Merge "Test that /proc files have proc_type attribute."
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 78c1b86..f998e55 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -36,6 +36,10 @@
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
+# but otherwise disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
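Review bot: The `-untrusted_app_25` exemption on the new net_dns_prop neverallow has no removal condition beyond the word "Temporarily" in the comment, so nothing will prompt its cleanup once targetSdkVersion <= 25 support is dropped. Naming the tracking reference and the trigger in the comment makes the intent checkable, e.g. `# TODO(<tracking-bug>): drop the untrusted_app_25 exemption when targetSdkVersion <= 25 support ends.` The matching dontaudit in private/untrusted_app_all.te already covers every untrusted app, so that side needs no change.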
@@ -58,7 +62,10 @@
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
# Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+
+# Apps may never access the default sysfs label.
+neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
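Review bot: The comment `# Apps may never access the default sysfs label.` overstates the rule beneath it, which covers only the `file` class with `no_rw_file_perms`; directory and symlink objects carrying the default `sysfs` label are not touched by this hunk, and write/execute on such files appear to rely on the widened `sysfs_type:file` rule above, assuming `sysfs` carries the `sysfs_type` attribute. Either narrow the comment to what the rule does, e.g. `# Apps may never read or write files carrying the default sysfs label.`, or, if no access at all is the goal, extend the rule to the other object classes (dir, lnk_file) so the comment and the rule agree.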
@@ -119,9 +126,12 @@
proc_loadavg
proc_mounts
proc_pagetypeinfo
+ proc_stat
proc_swaps
+ proc_uptime
proc_version
proc_vmallocinfo
+ proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
# Avoid all access to kernel configuration
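Review bot: proc_stat, proc_uptime and proc_vmstat join the neverallow set without any type declaration or genfs_contexts entry in this diff, so the commit relies on those types already existing and carrying the proc_type attribute; if any of them is new, it would also need an entry in private/compat/26.0/26.0.ignore.cil and 27.0.ignore.cil, which here only gain exported3_radio_prop. A one-line comment above the set naming where these /proc labels are defined would let a reviewer verify that without leaving the file. The set this hunk extends opens before the hunk.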
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 0804851..403fde7 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
exported2_system_prop
exported2_vold_prop
exported3_default_prop
+ exported3_radio_prop
exported3_system_prop
fs_bpf
hal_authsecret_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 297c5ee..09ffe56 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -20,6 +20,7 @@
exported2_system_prop
exported2_vold_prop
exported3_default_prop
+ exported3_radio_prop
exported3_system_prop
exported_config_prop
exported_dalvik_prop
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 9c249fd..4da5410 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -2,3 +2,7 @@
typeattribute perfprofd coredomain;
init_daemon_domain(perfprofd)
')
+
+# Only servicemanager, statsd, su and systemserver can communicate.
+neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;
+neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call;
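Review bot: The comment `# Only servicemanager, statsd, su and systemserver can communicate.` does not match the two rules under it: the first neverallow exempts only statsd, so servicemanager, su and system_server remain forbidden from calling perfprofd, while the second lets perfprofd call out to all four. The asymmetry looks deliberate (the statsd exemption pairs with the binder_call(statsd, perfprofd) added in private/statsd.te), so the comment should state it, e.g. `# Only statsd may call into perfprofd; perfprofd may call only servicemanager, statsd, su and system_server.` On user builds the userdebug_or_eng() exemptions vanish and both rules collapse to a full deny, which appears consistent with perfprofd's allow rules being wrapped in the same macro in public/perfprofd.te.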
diff --git a/private/statsd.te b/private/statsd.te
index c63cba9..dfec7a4 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -30,6 +30,9 @@
binder_call(statsd, appdomain)
binder_call(statsd, healthd)
binder_call(statsd, incidentd)
+userdebug_or_eng(`
+ binder_call(statsd, perfprofd)
+')
binder_call(statsd, statscompanion_service)
binder_call(statsd, system_server)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 5918f63..5d0461d 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -124,3 +124,12 @@
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
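Review bot: The three new proc dontaudit lines are ordered stat, vmstat, uptime, whereas the neverallow set they mirror in private/app_neverallows.te lists them alphabetically (proc_stat, proc_uptime, proc_vmstat); keeping the same order makes the pairing easier to audit. The first comment could also name the rule it silences, e.g. `# Denied by the net_dns_prop neverallow in app_neverallows.te; untrusted_app_25 is exempt there.` Since dontaudit removes the audit record for these reads, any detection that relied on seeing apps probe /proc/stat, /proc/vmstat or /proc/uptime loses that signal and should be adjusted.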
diff --git a/public/domain.te b/public/domain.te
index f602d08..0027efa 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -95,6 +95,7 @@
get_prop(domain, exported2_system_prop)
get_prop(domain, exported2_vold_prop)
get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
@@ -108,6 +109,7 @@
get_prop({coredomain appdomain shell}, exported2_system_prop)
get_prop({coredomain appdomain shell}, exported2_vold_prop)
get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
userdebug_or_eng(`
get_prop(su, core_property_type)
@@ -119,6 +121,7 @@
get_prop(su, exported2_system_prop)
get_prop(su, exported2_vold_prop)
get_prop(su, exported3_default_prop)
+ get_prop(su, exported3_radio_prop)
get_prop(su, exported3_system_prop)
')
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
@@ -1330,3 +1333,12 @@
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
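Review bot: The rationale `in enforcing mode the directory write check fails` holds only as long as no domain is granted `dir write` on a proc_type or sysfs_type directory; the dontaudit on the lines above hides such denials but does not prove there is no allow rule. Writing the precondition down prevents a later grant from silently invalidating the reasoning, e.g. `# Assumes no domain has proc_type/sysfs_type:dir write; if one is added, create will be attempted in enforcing mode too.`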
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 86f41cb..31859aa 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -27,6 +27,7 @@
set_prop(hal_telephony_server, radio_prop)
set_prop(hal_telephony_server, exported_radio_prop)
set_prop(hal_telephony_server, exported2_radio_prop)
+set_prop(hal_telephony_server, exported3_radio_prop)
allow hal_telephony_server tty_device:chr_file rw_file_perms;
diff --git a/public/healthd.te b/public/healthd.te
index 50952d5..87217d5 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -7,6 +7,8 @@
# Read access to pseudo filesystems.
allow healthd sysfs_type:dir search;
+# Allow to read /sys/class/power_supply directory.
+allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
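Review bot: `allow healthd sysfs:dir r_dir_perms;` grants read/search on every directory still carrying the default `sysfs` label, not only /sys/class/power_supply as the comment suggests, so the comment understates the grant. If the power-supply tree has its own sysfs_type label in this policy, targeting that label would keep the rule as narrow as the comment; otherwise rewrite the comment to match the rule, e.g. `# Read directories with the default sysfs label (needed for /sys/class/power_supply).`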
diff --git a/public/perfprofd.te b/public/perfprofd.te
index d4062aa..494e75b 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -113,9 +113,5 @@
# Allow perfprofd to submit to dropbox.
allow perfprofd dropbox_service:service_manager find;
- allow perfprofd system_server:binder call;
-
- # Only servicemanager, su and systemserver can communicate.
- neverallow domain perfprofd:binder call;
- neverallow perfprofd { domain -servicemanager -su -system_server }:binder call;
+ binder_call(perfprofd, system_server)
')
diff --git a/public/property.te b/public/property.te
index a099e87..64f309d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -73,6 +73,7 @@
type exported2_system_prop, property_type;
type exported2_vold_prop, property_type;
type exported3_default_prop, property_type;
+type exported3_radio_prop, property_type;
type exported3_system_prop, property_type;
type vendor_default_prop, property_type;
@@ -164,6 +165,7 @@
} {
exported_radio_prop
exported2_radio_prop
+ exported3_radio_prop
radio_prop
}:property_service set;
diff --git a/public/property_contexts b/public/property_contexts
index 5dcffb3..17a0a33 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -1,6 +1,5 @@
# vendor-init-readable
persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int
-persist.radio.multisim.config u:object_r:exported2_radio_prop:s0 exact string
# vendor-init-settable
af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
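Review bot: Moving persist.radio.multisim.config from exported2_radio_prop to exported3_radio_prop (completed in the second hunk of this file) changes it from vendor-init-readable to vendor-init-settable per the section headers, and the set_prop additions in public/vendor_init.te, public/hal_telephony.te and public/radio.te give those domains write access to it. That is a trust-boundary widening the diff leaves unexplained; a short comment on the relabelled line, e.g. `# settable by vendor_init: <reason>`, or a sentence in the commit message would record why the wider write set is acceptable.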
@@ -67,6 +66,7 @@
persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
diff --git a/public/radio.te b/public/radio.te
index 4998a61..8fb5ad6 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -21,6 +21,7 @@
set_prop(radio, radio_prop)
set_prop(radio, exported_radio_prop)
set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
set_prop(radio, net_radio_prop)
# ctl interface
diff --git a/public/te_macros b/public/te_macros
index 0e8dcf4..2cb1975 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -566,6 +566,7 @@
allow keystore $1:process getattr;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
+ binder_call(keystore, $1)
')
###########################################
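Review bot: `binder_call(keystore, $1)` lets keystore initiate binder calls into every domain that invokes this macro, which widens keystore's reach for all existing callers rather than only the one that needs a callback. The macro's opening and its header comment lie outside the hunk; that header should state the now bidirectional contract, e.g. `# keystore may also call back into the client (binder_call(keystore, $1)).`, and it is worth confirming that each current user of the macro expects keystore to be able to call into it.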
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dd7479f..6a13f69 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -172,6 +172,7 @@
set_prop(vendor_init, exported2_system_prop)
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
+set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)