Merge "Allow system apps to read log props."
diff --git a/private/audioserver.te b/private/audioserver.te
index 9119daa..b6deb28 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -29,6 +29,7 @@
')
add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
@@ -45,6 +46,17 @@
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
+# Allow shell commands from ADB for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow audioserver su:fd use;
+ allow audioserver su:fifo_file { read write };
+ allow audioserver su:unix_stream_socket { read write };
+')
+
###
### neverallow rules
###
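Review bot: The comment heading the `userdebug_or_eng` block repeats the one above it verbatim, although the two rule groups differ in scope: the `adbd` rules are compiled into every build, while the `su` rules exist only on userdebug/eng. The second comment should state that difference so someone auditing user-build policy does not read the `su` grants as shipping there, e.g. `# On userdebug/eng builds also allow the same from a root (su) shell`. The identical duplicated comment appears in the second public/cameraserver.te hunk below and should get the same treatment.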
diff --git a/private/coredomain.te b/private/coredomain.te
index 244c83c..c8f2b1d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,2 +1,17 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+ -init
+ -vendor_init
+
+ # generic access to sysfs_type
+ -ueventd
+ -vold
+ -priv_app
+ -storaged
+ -system_app
+} sysfs_leds:file *;
+')
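Review bot: The exemption list in the new `sysfs_leds` neverallow has a single comment, `# generic access to sysfs_type`, covering five domains, and it does not say why `priv_app` and `system_app` are among them; those are app domains, and exempting them from a `*` neverallow leaves their access to `sysfs_leds:file` unconstrained by this assertion. Each exempted domain should carry its own one-line justification so the exemption can be revisited once the underlying access is narrowed. If the app domains only need read access, the rule could be split so that app domains remain covered for write-class permissions; whether that matches the intended policy is for the owners to confirm.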
diff --git a/private/domain.te b/private/domain.te
index c022564..6fef279 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -49,7 +49,6 @@
coredomain
-fsck
-init
- -shell
-ueventd
-vendor_init
} device:{ blk_file file } no_rw_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 9909e06..ec52d56 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -122,11 +122,14 @@
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
-# suppress denials when safetynet scans /system
+# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app net_dns_prop:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
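Review bot: The generalized comment `# suppress denials for non-API accesses.` no longer conveys that access stays denied, which matters for the three new entries (`proc_version`, `wifi_prop`, `net_dns_prop`): `dontaudit` only drops the audit message, and a silent denial is the first thing a triager will miss when a privileged app feature stops working. Suggest `# suppress denials for non-API accesses. Access is still denied; only the audit message is dropped.` If any of these reads is actually required by a specific privileged app, that app needs an explicit allow rule rather than a dontaudit.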
diff --git a/private/property_contexts b/private/property_contexts
index bf95b02..ecde9d3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -122,9 +122,13 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
-# Common vendor default properties.
+# Common default properties for vendor and odm.
+init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
ro.hardware. u:object_r:vendor_default_prop:s0
+ro.odm. u:object_r:vendor_default_prop:s0
ro.vendor. u:object_r:vendor_default_prop:s0
+odm. u:object_r:vendor_default_prop:s0
+persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
vendor. u:object_r:vendor_default_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 92988b4..62f3a86 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -280,7 +280,6 @@
r_dir_file(system_server, sysfs_wakeup_reasons)
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
allow system_server sysfs_mac_address:file r_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 0dd4a80..ebf0992 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -17,6 +17,8 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
allow cameraserver batterystats_service:service_manager find;
@@ -47,3 +49,14 @@
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow cameraserver su:fd use;
+ allow cameraserver su:fifo_file { read write };
+ allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/public/charger.te b/public/charger.te
index 33f3254..7145548 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -6,10 +6,12 @@
allow charger kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
-allow charger sysfs_type:dir search;
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
allow charger self:global_capability_class_set { sys_tty_config };
allow charger self:global_capability_class_set sys_boot;
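Review bot: The new rule grants `r_dir_perms` (open, read and getattr in addition to search) on every `sysfs_type` directory, but its comment names only `/sys/class/power_supply`, so the rule is considerably broader than the stated intent. If a dedicated type is assigned to the power_supply path, `allow charger <POWER_SUPPLY_DIR_TYPE>:dir r_dir_perms;` (placeholder for the project's type) would match the comment; otherwise the comment should describe the actual grant, e.g. `# Read access to sysfs directories (charger enumerates /sys/class/power_supply).` Also `# Allow to read` reads awkwardly; `# Allow reading` is the usual phrasing.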
diff --git a/public/domain.te b/public/domain.te
index d458510..76318ec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -892,6 +892,25 @@
-crash_dump_exec
-netutils_wrapper_exec
}:file { entrypoint execute execute_no_trans };
+
+ # Do not allow system components to execute files from vendor
+ # except for the ones whitelisted here.
+ neverallow {
+ coredomain
+ -init
+ -system_executes_vendor_violators
+ -vendor_init
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ }:file execute;
+
+ neverallow {
+ coredomain
+ -system_executes_vendor_violators
+ } vendor_file_type:file execute_no_trans;
')
# Only authorized processes should be writing to files in /data/dalvik-cache
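Review bot: The two new neverallow rules exempt different sets and nothing in the comment says why: the `execute` rule carves out `init`, `vendor_init` and three target types, while the `execute_no_trans` rule exempts only `system_executes_vendor_violators` and applies to all of `vendor_file_type`. Presumably `init`/`vendor_init` need `execute` to domain-transition into vendor services while executing without a transition must never happen from coredomain, and `same_process_hal_file`/`vndk_sp_file` are legitimately mapped into system processes; if so, a short comment per exemption would turn that into policy documentation, e.g. `# init may exec vendor binaries only via a domain transition` on the first rule. The macro this sits in is closed by the `')` at the bottom of the hunk but opened outside it.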
diff --git a/public/property_contexts b/public/property_contexts
index e5772e5..2596161 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -198,6 +198,7 @@
aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string