  -vendor_init
-  -traced_probes
-  -traced_perf
-} proc_kallsyms:file { open read };
-
 # Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow * init:binder *;
diff --git a/public/file.te b/public/file.te
index c4c2a21..174a149 100644
--- a/public/file.te
+++ b/public/file.te
@@ -562,6 +562,9 @@
 # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
 type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
 
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
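Review bot: The new `vendor_kernel_modules` type on L141 is declared but nothing in this change applies it: no file_contexts entry is visible in the diff, so unless a device or vendor file_contexts adds the label elsewhere, the allow rule referencing it in profcollectd.te is inert and modules keep their default `vendor_file` label. The one-word comment on L140 also hides that the type carries `vendor_file_type`, which means every existing `vendor_file_type:file` rule in the tree already reaches these files — a reader might otherwise assume the new type narrows access. Suggest `# Vendor kernel modules (expected under /vendor/lib/modules; label assigned by vendor file_contexts). Carries vendor_file_type, so existing vendor_file_type:file rules already apply.`, with the path hedged until the labelling change is in view.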