Merge "netutils_wrapper: suppress sysfs denials"
diff --git a/Android.bp b/Android.bp
index eeb6f6c..256262b 100644
--- a/Android.bp
+++ b/Android.bp
@@ -12,6 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
+
 se_filegroup {
     name: "26.0.board.compat.map",
     srcs: [
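Review bot: The `30` in `-DSEPOLICY_VERSION=30` duplicates `POLICYVERS ?= 30` from the new policy_version.mk, and nothing on the `cc_defaults` line says the two must change together. The `policy_version_check` preupload hook added in this commit presumably compares them, but its script is not shown here and a preupload hook only runs on upload. I would add a comment above the module, `// Must stay equal to POLICYVERS in policy_version.mk (checked by tools/policy_version_check.sh).`, and spread the one-line module over several lines like the `se_filegroup` below it, which continues outside this hunk.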
diff --git a/Android.mk b/Android.mk
index bb6cb53..ab88003 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,12 +1,9 @@
 LOCAL_PATH:= $(call my-dir)
 
 include $(LOCAL_PATH)/definitions.mk
+include $(LOCAL_PATH)/policy_version.mk
 
 include $(CLEAR_VARS)
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
 
 MLS_SENS=1
 MLS_CATS=1024
diff --git a/PREUPLOAD.cfg b/PREUPLOAD.cfg
index 4ff0f5e..ccb3a50 100644
--- a/PREUPLOAD.cfg
+++ b/PREUPLOAD.cfg
@@ -1,3 +1,4 @@
 [Hook Scripts]
 whitespace = tools/whitespace.sh ${PREUPLOAD_FILES}
 aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "."
+policy_version_check = tools/policy_version_check.sh
diff --git a/policy_version.mk b/policy_version.mk
new file mode 100644
index 0000000..e6bb747
--- /dev/null
+++ b/policy_version.mk
@@ -0,0 +1,4 @@
+# SELinux policy version.
+# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
+# Must be within the compatibility range reported by checkpolicy -V.
+POLICYVERS ?= 30
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e221666..e44c1be 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -152,6 +152,7 @@
 # neverallow rules for Bluetooth-related data files are listed above.
 neverallow app_zygote {
   bluetooth_a2dp_offload_prop
+  bluetooth_audio_hal_prop
   bluetooth_prop
   exported_bluetooth_prop
 }:file create_file_perms;
diff --git a/private/atrace.te b/private/atrace.te
index 7979fa1..0cdd35a 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -45,6 +45,7 @@
   -dumpstate_service
   -installd_service
   -vold_service
+  -lpdump_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
diff --git a/private/audioserver.te b/private/audioserver.te
index 1e8b90b..07051af 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -42,6 +42,7 @@
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
+set_prop(audioserver, bluetooth_audio_hal_prop)
 set_prop(audioserver, bluetooth_prop)
 set_prop(audioserver, exported_bluetooth_prop)
 
diff --git a/private/bluetooth.te b/private/bluetooth.te
index fcbd509..b96fc58 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -41,6 +41,7 @@
 
 # Allow write access to bluetooth specific properties
 set_prop(bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(bluetooth, bluetooth_audio_hal_prop)
 set_prop(bluetooth, bluetooth_prop)
 set_prop(bluetooth, exported_bluetooth_prop)
 set_prop(bluetooth, pan_result_prop)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 29efc22..a102ab0 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1581,7 +1581,8 @@
 (typeattributeset system_boot_reason_prop_28_0 (system_boot_reason_prop))
 (typeattributeset system_data_file_28_0
   ( dropbox_data_file
-    system_data_file))
+    system_data_file
+    packages_list_file))
 (typeattributeset system_file_28_0
   ( system_file
     system_asan_options_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 18fe4cd..f4e2cd4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -23,7 +23,9 @@
     app_zygote_tmpfs
     ashmemd
     ashmem_device_service
+    attention_service
     biometric_service
+    bluetooth_audio_hal_prop
     bpf_progs_loaded_prop
     bugreport_service
     cgroup_desc_file
@@ -82,6 +84,10 @@
     llkd_prop
     llkd_tmpfs
     looper_stats_service
+    lpdumpd
+    lpdumpd_exec
+    lpdumpd_prop
+    lpdump_service
     iorapd
     iorapd_exec
     iorapd_data_file
@@ -107,6 +113,7 @@
     runas_app
     runas_app_tmpfs
     runtime_service
+    sdcard_block_device
     sensor_privacy_service
     server_configurable_flags_data_file
     simpleperf_app_runner
diff --git a/private/coredomain.te b/private/coredomain.te
index ebad8e7..169f6b2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -58,6 +58,7 @@
         -idmap
         -init
         -installd
+        -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
         -app_zygote
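Review bot: `-postinstall_dexopt` is added to this exemption list, and to the one in the next hunk, without any rationale, while the neighbouring `-rs` entry carries a trailing comment explaining its exception. Both neverallow statements start and end outside the hunks, so what is being exempted cannot be seen from here. Please give the new entry a trailing comment in the same style, for example `-postinstall_dexopt # reads vendor APKs/overlays as dex2oat input during OTA`, if that is indeed the reason (the postinstall_dexopt.te change in this commit suggests it).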
@@ -74,6 +75,7 @@
         -idmap
         -init
         -installd
+        -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
         -app_zygote
diff --git a/private/crash_dump.te b/private/crash_dump.te
index adc46a1..f130327 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1,7 +1,7 @@
 typeattribute crash_dump coredomain;
 
 # Crash dump does not need to access devices passed across exec().
-dontaudit crash_dump dev_type:chr_file { read write };
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
 
 allow crash_dump {
   domain
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 47c78a0..7907f6c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -42,11 +42,10 @@
 # Allow dex2oat to use file descriptors from otapreopt.
 allow dex2oat postinstall_dexopt:fd use;
 
-allow dex2oat postinstall_file:dir { getattr search };
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:dir r_dir_perms;
 allow dex2oat postinstall_file:filesystem getattr;
 allow dex2oat postinstall_file:lnk_file { getattr read };
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
 allow dex2oat postinstall_file:file read;
 # Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
 # TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index ab24120..59554c8 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -17,6 +17,7 @@
 allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
 
 allow dexoptanalyzer installd:fd use;
+allow dexoptanalyzer installd:fifo_file { getattr write };
 
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
diff --git a/private/domain.te b/private/domain.te
index 537e61b..037a7d5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -76,7 +76,7 @@
 # Allow access to fsverity keyring.
 allow domain kernel:key search;
 # Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain mini-keyctl:key search;
+allow domain fsverity_init:key search;
 # For testing purposes, allow access to keys installed with su.
 userdebug_or_eng(`
   allow domain su:key search;
@@ -279,4 +279,36 @@
 neverallow ~{
   dac_override_allowed
   traced_probes
+  userdebug_or_eng(`heapprofd')
 } self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+    domain
+    -apexd
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -init
+    -kernel
+    -otapreopt_chroot
+    -recovery
+    -update_engine
+    -vold
+    -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain')
+  -kernel
+  -gsid
+  -init
+  -recovery
+  -ueventd
+  -healthd
+  -uncrypt
+  -tee
+  -hal_bootctl_server
+} self:global_capability_class_set sys_rawio;
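Review bot: The new `sys_rawio` neverallow subtracts `domain` from its own source set inside `userdebug_or_eng`, so on debug builds the rule checks nothing, and the comment says this without giving the reason. A new `sys_rawio` grant will therefore compile on userdebug/eng and fail only when a user build is made, which is worth stating where maintainers will read it. I would extend the comment to `# Limit raw I/O to these domains. Not enforced on userdebug/eng, so a violation is only caught when building user.` and add why debug builds need the exemption. The exempted domains also carry no per-entry justification; `-gsid` at least matches the FIBMAP grant added to gsid.te in this commit.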
diff --git a/private/file_contexts b/private/file_contexts
index a3723e2..cd1df0a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,9 @@
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
-/system/bin/mini-keyctl	--	u:object_r:mini-keyctl_exec:s0
+# TODO(/123600489): merge mini-keyctl into toybox
+/system/bin/mini-keyctl	--	u:object_r:toolbox_exec:s0
+/system/bin/fsverity_init	u:object_r:fsverity_init_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
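Review bot: The new `/system/bin/fsverity_init` entry omits the `--` file-type field that the `mini-keyctl` line above it and most neighbouring entries carry, so the label is not restricted to regular files at that path. `/system/bin/fsverity_init	--	u:object_r:fsverity_init_exec:s0` would match the surrounding style. The tag `TODO(/123600489)` also appears to have lost its `b` prefix; other comments in this commit use the `b/NNN` form.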
@@ -262,6 +264,7 @@
 /system/bin/usbd   u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
+/system/bin/lpdumpd        u:object_r:lpdumpd_exec:s0
 /system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
@@ -418,6 +421,7 @@
 # propagate to the "Expanded data files" section.
 #
 /data(/.*)?		u:object_r:system_data_file:s0
+/data/system/packages\.list u:object_r:packages_list_file:s0
 /data/.layout_version		u:object_r:install_data_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
new file mode 100644
index 0000000..c6a5edd
--- /dev/null
+++ b/private/fsverity_init.te
@@ -0,0 +1,25 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow this shell script to run and execute toybox
+allow fsverity_init shell_exec:file rx_file_perms;
+allow fsverity_init toolbox_exec:file rx_file_perms;
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit fsverity_init init:key view;
+dontaudit fsverity_init vold:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow fsverity_init proc_fs_verity:file w_file_perms;
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;
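Review bot: The comment above the `proc_fs_verity` rule says "Allow init to write", but the rule grants the write to `fsverity_init`, not `init`; it should read `# Allow fsverity_init to write to /proc/sys/fs/verity/require_signatures`. This domain is described as a shell script that executes toybox, and it holds `write` and `setattr` on the kernel keyring as well as the require_signatures switch. A short header comment stating what the script does at boot would let a reader judge whether each grant is still needed.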
diff --git a/private/genfs_contexts b/private/genfs_contexts
index def17aa..656c2e3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -245,7 +245,7 @@
 genfscon debugfs /tracing/events/sched/sched_wakeup/                             u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_blocked_reason/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/                        u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/sched/sched_process_exit/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cgroup/                                         u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
@@ -261,19 +261,19 @@
 genfscon debugfs /tracing/events/binder/binder_lock/                             u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/binder/binder_transaction_alloc_buf/                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/                    u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/dma_fence/                                      u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/      u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/rss_stat/                                          u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/ion_heap_grow/                                     u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/ion_heap_shrink/                                   u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/                                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/                                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
diff --git a/private/gsid.te b/private/gsid.te
index 62ac06b..5dcf746 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -22,17 +22,39 @@
 # file names.
 allow gsid sysfs_dm:dir r_dir_perms;
 
+# Needed to read fstab, which is used to validate that system verity does not
+# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
+# to get the A/B slot suffix).
+allow gsid proc_cmdline:file r_file_perms;
+allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
+allow gsid sysfs_dt_firmware_android:file r_file_perms;
+
 # Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
 allow gsid block_device:dir r_dir_perms;
 
 # liblp queries these block alignment properties.
-allowxperm gsid userdata_block_device:blk_file ioctl {
+allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
   BLKIOMIN
   BLKALIGNOFF
 };
 
+# When installing images to an sdcard, gsid needs to be able to stat() the
+# block device. gsid also calls realpath() to remove symlinks.
+allow gsid mnt_media_rw_file:dir r_dir_perms;
+
+# When installing images to an sdcard, gsid must bypass sdcardfs and install
+# directly to vfat, which supports the FIBMAP ioctl.
+allow gsid vfat:dir rw_dir_perms;
+allow gsid vfat:file create_file_perms;
+allow gsid sdcard_block_device:blk_file r_file_perms;
+# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
+# requirement, but the kernel does not implement FIEMAP support for VFAT.
+allow gsid self:global_capability_class_set sys_rawio;
+
 # gsi_tool passes the system image over the adb connection, via stdin.
 allow gsid adbd:fd use;
+# Needed when running gsi_tool through "su root" rather than adb root.
+allow gsid adbd:unix_stream_socket rw_socket_perms;
 
 neverallow { domain -gsid -init } gsid_prop:property_service set;
 
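Review bot: `allow gsid adbd:unix_stream_socket rw_socket_perms;` is granted on every build type, although its comment ties it to running gsi_tool through "su root". If `su` exists only on userdebug/eng builds, as the `userdebug_or_eng` block around `allow domain su:key search` in domain.te suggests, this rule can be wrapped in `userdebug_or_eng` so that user builds do not give gsid read/write on adbd's stream sockets. The `adbd:fd use` rule above it may deserve the same question, but the hunk does not show whether a non-root adb path also feeds gsid.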
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 1339673..5330c58 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -42,12 +42,23 @@
 # When handling profiling for all processes, heapprofd needs to read
 # executables/libraries/etc to do stack unwinding.
 userdebug_or_eng(`
+  r_dir_file(heapprofd, nativetest_data_file)
   r_dir_file(heapprofd, system_file_type)
   r_dir_file(heapprofd, apk_data_file)
   r_dir_file(heapprofd, dalvikcache_data_file)
   r_dir_file(heapprofd, vendor_file_type)
+  # Some dex files are not world-readable.
+  # We are still constrained by the SELinux rules above.
+  allow heapprofd self:global_capability_class_set dac_read_search;
 ')
 
+# This is going to happen on user but is benign because central heapprofd
+# does not actually need these permission.
+# If the dac_read_search capability check is rejected, the kernel then tries
+# to perform a dac_override capability check, so we need to dontaudit that
+# as well.
+dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
+
 never_profile_heap(`{
   bpfloader
   init
diff --git a/private/incidentd.te b/private/incidentd.te
index ad6fbf3..6f10955 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -151,6 +151,7 @@
   -dumpstate
   -incident
   -incidentd
+  -priv_app
   -statsd
   -system_app
   -system_server
diff --git a/private/kernel.te b/private/kernel.te
index a4e6ebe..207800e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,8 @@
 typeattribute kernel coredomain;
 
 domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
new file mode 100644
index 0000000..458a8f1
--- /dev/null
+++ b/private/lpdumpd.te
@@ -0,0 +1,41 @@
+type lpdumpd, domain, coredomain;
+type lpdumpd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(lpdumpd)
+
+# Allow lpdumpd to register itself as a service.
+binder_use(lpdumpd)
+add_service(lpdumpd, lpdump_service)
+
+# Allow lpdumpd to find the super partition block device.
+allow lpdumpd block_device:dir r_dir_perms;
+
+# Allow lpdumpd to read super partition metadata.
+allow lpdumpd super_block_device_type:blk_file r_file_perms;
+
+# Allow lpdumpd to read fstab.
+allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
+allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
+
+# Triggered when lpdumpd tries to read default fstab.
+dontaudit lpdumpd metadata_file:dir r_dir_perms;
+dontaudit lpdumpd metadata_file:file r_file_perms;
+dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
+dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+
+### Neverallow rules
+
+# Disallow other domains to get lpdump_service and call lpdumpd.
+neverallow {
+    domain
+    -dumpstate
+    -lpdumpd
+    -shell
+} lpdump_service:service_manager find;
+
+neverallow {
+    domain
+    -dumpstate
+    -lpdumpd
+    -shell
+} lpdumpd:binder call;
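Review bot: The neverallow section restricts who may find `lpdump_service` and call `lpdumpd`, but it does not restrict who may set `lpdumpd_prop`, which the shell.te change in this commit describes as the way to start the daemon. The gsid.te context in this same commit shows the pattern for `gsid_prop`. An equivalent here would be `neverallow { domain -init -shell } lpdumpd_prop:property_service set;`, extended with any other domain that is legitimately granted `set_prop` on it. The property type is declared outside this diff, so such a rule may already exist elsewhere.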
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
deleted file mode 100644
index 53dbfce..0000000
--- a/private/mini_keyctl.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type mini-keyctl, domain, coredomain;
-type mini-keyctl_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(mini-keyctl)
-
-allow mini-keyctl proc_keys:file r_file_perms;
-
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit mini-keyctl init:key view;
-dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write setattr };
-allow mini-keyctl mini-keyctl:key { view search write };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit mini-keyctl kernel:system module_request;
diff --git a/private/network_stack.te b/private/network_stack.te
index 4435a7a..b214538 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -24,5 +24,7 @@
 allow network_stack dnsresolver_service:service_manager find;
 allow network_stack netd_service:service_manager find;
 allow network_stack radio_service:service_manager find;
+allow network_stack radio_data_file:dir create_dir_perms;
+allow network_stack radio_data_file:file create_file_perms;
 
 binder_call(network_stack, netd);
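Review bot: The two new rules give `network_stack` create access to `radio_data_file`, and the seapp_contexts hunk later in this commit labels its app data `type=radio_data_file`, so network_stack's files share a type with the radio domain's data and no comment says why. At the type level this removes the separation between the two data directories, leaving whatever isolation remains to DAC and the `levelFrom=all` categories. If a dedicated type is not feasible, please document the reason next to the rules, e.g. `# network_stack app data is labelled radio_data_file (see seapp_contexts) because ...`, with the actual reason filled in by the author.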
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faa..e2bc33e 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,38 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# This is required for dynamic partitions.
+allow otapreopt_chroot dm_device:chr_file rw_file_perms;
+
+# This is required to unmount flattened APEX packages under
+# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
+allow otapreopt_chroot postinstall_file:filesystem unmount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
 
 # Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
@@ -35,3 +69,6 @@
 # Allow otapreopt_chroot to access /dev/block (needed to detach loop
 # devices used by ext4 images from APEX packages).
 allow otapreopt_chroot block_device:dir r_dir_perms;
+
+# Allow to access the linker through the symlink.
+allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index c0836ec..fd370c2 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -7,7 +7,12 @@
 
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
+# - Case where dex2oat is in a non-flattened APEX, which has retained
+#   the correct type (`dex2oat_exec`).
 domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+# - Case where dex2oat is in a flattened APEX, which has been tagged
+#   with the `postinstall_file` type by update_engine.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
 allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
 
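Review bot: The added `domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)` keys the transition on the generic `postinstall_file` label rather than on a dex2oat-specific type. Any `postinstall_file` executable that postinstall_dexopt runs would therefore enter the dex2oat domain, and dex2oat gains `postinstall_file` as an entrypoint. The new comment explains the flattened-APEX case but not this side effect. I would add `# Note: this applies to every postinstall_file executable run from postinstall_dexopt, not only dex2oat.` and confirm that no other helper is launched from that label; the hunk does not show what else postinstall_dexopt executes.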
@@ -27,6 +32,8 @@
 r_dir_file(postinstall_dexopt, apk_data_file)
 # Read vendor app data (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, vendor_app_file)
+# Read vendor overlay files (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_overlay_file)
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 
diff --git a/private/priv_app.te b/private/priv_app.te
index ad39eb1..c5251a9 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -30,7 +30,10 @@
 
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
+# Priv apps can find services that expose both @SystemAPI and normal APIs.
 allow priv_app app_api_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
@@ -46,11 +49,10 @@
 allow priv_app radio_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-allow priv_app gpu_service:service_manager find;
 
 # Allow privileged apps to interact with gpuservice
 binder_call(priv_app, gpuservice)
+allow priv_app gpu_service:service_manager find;
 
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
@@ -150,6 +152,12 @@
 allow priv_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(priv_app, traced_producer, traced)
 
+# Allow priv_apps to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow priv_app incident_service:service_manager find;
+binder_call(priv_app, incidentd)
+allow priv_app incidentd:fifo_file { read write };
+
 # Allow heap profiling if the app opts in by being marked
 # profileable/debuggable.
 can_profile_heap(priv_app)
diff --git a/private/property_contexts b/private/property_contexts
index 3261014..3622d12 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
 sys.cppreopt            u:object_r:cppreopt_prop:s0
+sys.lpdumpd             u:object_r:lpdumpd_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
 sys.usb.ffs.            u:object_r:ffs_prop:s0
 service.                u:object_r:system_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 628b7d6..cbbdd64 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -146,7 +146,7 @@
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/service.te b/private/service.te
index 1bec3ce..e597f5b 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,5 @@
 type ashmem_device_service,         app_api_service, service_manager_type;
+type attention_service,             system_server_service, service_manager_type;
 type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index baead30..de56972 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -15,6 +15,7 @@
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
+attention                                 u:object_r:attention_service:s0
 audio                                     u:object_r:audio_service:s0
 autofill                                  u:object_r:autofill_service:s0
 backup                                    u:object_r:backup_service:s0
@@ -102,6 +103,7 @@
 location                                  u:object_r:location_service:s0
 lock_settings                             u:object_r:lock_settings_service:s0
 looper_stats                              u:object_r:looper_stats_service:s0
+lpdump_service                            u:object_r:lpdump_service:s0
 media.aaudio                              u:object_r:audioserver_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
diff --git a/private/shell.te b/private/shell.te
index 0d1cf03..02b01f5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -70,3 +70,7 @@
 # Renderscript host side tests depend on being able to execute
 # /system/bin/bcc (b/126388046)
 allow shell rs_exec:file rx_file_perms;
+
+# Allow shell to start and comminicate with lpdumpd.
+set_prop(shell, lpdumpd_prop);
+binder_call(shell, lpdumpd)
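Review bot: The new comment misspells "communicate" as "comminicate"; it should read `# Allow shell to start and communicate with lpdumpd.` Also, `set_prop(shell, lpdumpd_prop);` ends with a semicolon, which the `binder_call(shell, lpdumpd)` line below it and the `set_prop(...)` calls added to the other .te files in this commit do not use. Dropping the semicolon keeps the macro calls uniform.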
diff --git a/private/storaged.te b/private/storaged.te
index 0e31483..3ed24b2 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -12,6 +12,7 @@
 
 # Read /data/system/packages.list
 allow storaged system_data_file:file r_file_perms;
+allow storaged packages_list_file:file r_file_perms;
 
 # Store storaged proto file
 allow storaged storaged_data_file:dir rw_dir_perms;
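Review bot: Now that packages.list has its own `packages_list_file` type, the older `allow storaged system_data_file:file r_file_perms;` rule under the same "Read /data/system/packages.list" comment looks redundant. If that file was storaged's only reason for reading `system_data_file` files, as the comment suggests, the broad grant should be removed in this change so that storaged keeps read access to the one file it needs. If it must stay for another reason, give it a separate comment that says what else it covers.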
diff --git a/private/system_app.te b/private/system_app.te
index 38e7938..05831a3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -32,6 +32,7 @@
 
 # Write to properties
 set_prop(system_app, bluetooth_a2dp_offload_prop)
+set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)
 set_prop(system_app, debug_prop)
 set_prop(system_app, system_prop)
@@ -79,6 +80,7 @@
   -installd_service
   -iorapd_service
   -ipmemorystore_service
+  -lpdump_service
   -netd_service
   -system_suspend_control_service
   -virtual_touchpad_service
diff --git a/private/system_server.te b/private/system_server.te
index ab4a07c..6dcecad 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -357,6 +357,7 @@
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server packages_list_file:file create_file_perms;
 allow system_server keychain_data_file:dir create_dir_perms;
 allow system_server keychain_data_file:file create_file_perms;
 allow system_server keychain_data_file:lnk_file create_file_perms;
@@ -412,6 +413,10 @@
   allow system_server su:fifo_file append;
 ')
 
+# Allow system_server to read pipes from incidentd (used to deliver incident reports
+# to dropbox)
+allow system_server incidentd:fifo_file read;
+
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
 allow system_server incident_data_file:file read;
@@ -521,6 +526,10 @@
 # Also used for measuring disk usage.
 allow system_server media_rw_data_file:file { getattr read write append };
 
+# System server needs to setfscreate to packages_list_file when writing
+# /data/system/packages.list
+allow system_server system_server:process setfscreate;
+
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
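Review bot: `allow system_server system_server:process setfscreate;` names the domain twice where this policy otherwise writes `self` (for example `allow fastbootd self:process setfscreate;` in public/fastbootd.te), so `allow system_server self:process setfscreate;` would be the consistent form. The comment could also state that setfscreate is not limited to packages_list_file. It lets the process choose the label of any file it creates, bounded only by the types it holds create permission on.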
@@ -1015,6 +1024,9 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Read/Write /proc/pressure/memory
+allow system_server proc_pressure_mem:file rw_file_perms;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index bd7b2c0..ad9fb44 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,6 +7,13 @@
 allow system_server_startup self:process execmem;
 allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
 
+# Allow to pick up integrity-checked artifacts from the dalvik cache.
+allow system_server_startup dalvikcache_data_file:dir r_dir_perms;
+allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };
+
+# While doing the above, will touch the apex mount dir.
+allow system_server_startup mnt_expand_file:dir getattr;
+
 # Allow system_server_startup to run setcon() and enter the
 # system_server domain
 allow system_server_startup self:process setcurrent;
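Review bot: The comment calls the dalvik-cache artifacts "integrity-checked", but `allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };` grants execute on every file with that label, and nothing in the visible policy ties the grant to that check. The private/zygote.te hunk at `@@ -44,11 +44,10` makes the same grant unconditional by dropping the `with_dexpreopt` guard, and its comment at least names the mechanism (fsverity, checked in art_apex_boot_integrity). I would name it here as well and state what the rule depends on, e.g. `# Relies on the fsverity check done in art_apex_boot_integrity; SELinux itself does not enforce it.` The zygote comment could also keep a short pointer to the persistence concern that the removed text described, so the trade-off stays visible to later readers.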
diff --git a/private/system_suspend.te b/private/system_suspend.te
index e93a73d..961cd67 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,6 +10,11 @@
 # Access to /sys/power/{ wakeup_count, state } suspend interface.
 allow system_suspend sysfs_power:file rw_file_perms;
 
+# TODO(b/128923994): remove once all debugging info moves to SystemSuspend.
+# Access to /sys/power/{ wake_lock, wake_unlock } suspend blocker interface.
+allow system_suspend self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+
 neverallow {
     domain
     -atrace # tracing
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 95affef..4630c35 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -143,6 +143,7 @@
 # neverallow rules for Bluetooth-related data files are listed above.
 neverallow webview_zygote {
   bluetooth_a2dp_offload_prop
+  bluetooth_audio_hal_prop
   bluetooth_prop
   exported_bluetooth_prop
 }:file create_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 29d61b4..759fc34 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -44,11 +44,10 @@
 allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 
-# When WITH_DEXPREOPT is true, the zygote does not load executable content from
-# /data/dalvik-cache. Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+# For updateability, the zygote may fetch the current boot
+# classpath from the dalvik cache. Integrity of the files
+# is ensured by fsverity protection (checked in art_apex_boot_integrity).
+allow zygote dalvikcache_data_file:file execute;
 
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
@@ -104,6 +103,9 @@
 allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
 allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
 
+# Allow zygote to expand app files while preloading libraries
+allow zygote mnt_expand_file:dir getattr;
+
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
 
@@ -165,6 +167,7 @@
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote {
   bluetooth_a2dp_offload_prop
+  bluetooth_audio_hal_prop
   bluetooth_prop
   exported_bluetooth_prop
 }:file create_file_perms;
diff --git a/public/app.te b/public/app.te
index ee9b8cf..e26ec0a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -564,7 +564,7 @@
   appdomain
   -bluetooth
   -system_app
-} { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
 
 # Apps cannot access proc_uid_time_in_state
 neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/public/attributes b/public/attributes
index 4cae0ff..dbb9356 100644
--- a/public/attributes
+++ b/public/attributes
@@ -308,3 +308,6 @@
 attribute mediaswcodec_server;
 attribute system_suspend_server;
 attribute camera_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
diff --git a/public/device.te b/public/device.te
index 57b0503..e20a68b 100644
--- a/public/device.te
+++ b/public/device.te
@@ -104,4 +104,9 @@
 type misc_block_device, dev_type;
 
 # 'super' partition to be used for logical partitioning.
-type super_block_device, dev_type;
+type super_block_device, super_block_device_type, dev_type;
+
+# sdcard devices; normally vold uses the vold_block_device label and creates a
+# separate device node. gsid, however, accesses the original devide node
+# created through uevents, so we use a separate label.
+type sdcard_block_device, dev_type;
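Review bot: The new comment has a typo, `devide node` should read `device node`. It would also help to say which rules are expected to reference `sdcard_block_device`, because the comment mentions gsid but no gsid rule is part of this hunk.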
diff --git a/public/domain.te b/public/domain.te
index a91cf40..5a964c9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -349,20 +349,6 @@
   -vold
 } self:global_capability_class_set mknod;
 
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
-neverallow {
-  domain
-  userdebug_or_eng(`-domain')
-  -kernel
-  -init
-  -recovery
-  -ueventd
-  -healthd
-  -uncrypt
-  -tee
-  -hal_bootctl_server
-} self:global_capability_class_set sys_rawio;
-
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow * self:memprotect mmap_zero;
 
@@ -449,22 +435,6 @@
 # Rather force a relabel to a more specific type.
 neverallow domain device:chr_file { open read write };
 
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
-    domain
-    -apexd
-    recovery_only(`userdebug_or_eng(`-fastbootd')')
-    -init
-    -kernel
-    -otapreopt_chroot
-    -recovery
-    -update_engine
-    -vold
-    -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
 
@@ -659,6 +629,11 @@
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } binder_device:chr_file rw_file_perms;
 ')
+
+# libcutils can probe for /dev/binder permissions with access(). Ignore
+# generated denials. See b/129073672 for details.
+dontaudit domain binder_device:chr_file audit_access;
+
 full_treble_only(`
   neverallow {
     domain
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0bd6f83..2d5e240 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -127,6 +127,7 @@
 binder_call(dumpstate, { appdomain netd wificond })
 
 hal_client_domain(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_wifi)
 hal_client_domain(dumpstate, hal_graphics_allocator)
 # Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 99ccd8c..8ebe387 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -16,7 +16,7 @@
 
   allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
   # Log to serial
-  allow fastbootd kmsg_device:chr_file { open write };
+  allow fastbootd kmsg_device:chr_file { open getattr write };
 
   # battery info
   allow fastbootd sysfs_batteryinfo:file r_file_perms;
@@ -45,7 +45,7 @@
   allow fastbootd dm_device:chr_file rw_file_perms;
   allow fastbootd dm_device:blk_file rw_file_perms;
 
-  allow fastbootd super_block_device:blk_file rw_file_perms;
+  allow fastbootd super_block_device_type:blk_file rw_file_perms;
   allow fastbootd {
     boot_block_device
     metadata_block_device
@@ -60,10 +60,7 @@
   allow fastbootd gsi_metadata_file:dir r_dir_perms;
   allow fastbootd gsi_metadata_file:file rw_file_perms;
 
-  allowxperm fastbootd {
-    system_block_device
-    super_block_device
-  }:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 
   allowxperm fastbootd {
     metadata_block_device
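Review bot: Replacing `{ system_block_device super_block_device }` with `super_block_device_type` in the `allowxperm ... ioctl { BLKIOMIN BLKALIGNOFF }` rule drops `system_block_device` unless that type also carries the new attribute, and in this diff only `super_block_device` receives it (public/device.te). The same substitution is made in public/update_engine_common.te. If system_block_device was listed for devices whose super partition lives on another partition, which I cannot confirm from these hunks, those devices now have to add the attribute in their own policy. A comment next to the rule would make that requirement explicit, e.g. `# Devices that place super on another partition must add super_block_device_type to that partition's type.`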
@@ -86,6 +83,11 @@
     # Refined manipulation of /mnt/scratch, without these perms resorts
     # to deleting scratch partition when partition(s) are flashed.
     allow fastbootd self:process setfscreate;
+    allow fastbootd cache_file:dir search;
+    allow fastbootd proc_filesystems:file { getattr open read };
+    allow fastbootd self:capability sys_rawio;
+    dontaudit fastbootd kernel:system module_request;
+    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
     allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
     allow fastbootd {
       system_file_type
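Review bot: The five added rules carry no comment of their own and sit under one that only explains setfscreate for /mnt/scratch, yet two of them are broad: `allow fastbootd self:capability sys_rawio;` and `allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;`, which names every block-device type instead of the ones fastbootd is granted elsewhere in this file. Each should get a line saying what fails without it, and BLKROSET could probably be limited to the partitions fastbootd is allowed to flash, though the needed set is not visible in this hunk. The neverallow on sys_rawio in public/domain.te is deleted in this same diff and any replacement is not shown here, so it is worth confirming that a restriction still applies on user builds. The enclosing block starts outside the hunk.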
diff --git a/public/file.te b/public/file.te
index 883f4a3..ccf6d85 100644
--- a/public/file.te
+++ b/public/file.te
@@ -221,6 +221,10 @@
 type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
+# Type for /data/system/packages.list.
+# TODO(b/129332765): Narrow down permissions to this.
+# Find out users of system_data_file that should be granted only this.
+type packages_list_file, file_type, data_file_type, core_data_file_type;
 # Default type for anything under /data/vendor{_ce,_de}.
 type vendor_data_file, file_type, data_file_type;
 # Unencrypted data
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 9ffb769..a1c098f 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -35,3 +35,4 @@
 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
 
 get_prop(hal_audio, bluetooth_a2dp_offload_prop)
+get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 09c3ce6..97177ba 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -21,6 +21,7 @@
 
 # Allow write access to bluetooth-specific properties
 set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
 set_prop(hal_bluetooth, bluetooth_prop)
 set_prop(hal_bluetooth, exported_bluetooth_prop)
 
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
index 5653afa..84a2597 100644
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
@@ -1,3 +1,4 @@
 binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
+binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
 
 hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/public/hal_health.te b/public/hal_health.te
index 019b523..dc7d083 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -21,7 +21,7 @@
 wakelock_use(hal_health_server)
 
 # Write to /dev/kmsg
-allow hal_health_server kmsg_device:chr_file w_file_perms;
+allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
 
 # Allow to use timerfd to wake itself up periodically to send health info.
 allow hal_health_server self:capability2 wake_alarm;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 805adaf..ecc1359 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -23,9 +23,9 @@
 allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
 # allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
 allow hal_wifi proc_modules:file { getattr open read };
+# Allow hal_wifi to send dump info to dumpstate
+allow hal_wifi dumpstate:fifo_file write;
 
 # allow hal_wifi to write into /data/vendor/tombstones/wifi
-userdebug_or_eng(`
-  allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
-  allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
-')
+allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
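Review bot: Removing the `userdebug_or_eng` wrapper gives hal_wifi_server write access to tombstone_wifi_data_file on user builds as well, and the remaining comment does not say why production devices need it. A line such as `# Needed on user builds too: <reason>` above the two rules would record the decision, since the reason is not stated anywhere in this hunk. The added `allow hal_wifi dumpstate:fifo_file write;` uses the hal_wifi attribute like the rules around it. If only the HAL server writes the dump, `hal_wifi_server` would be the tighter source.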
diff --git a/public/init.te b/public/init.te
index f5f42e7..177005f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -11,7 +11,7 @@
 #
 # /dev/kmsg
 allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { write relabelto };
+allow init kmsg_device:chr_file { getattr write relabelto };
 # /dev/kmsg_debug
 userdebug_or_eng(`
   allow init kmsg_debug_device:chr_file { write relabelto };
@@ -529,9 +529,6 @@
 # Allow init to write to /proc/sys/vm/overcommit_memory
 allow init proc_overcommit_memory:file { write };
 
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow init proc_fs_verity:file w_file_perms;
-
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
@@ -556,6 +553,9 @@
 # Allow calls from init to apexd
 allow init apexd:binder call;
 
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
 ###
 ### neverallow rules
 ###
diff --git a/public/kernel.te b/public/kernel.te
index 3ffb5ce..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,12 +88,6 @@
 allow kernel apex_data_file:file read;
 allow kernel staging_data_file:file read;
 
-# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
-# files under /postinstall, as it uses apexd logic to mount APEX packages in
-# /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
 # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/lmkd.te b/public/lmkd.te
index 518fb8f..51d1aa2 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -23,6 +23,7 @@
 
 # setsched and send kill signals
 allow lmkd appdomain:process { setsched sigkill };
+allow lmkd kernel:process { setsched };
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
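Review bot: `allow lmkd kernel:process { setsched };` is added under the comment `# setsched and send kill signals`, which was written for appdomain targets, so nothing explains why lmkd needs to change scheduling for processes in the kernel domain. Please add a dedicated comment naming the operation that triggers the check. If the denial is only a side effect of something else, a `dontaudit` would grant less. The braces around a single permission are also unnecessary: `allow lmkd kernel:process setsched;`.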
diff --git a/public/logd.te b/public/logd.te
index 6aac302..57e29d9 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -11,8 +11,9 @@
 allow logd self:global_capability2_class_set syslog;
 allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
 allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file w_file_perms;
+allow logd kmsg_device:chr_file { getattr w_file_perms };
 allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd packages_list_file:file r_file_perms;
 allow logd pstorefs:dir search;
 allow logd pstorefs:file r_file_perms;
 userdebug_or_eng(`
@@ -58,7 +59,7 @@
 neverallow logd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
 
 # Only init is allowed to enter the logd domain via exec()
 neverallow { domain -init } logd:process transition;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index ee2d2ec..77aefe1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -127,6 +127,9 @@
 
 allow mediaserver system_server:fd use;
 
+# b/120491318 allow mediaserver to access void:fd
+allow mediaserver vold:fd use;
+
 hal_client_domain(mediaserver, hal_allocator)
 
 ###
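Review bot: The comment reads `access void:fd` but the rule targets `vold:fd`, which looks like a typo. A bug number alone does not tell the reader why mediaserver receives file descriptors from vold, so I would spell the purpose out, e.g. `# b/120491318: allow mediaserver to use fds passed from vold`, followed by a few words on what those descriptors refer to.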
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
deleted file mode 100644
index a8d5fda..0000000
--- a/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/public/property.te b/public/property.te
index c2b65f0..473baa2 100644
--- a/public/property.te
+++ b/public/property.te
@@ -2,6 +2,7 @@
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_a2dp_offload_prop, property_type;
+type bluetooth_audio_hal_prop, property_type;
 type bluetooth_prop, property_type;
 type bpf_progs_loaded_prop, property_type;
 type bootloader_boot_reason_prop, property_type;
@@ -57,6 +58,7 @@
 type log_prop, property_type, log_property_type;
 type log_tag_prop, property_type, log_property_type;
 type lowpan_prop, property_type;
+type lpdumpd_prop, property_type;
 type mmc_prop, property_type;
 type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
@@ -351,6 +353,7 @@
     -apexd_prop
     -audio_prop
     -bluetooth_a2dp_offload_prop
+    -bluetooth_audio_hal_prop
     -bluetooth_prop
     -bootloader_boot_reason_prop
     -boottime_prop
@@ -428,6 +431,7 @@
     -logd_prop
     -logpersistd_logging_prop
     -lowpan_prop
+    -lpdumpd_prop
     -mmc_prop
     -net_dns_prop
     -net_radio_prop
diff --git a/public/property_contexts b/public/property_contexts
index 4216116..3ac4673 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -12,6 +12,7 @@
 dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
@@ -71,6 +72,7 @@
 media.stagefright.thumbnail.prefer_hw_codecs u:object_r:exported3_default_prop:s0 exact bool
 persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
 persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
 persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
 persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
 persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
@@ -375,3 +377,4 @@
 ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/runas.te b/public/runas.te
index b1daa31..356a019 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -13,6 +13,7 @@
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
 allow runas system_data_file:lnk_file getattr;
+allow runas packages_list_file:file r_file_perms;
 
 # The app's data dir may be accessed through a symlink.
 allow runas system_data_file:lnk_file read;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 6d9edfa..83c1840 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -20,6 +20,7 @@
 
 # Read /data/system/packages.list.
 allow sdcardd system_data_file:file r_file_perms;
+allow sdcardd packages_list_file:file r_file_perms;
 
 # Read /data/.layout_version
 allow sdcardd install_data_file:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 852e3df..a6385b8 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
+type lpdump_service,            service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
@@ -130,7 +131,7 @@
 type otadexopt_service, system_server_service, service_manager_type;
 type overlay_service, system_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type package_native_service, system_server_service, service_manager_type;
+type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
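Review bot: Adding `app_api_service` and `ephemeral_app_api_service` to `package_native_service` puts the service in the sets that ordinary and ephemeral apps are allowed to look up, where before it carried only `system_server_service`. The hunk gives no reason for the wider exposure, and the type line is the only place a later reader will look for one. A short comment above it naming the caller that needs the lookup would help. It is also worth confirming that the native package interface enforces its own caller checks, since the service-manager policy no longer limits who can reach it.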
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 9f8e6e4..b7ff7a0 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -9,6 +9,7 @@
 # simpleperf_app_runner reads package information.
 allow simpleperf_app_runner system_data_file:file r_file_perms;
 allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
 
 # The app's data dir may be accessed through a symlink.
 allow simpleperf_app_runner system_data_file:lnk_file read;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 7ded147..4dea890 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -14,6 +14,7 @@
   -installd_service
   -ipmemorystore_service
   -iorapd_service
+  -lpdump_service
   -netd_service
   -virtual_touchpad_service
   -vold_service
diff --git a/public/update_engine.te b/public/update_engine.te
index 6521726..7bcaca6 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -13,7 +13,7 @@
 # denial.
 dontaudit update_engine self:global_capability_class_set fsetid;
 
-allow update_engine kmsg_device:chr_file w_file_perms;
+allow update_engine kmsg_device:chr_file { getattr w_file_perms };
 allow update_engine update_engine_exec:file rx_file_perms;
 wakelock_use(update_engine);
 
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index b55f4bc..a326d4c 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -63,13 +63,10 @@
 allow update_engine_common dm_device:blk_file rw_file_perms;
 
 # read / write metadata on super device to resize partitions
-allow update_engine_common super_block_device:blk_file rw_file_perms;
+allow update_engine_common super_block_device_type:blk_file rw_file_perms;
 
 # ioctl on super device to get block device alignment and alignment offset
-allowxperm update_engine_common {
-    system_block_device
-    super_block_device
-}:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 
 # get physical block device to map logical partitions on device mapper
 allow update_engine_common block_device:dir r_dir_perms;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 0a9090c..8d40cdd 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -22,7 +22,7 @@
 allow update_verifier dm_device:blk_file r_file_perms;
 
 # Write to kernel message.
-allow update_verifier kmsg_device:chr_file w_file_perms;
+allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
 
 # Allow update_verifier to reboot the device.
 set_prop(update_verifier, powerctl_prop)
diff --git a/public/vdc.te b/public/vdc.te
index b59dcf6..e638e50 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -12,7 +12,7 @@
 allow vdc devpts:chr_file rw_file_perms;
 
 # vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file w_file_perms;
+allow vdc kmsg_device:chr_file { getattr w_file_perms };
 
 # vdc talks to vold over Binder
 binder_use(vdc)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index fd0d6e3..5a3e918 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -5,7 +5,7 @@
 allow vendor_init init:unix_stream_socket { read write };
 
 # Logging to kmsg
-allow vendor_init kmsg_device:chr_file { open write };
+allow vendor_init kmsg_device:chr_file { open getattr write };
 
 # Mount on /dev/usb-ffs/adb.
 allow vendor_init device:dir mounton;
@@ -213,6 +213,7 @@
 allow vendor_init file_contexts_file:file r_file_perms;
 
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, bluetooth_audio_hal_prop)
 set_prop(vendor_init, cpu_variant_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)
diff --git a/public/vold.te b/public/vold.te
index c7d69be..2a278eb 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -16,6 +16,7 @@
   sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
   sysfs_usb
   sysfs_zram_uevent
+  sysfs_fs_f2fs
 }:file w_file_perms;
 
 r_dir_file(vold, rootfs)
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
new file mode 100755
index 0000000..33ce861
--- /dev/null
+++ b/tools/policy_version_check.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
+
+if [ "$MK" != "$BP" ]; then
+    echo "POLICYVERS in Android.mk must match DSEPOLICY_VERSION in Android.bp" 1>&2
+    exit 1
+fi
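Review bot: The check passes when both extractions come back empty, because `[ "$MK" != "$BP" ]` treats two empty strings as equal. That happens when neither file is found, for instance if the hook runs from another directory, since both paths are relative. Guard against it with `if [ -z "$MK" ] || [ "$MK" != "$BP" ]; then`. The message also names the wrong file: the value is read from policy_version.mk, so it should read `"POLICYVERS in policy_version.mk must match DSEPOLICY_VERSION in Android.bp"`.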
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 25e6a0c..0209678 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -380,6 +380,7 @@
     size_t keyword_size = strlen(keyword), len;
     struct avrule *neverallows = NULL, *avrule;
     char *p, *start;
+    int result;
 
     p = text;
     while (p < end) {
@@ -434,12 +435,19 @@
     if (!neverallows)
         goto err;
 
-    return check_assertions(NULL, policydb, neverallows);
+    result = check_assertions(NULL, policydb, neverallows);
+    avrule_list_destroy(neverallows);
+    return result;
 err:
     if (errno == ENOMEM) {
         fprintf(stderr, "Out of memory while parsing neverallow rules\n");
     } else
         fprintf(stderr, "Error while parsing neverallow rules\n");
+
+    avrule_list_destroy(neverallows);
+    if (avrule != neverallows)
+        avrule_destroy(avrule);
+
     return -1;
 }
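Review bot: The new error path reads `avrule` in `if (avrule != neverallows)`, but the declaration `struct avrule *neverallows = NULL, *avrule;` leaves it uninitialized. Reaching `err` before the loop has assigned it, for instance through `if (!neverallows) goto err;` when no rule was parsed, therefore compares and then destroys an indeterminate pointer. Initialize it with `struct avrule *neverallows = NULL, *avrule = NULL;` and reset it to NULL once a rule has been linked into the list, so an entry already owned by `neverallows` is never destroyed a second time. The comparison only protects the list head, and whether that is enough depends on how the loop links entries, which lies outside this hunk along with the start of the function. If `avrule_destroy` releases only the rule's members, the struct itself also needs `free(avrule)`, which is worth checking against libsepol.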