Merge "init: allow init to restorecon on block devices and their symlinks"
diff --git a/private/app.te b/private/app.te
index b009d98..98fcce0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -86,9 +86,9 @@
allow appdomain oemfs:file rx_file_perms;
# Execute the shell or other system executables.
-allow appdomain shell_exec:file rx_file_perms;
-allow appdomain system_file:file rx_file_perms;
-allow appdomain toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
# Renderscript needs the ability to read directories on /system
r_dir_file(appdomain, system_file)
@@ -232,7 +232,7 @@
# logd access
read_logd(appdomain)
-control_logd(appdomain)
+control_logd({ appdomain -ephemeral_app untrusted_v2_app })
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
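Review bot: The set on the control_logd line is `{ appdomain -ephemeral_app untrusted_v2_app }`, with no minus before `untrusted_v2_app`, whereas the three rules in the previous hunk of this file exclude both domains with `-ephemeral_app -untrusted_v2_app`. Since untrusted_v2_app is declared via app_domain() in private/untrusted_v2_app.te and so is presumably already a member of appdomain, listing it positively here is a no-op and the rule still grants it logd control. If the intent matches the first hunk, the line should read `control_logd({ appdomain -ephemeral_app -untrusted_v2_app })`; if the asymmetric grant is deliberate, a one-line comment saying why would stop the next reader from "fixing" it.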
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index a881d52..565936a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,30 +5,27 @@
# Only allow domains in AOSP to use the untrusted_app_all attribute.
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
+define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
# Receive or send uevent messages.
-neverallow { untrusted_app_all ephemeral_app isolated_app } domain:netlink_kobject_uevent_socket *;
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
-neverallow { untrusted_app_all ephemeral_app isolated_app } domain:netlink_socket *;
+neverallow all_untrusted_apps domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow { untrusted_app_all ephemeral_app isolated_app } debugfs_type:file read;
+neverallow all_untrusted_apps debugfs_type:file read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
-neverallow { untrusted_app_all ephemeral_app isolated_app } service_manager_type:service_manager add;
+neverallow all_untrusted_apps service_manager_type:service_manager add;
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
-neverallow { untrusted_app_all ephemeral_app isolated_app } property_socket:sock_file write;
-neverallow { untrusted_app_all ephemeral_app isolated_app } init:unix_stream_socket connectto;
-neverallow { untrusted_app_all ephemeral_app isolated_app } property_type:property_service set;
-
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-neverallow { appdomain -untrusted_app_25 } net_dns_prop:file r_file_perms;
+neverallow all_untrusted_apps property_socket:sock_file write;
+neverallow all_untrusted_apps init:unix_stream_socket connectto;
+neverallow all_untrusted_apps property_type:property_service set;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
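Review bot: The new `all_untrusted_apps` set omits `untrusted_v2_app`, the domain this change introduces in public/untrusted_v2_app.te and private/untrusted_v2_app.te, so none of the neverallow rules rewritten here and in the later hunks of this file (netlink sockets, debugfs, service registration, property set, mlstrustedsubject, hard links, MAC address, socket ioctls, /cache, tun_device, generic /proc) constrain it. The new domain is set up with app_domain/net_domain/bluetooth_domain rather than untrusted_app_domain, and nothing else in this diff applies equivalent restrictions to it. Unless the v2 sandbox is meant to be exempt, the define should be `define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app untrusted_v2_app }')`. Separately, deleting the `net_dns_prop` neverallow drops the policy-level guarantee that only untrusted_app_25 reads net.dns*; if that rule moved to another file, it is not visible in this diff and the commit message should say so.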
@@ -38,7 +35,7 @@
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
-neverallow { untrusted_app_all ephemeral_app isolated_app } mlstrustedsubject:process fork;
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
@@ -46,16 +43,16 @@
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
-neverallow { untrusted_app_all ephemeral_app isolated_app } file_type:file link;
+neverallow all_untrusted_apps file_type:file link;
# Do not allow untrusted apps to access network MAC address file
-neverallow { untrusted_app_all ephemeral_app isolated_app } sysfs_mac_address:file no_rw_file_perms;
+neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
-neverallowxperm { untrusted_app_all ephemeral_app isolated_app } domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow { untrusted_app_all ephemeral_app isolated_app } *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow { untrusted_app_all ephemeral_app isolated_app } *:{
+neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
@@ -66,15 +63,15 @@
} *;
# Do not allow untrusted apps access to /cache
-neverallow { untrusted_app_all ephemeral_app isolated_app } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow { untrusted_app_all ephemeral_app isolated_app } { cache_file cache_recovery_file }:file ~{ read getattr };
+neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
-neverallow { untrusted_app_all ephemeral_app isolated_app } {
+neverallow all_untrusted_apps {
fs_type
-fuse # sdcard
-sdcardfs # sdcard
@@ -92,12 +89,12 @@
}:dir_file_class_set { create unlink };
# Do not allow untrusted apps to directly open tun_device
-neverallow { untrusted_app_all ephemeral_app isolated_app } tun_device:chr_file open;
+neverallow all_untrusted_apps tun_device:chr_file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow { untrusted_app_all ephemeral_app isolated_app } anr_data_file:file ~{ open append };
-neverallow { untrusted_app_all ephemeral_app isolated_app } anr_data_file:dir ~search;
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
-neverallow { untrusted_app_all ephemeral_app isolated_app } proc:file { no_rw_file_perms no_x_file_perms };
+neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index 4fcb322..d22015b 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -4,11 +4,6 @@
type hal_bluetooth_default_exec, exec_type, file_type;
init_daemon_domain(hal_bluetooth_default)
-# VTS tests need to be able to toggle rfkill
-userdebug_or_eng(`
- allow hal_bluetooth_default self:capability net_admin;
-')
-
# Logging for backward compatibility
allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ee2740a..15a019c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -1,6 +1,7 @@
# Input selectors:
# isSystemServer (boolean)
# isEphemeralApp (boolean)
+# isV2App (boolean)
# isOwner (boolean)
# user (string)
# seinfo (string)
@@ -11,6 +12,7 @@
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
+# isV2App=true will match apps in the v2 app sandbox.
# isOwner=true will only match for the owner/primary user.
# isOwner=false will only match for secondary users.
# If unspecified, the entry can match either case.
@@ -29,16 +31,17 @@
# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
-# (3) Specified isOwner= before unspecified isOwner= boolean.
-# (4) Specified user= string before unspecified user= string.
-# (5) Fixed user= string before user= prefix (i.e. ending in *).
-# (6) Longer user= prefix before shorter user= prefix.
-# (7) Specified seinfo= string before unspecified seinfo= string.
+# (3) Specified isV2App= before unspecified isV2App= boolean.
+# (4) Specified isOwner= before unspecified isOwner= boolean.
+# (5) Specified user= string before unspecified user= string.
+# (6) Fixed user= string before user= prefix (i.e. ending in *).
+# (7) Longer user= prefix before shorter user= prefix.
+# (8) Specified seinfo= string before unspecified seinfo= string.
# ':' character is reserved and may not be used.
-# (8) Specified name= string before unspecified name= string.
-# (9) Specified path= string before unspecified path= string.
-# (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (11) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
+# (9) Specified name= string before unspecified name= string.
+# (10) Specified path= string before unspecified path= string.
+# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
#
# Outputs:
@@ -100,7 +103,8 @@
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
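Review bot: The ephemeral_app entry now requires `isV2App=true` as well as `isEphemeralApp=true`, and no remaining entry matches an ephemeral app whose isV2App is unset or false; by the precedence rules above, such an app falls through to the isPrivApp/minTargetSdkVersion/default untrusted_app* entries, which this change makes less restrictive than ephemeral_app in at least one respect (the app.te hunk keeps rx on system_file for them but not for ephemeral_app). If every ephemeral app is guaranteed to be a v2 sandbox app, that invariant is not stated anywhere in this file. Either keep a fallback `user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all` after the two new lines, or add to the header comment that isEphemeralApp=true implies isV2App=true.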
diff --git a/private/service_contexts b/private/service_contexts
index 3b01c0b..6f46793 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -103,6 +103,7 @@
nfc u:object_r:nfc_service:s0
notification u:object_r:notification_service:s0
otadexopt u:object_r:otadexopt_service:s0
+overlay u:object_r:overlay_service:s0
package u:object_r:package_service:s0
permission u:object_r:permission_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index e23a33c..5db6850 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -170,7 +170,6 @@
binder_call(system_server, binderservicedomain)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
-binder_call(system_server, hal_fingerprint)
binder_call(system_server, gatekeeperd)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
@@ -183,7 +182,7 @@
hwallocator_use(system_server)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
-binder_call(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_fingerprint)
binder_call(system_server, hal_gnss);
binder_call(system_server, hal_ir)
binder_call(system_server, hal_light)
@@ -194,8 +193,7 @@
binder_call(system_server, hal_usb)
binder_call(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
-binder_call(system_server, hal_wifi)
-binder_call(system_server, hal_drm)
+hal_client_domain(system_server, hal_wifi)
binder_call(system_server, wpa)
# Talk to tombstoned to get ANR traces.
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index ead9a16..2f4a1a4 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -21,3 +21,7 @@
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4f92649..cba0161 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -24,6 +24,10 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_25)
+
# b/34115651 - net.dns* properties read
# This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 7d6bee5..0315252 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -17,10 +17,6 @@
### seapp_contexts.
###
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
# Legacy text relocations
allow untrusted_app_all apk_data_file:file execmod;
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
new file mode 100644
index 0000000..df37fdd
--- /dev/null
+++ b/private/untrusted_v2_app.te
@@ -0,0 +1,39 @@
+###
+### Untrusted v2 sandbox apps.
+###
+app_domain(untrusted_v2_app)
+net_domain(untrusted_v2_app)
+bluetooth_domain(untrusted_v2_app)
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_v2_app system_app_data_file:file { read write getattr };
+
+# Access to /data/media.
+allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_v2_app media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_v2_app mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_v2_app servicemanager:service_manager list;
+
+allow untrusted_v2_app audioserver_service:service_manager find;
+allow untrusted_v2_app cameraserver_service:service_manager find;
+allow untrusted_v2_app drmserver_service:service_manager find;
+allow untrusted_v2_app mediaserver_service:service_manager find;
+allow untrusted_v2_app mediaextractor_service:service_manager find;
+allow untrusted_v2_app mediacodec_service:service_manager find;
+allow untrusted_v2_app mediametrics_service:service_manager find;
+allow untrusted_v2_app mediadrmserver_service:service_manager find;
+allow untrusted_v2_app nfc_service:service_manager find;
+allow untrusted_v2_app radio_service:service_manager find;
+allow untrusted_v2_app surfaceflinger_service:service_manager find;
+# TODO: potentially provide a tighter list of services here
+allow untrusted_v2_app app_api_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_v2_app self:process ptrace;
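Review bot: The `system_app_data_file:file { read write getattr }` rule depends on the absence of `open` to confine the domain to descriptors it received over Binder, but the comment only names the motivating case; making that explicit guards against a later edit that adds `open` and turns this into direct access to another app's private data. Suggested comment above the rule: `# No open permission: only fds already opened by the system app and passed over Binder may be used.` The two TODO grants (mnt_media_rw_file:dir search, app_api_service find) would also benefit from a bug reference so the promised narrowing is tracked.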
diff --git a/public/attributes b/public/attributes
index 5c43d5e..d418375 100644
--- a/public/attributes
+++ b/public/attributes
@@ -135,8 +135,14 @@
attribute hal_configstore;
attribute hal_contexthub;
attribute hal_drm;
+attribute hal_drm_client;
+attribute hal_drm_server;
attribute hal_dumpstate;
+attribute hal_dumpstate_client;
+attribute hal_dumpstate_server;
attribute hal_fingerprint;
+attribute hal_fingerprint_client;
+attribute hal_fingerprint_server;
attribute hal_gatekeeper;
attribute hal_gnss;
attribute hal_graphics_allocator;
@@ -155,3 +161,5 @@
attribute hal_vibrator;
attribute hal_vr;
attribute hal_wifi;
+attribute hal_wifi_client;
+attribute hal_wifi_server;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2ba0e58..1b8538c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -89,10 +89,8 @@
# Vibrate the device after we are done collecting the bugreport
# For binderized mode:
-hwbinder_use(dumpstate)
-binder_call(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_dumpstate)
binder_call(dumpstate, hal_vibrator)
-binder_call(dumpstate, hwservicemanager)
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
@@ -195,6 +193,10 @@
### neverallow rules
###
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
# only system_server, dumpstate and shell can find the dumpstate service
neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 207f718..e9679de 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -4,6 +4,9 @@
wakelock_use(hal_bluetooth);
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:capability net_admin;
+
# bluetooth factory file accesses.
r_dir_file(hal_bluetooth, bluetooth_efs_file)
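Review bot: `allow hal_bluetooth self:capability net_admin;` grants CAP_NET_ADMIN unconditionally to every domain carrying the hal_bluetooth attribute, whereas the rule removed from private/hal_bluetooth_default.te applied only to hal_bluetooth_default and only under userdebug_or_eng. net_admin covers far more than rfkill (interface, routing and netfilter configuration among others), so the comment should state that production operation, not just VTS, requires it. If a server-side attribute for bluetooth exists analogous to the hal_*_server attributes added in public/attributes here, the grant belongs on that attribute rather than on one that may also be shared with clients.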
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 02b8e77..d9386fd 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -13,6 +13,8 @@
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
+# Allow hal_camera to use fence FD from surface owned by application
+allow hal_camera appdomain:fd use;
###
### neverallow rules
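Review bot: The new rule grants `appdomain:fd use` to the whole hal_camera attribute, while the line directly above it deliberately enumerates `{ hal_camera_client hal_camera_server }`, so a reader cannot tell whether the broader scope is intentional. If the fence fd is only consumed by the HAL implementation, `allow hal_camera_server appdomain:fd use;` is the narrower grant; if hal_camera is by convention the attribute for rules the HAL code needs in both passthrough and binderized mode, the comment should say so, e.g. `# Granted on hal_camera so the HAL code has it in both passthrough and binderized mode.`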
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 79b385f..05fe347 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,5 +1,6 @@
-## call into system_server process (for invoking callbacks)
-binder_call(hal_drm, mediadrmserver)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
# Required by Widevine DRM (b/22990512)
allow hal_drm self:process execmem;
@@ -50,4 +51,4 @@
neverallow hal_drm { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
\ No newline at end of file
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 55e3463..d5723b9 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -1,5 +1,6 @@
-# call into dumpstate process (callbacks)
-binder_call(hal_dumpstate, dumpstate)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 8405a7e..580ef37 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -1,22 +1,15 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
# allow HAL module to read dir contents
allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
# allow HAL module to read/write/unlink contents of this dir
allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-# Need to add auth tokens to KeyStore
-use_keystore(hal_fingerprint)
-allow hal_fingerprint keystore:keystore_key add_auth;
-
-# For permissions checking
-binder_call(hal_fingerprint, system_server);
-allow hal_fingerprint permission_service:service_manager find;
-
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
-# Allow fingerprint to find and call keystore binder interfaces
-binder_use(hal_fingerprint);
-
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 960f1ac..edd30fb 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -1,5 +1,6 @@
-## call into system_server process (for invoking callbacks)
-binder_call(hal_wifi, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
r_dir_file(hal_wifi, proc_net)
r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/idmap.te b/public/idmap.te
index 1ab497e..61f1e1c 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -8,3 +8,4 @@
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 8835585..9eb597c 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -9,7 +9,7 @@
binder_call(mediadrmserver, binderservicedomain)
binder_call(mediadrmserver, appdomain)
binder_service(mediadrmserver)
-binder_call(mediadrmserver, hal_drm)
+hal_client_domain(mediadrmserver, hal_drm)
add_service(mediadrmserver, mediadrmserver_service)
allow mediadrmserver mediaserver_service:service_manager find;
@@ -17,56 +17,6 @@
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
-### Rules needed when DRM HAL runs inside mediadrmserver process.
-### These rules should eventually be granted only when needed.
-# Required by Widevine DRM (b/22990512)
-allow mediadrmserver self:process execmem;
-
-# System file accesses.
-allow mediadrmserver system_file:dir r_dir_perms;
-allow mediadrmserver system_file:file r_file_perms;
-allow mediadrmserver system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow mediadrmserver system_data_file:dir { search getattr };
-allow mediadrmserver system_data_file:file { getattr read };
-allow mediadrmserver system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(mediadrmserver, cgroup)
-allow mediadrmserver cgroup:dir { search write };
-allow mediadrmserver cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow mediadrmserver ion_device:chr_file rw_file_perms;
-allow mediadrmserver hal_graphics_allocator:fd use;
-
-# Allow access to app_data and media_data_files
-allow mediadrmserver media_data_file:dir create_dir_perms;
-allow mediadrmserver media_data_file:file create_file_perms;
-allow mediadrmserver media_data_file:file { getattr read };
-
-allow mediadrmserver tee_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediadrmserver sysfs:file r_file_perms;
-
-# Connect to tee service.
-allow mediadrmserver tee:unix_stream_socket connectto;
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Permit reading device's serial number from system properties
-get_prop(mediadrmserver, serialno_prop)
-###
-
-### Rules needed when DRM HAL runs outside of mediadrmserver process.
-### These rules should eventually be granted only when needed.
-hwbinder_use(mediadrmserver)
-###
-
###
### neverallow rules
###
diff --git a/public/racoon.te b/public/racoon.te
index 476981e..d5d5a4e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -15,7 +15,7 @@
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+allow racoon self:capability { net_admin net_bind_service net_raw };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
diff --git a/public/service.te b/public/service.te
index 7ef27118..c8cd4de 100644
--- a/public/service.te
+++ b/public/service.te
@@ -96,6 +96,7 @@
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_server_service, service_manager_type;
type package_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index a98ba7e..5eca15a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -164,7 +164,6 @@
# hal_impl_domain(hal_foo_default, hal_foo)
#
define(`hal_impl_domain', `
-print(`deprecated: hal_impl_domain($1, $2) Please use hal_server_domain($1, $2) instead.');
typeattribute $1 halserverdomain;
ifelse($2, `', `', `typeattribute $1 $2;')
')
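Review bot: Removing the `print(...)` line leaves hal_impl_domain as a silent but still distinct macro: its body only adds `halserverdomain` and `$2`, so a vendor policy that keeps using it would get no `$2_server` attribute and would not be matched by the new `binder_call($2_client, $2_server)` rules in public/hal_drm.te, hal_dumpstate.te, hal_fingerprint.te and hal_wifi.te — assuming hal_server_domain, which is not shown in this diff, is what adds that attribute. Without the deprecation notice there is no longer any build-time hint of that gap. Either keep the print, or make the old name forward to the new one, `define(`hal_impl_domain', `hal_server_domain($1, $2)')`, so the migration done in the vendor/*_default.te hunks is a cleanup rather than a correctness requirement.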
diff --git a/public/untrusted_v2_app.te b/public/untrusted_v2_app.te
new file mode 100644
index 0000000..ac82f15
--- /dev/null
+++ b/public/untrusted_v2_app.te
@@ -0,0 +1,5 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+type untrusted_v2_app, domain;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 96b9ebf..c23c1f6 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -204,6 +204,7 @@
/*Inputs*/
{ .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isEphemeralApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isV2App", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isOwner", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "user", .dir = dir_in, },
{ .name = "seinfo", .dir = dir_in, },
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 74875af..eba763a 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -1,5 +1,5 @@
type hal_drm_default, domain;
-hal_impl_domain(hal_drm_default, hal_drm)
+hal_server_domain(hal_drm_default, hal_drm)
type hal_drm_default_exec, exec_type, file_type;
init_daemon_domain(hal_drm_default)
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
index 2b371b9..fa772e1 100644
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
@@ -1,5 +1,5 @@
type hal_dumpstate_default, domain;
-hal_impl_domain(hal_dumpstate_default, hal_dumpstate)
+hal_server_domain(hal_dumpstate_default, hal_dumpstate)
type hal_dumpstate_default_exec, exec_type, file_type;
init_daemon_domain(hal_dumpstate_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index c392a85..2b9001e 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -1,5 +1,5 @@
type hal_fingerprint_default, domain;
-hal_impl_domain(hal_fingerprint_default, hal_fingerprint)
+hal_server_domain(hal_fingerprint_default, hal_fingerprint)
type hal_fingerprint_default_exec, exec_type, file_type;
init_daemon_domain(hal_fingerprint_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
index 5946ba4..7c3949e 100644
--- a/vendor/hal_wifi_default.te
+++ b/vendor/hal_wifi_default.te
@@ -1,5 +1,5 @@
type hal_wifi_default, domain;
-hal_impl_domain(hal_wifi_default, hal_wifi)
+hal_server_domain(hal_wifi_default, hal_wifi)
type hal_wifi_default_exec, exec_type, file_type;
init_daemon_domain(hal_wifi_default)