Merge changes from topic "artsrv-experiment-flag"
* changes:
Give art_boot explicit access to experiment flags.
Allow the ART boot oneshot service to configure ART config properties.
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index afd2396..881f7da 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
- ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index c5513d0..9ae7826 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -23,7 +23,7 @@
func init() {
ctx := android.InitRegistrationContext
- ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
}
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7eac769..7eef4ea 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -267,12 +267,12 @@
"healthconnect": EXCEPTION_NO_FUZZER,
"ions": EXCEPTION_NO_FUZZER,
"idmap": EXCEPTION_NO_FUZZER,
- "incident": EXCEPTION_NO_FUZZER,
+ "incident": []string{"incidentd_service_fuzzer"},
"incidentcompanion": EXCEPTION_NO_FUZZER,
"inputflinger": EXCEPTION_NO_FUZZER,
"input_method": EXCEPTION_NO_FUZZER,
"input": EXCEPTION_NO_FUZZER,
- "installd": EXCEPTION_NO_FUZZER,
+ "installd": []string{"installd_service_fuzzer"},
"iphonesubinfo_msim": EXCEPTION_NO_FUZZER,
"iphonesubinfo2": EXCEPTION_NO_FUZZER,
"iphonesubinfo": EXCEPTION_NO_FUZZER,
@@ -302,12 +302,12 @@
"media.aaudio": EXCEPTION_NO_FUZZER,
"media.audio_flinger": EXCEPTION_NO_FUZZER,
"media.audio_policy": EXCEPTION_NO_FUZZER,
- "media.camera": EXCEPTION_NO_FUZZER,
+ "media.camera": []string{"camera_service_aidl_fuzzer"},
"media.camera.proxy": EXCEPTION_NO_FUZZER,
"media.log": EXCEPTION_NO_FUZZER,
"media.player": EXCEPTION_NO_FUZZER,
- "media.metrics": EXCEPTION_NO_FUZZER,
- "media.extractor": EXCEPTION_NO_FUZZER,
+ "media.metrics": []string{"mediametrics_aidl_fuzzer"},
+ "media.extractor": []string{"mediaextractor_service_fuzzer"},
"media.transcoding": EXCEPTION_NO_FUZZER,
"media.resource_manager": EXCEPTION_NO_FUZZER,
"media.resource_observer": EXCEPTION_NO_FUZZER,
@@ -410,8 +410,8 @@
"sdk_sandbox": EXCEPTION_NO_FUZZER,
"SurfaceFlinger": EXCEPTION_NO_FUZZER,
"SurfaceFlingerAIDL": EXCEPTION_NO_FUZZER,
- "suspend_control": EXCEPTION_NO_FUZZER,
- "suspend_control_internal": EXCEPTION_NO_FUZZER,
+ "suspend_control": []string{"suspend_service_fuzzer"},
+ "suspend_control_internal": []string{"suspend_service_internal_fuzzer"},
"system_config": EXCEPTION_NO_FUZZER,
"system_server_dumper": EXCEPTION_NO_FUZZER,
"system_update": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 1e8529b..c940eca 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -410,7 +410,7 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index a855509..4bd55cf 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -46,6 +46,10 @@
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
# ueventd is using bootstrap bionic
use_bootstrap_libs(ueventd)
diff --git a/private/app.te b/private/app.te
index 34cd2f0..754c802 100644
--- a/private/app.te
+++ b/private/app.te
@@ -48,11 +48,6 @@
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 79f925f..c73eefa 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -54,6 +54,7 @@
fuseblkd_untrusted_exec
fuseblkd
fuseblkd_exec
+ ota_build_prop
permissive_mte_prop
persist_sysui_builder_extras_prop
prng_seeder
@@ -61,7 +62,6 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
- setupwizard_esim_prop
shutdown_checkpoints_system_data_file
snapuserd_log_data_file
stats_config_data_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 8abc646..83930a5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,7 +14,6 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index ea9ab9c..23f7444 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -110,4 +110,4 @@
# Neverallow #
##############
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow dex2oat app_data_file_type:notdevfile_class_set open;
diff --git a/private/domain.te b/private/domain.te
index 08adeb8..f98a285 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -87,8 +87,13 @@
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process), and MTE bootloader override to be
+# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
+get_prop(domain, device_config_runtime_native_boot_prop);
+get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9f2b1d5..4e1417b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -56,7 +56,7 @@
### neverallow rules
###
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
+neverallow ephemeral_app app_data_file_type:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
@@ -66,7 +66,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
+neverallow ephemeral_app debugfs_type:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
diff --git a/private/file_contexts b/private/file_contexts
index bb86761..c9c51e4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -263,6 +263,8 @@
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/drmserver32 u:object_r:drmserver_exec:s0
+/system/bin/drmserver64 u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 91418b5..39d0bbb 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -70,5 +70,6 @@
}')
full_treble_only(`
- neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+ neverallow heapprofd vendor_file_type:file no_w_file_perms;
+ neverallow heapprofd { vendor_file_type -vndk_sp_file }:file no_x_file_perms;
')
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 0617a57..189d064 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -37,7 +37,7 @@
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+neverallow isolated_app_all app_data_file_type:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
diff --git a/private/mediaserver.te b/private/mediaserver.te
index f44cbde..92ec40d 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -16,6 +16,9 @@
get_prop(mediaserver, drm_service_config_prop)
get_prop(mediaserver, media_config_prop)
+# Allow MediaCodec running on mediaserver to read media_native flags
+get_prop(mediaserver, device_config_media_native_prop)
+
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
diff --git a/private/priv_app.te b/private/priv_app.te
index cfd8721..52077ef 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -218,7 +218,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
+neverallow priv_app debugfs_type:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
@@ -262,10 +262,10 @@
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
+neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
+# Do not follow any app provided symlinks
+neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
# Do not allow getting permission-protected network information from sysfs.
neverallow priv_app sysfs_net:file *;
diff --git a/private/property.te b/private/property.te
index 928f86c..35f9bc7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -598,10 +598,6 @@
-init
} setupwizard_prop:property_service set;
-neverallow {
- domain
- -init
-} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 102c111..2399163 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -337,6 +337,7 @@
snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
+ro.vendor.build.ab_ota_partitions u:object_r:ota_build_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
# The vbmeta digest for the inactive slot. It can be set after installing
@@ -1203,7 +1204,6 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
@@ -1452,8 +1452,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/rs.te b/private/rs.te
index 268f040..a9b2edd 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -35,6 +35,6 @@
neverallow rs rs:capability_class_set *;
neverallow { domain -appdomain } rs:process { dyntransition transition };
neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
+neverallow rs app_data_file_type:file_class_set ~r_file_perms;
# rs should never use network sockets
neverallow rs *:network_socket_class_set *;
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 6e7ba50..b4c655b 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -35,7 +35,7 @@
### neverallow rules
###
-neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
@@ -45,7 +45,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
+neverallow sdk_sandbox_all debugfs_type:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;
@@ -66,8 +66,9 @@
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+# TODO(b/280514080): shell_data_file shouldn't be allowed here
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 640b054..c7e81cd 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -58,7 +58,7 @@
dontaudit traced_perf domain:process signal;
# Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+neverallow traced_perf app_data_file_type:file *;
# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
diff --git a/private/update_engine.te b/private/update_engine.te
index 8d6341c..c9511f7 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -14,6 +14,7 @@
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
+get_prop(update_engine, ota_build_prop)
# Allow to get the DSU status
get_prop(update_engine, gsid_prop)
diff --git a/public/app.te b/public/app.te
index da59f32..a45149f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -89,7 +89,7 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
+neverallow appdomain system_file_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
diff --git a/public/domain.te b/public/domain.te
index 56c3142..39cd5c2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1053,6 +1053,7 @@
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
@@ -1285,3 +1286,7 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
diff --git a/public/init.te b/public/init.te
index a399b3a..c01dc93 100644
--- a/public/init.te
+++ b/public/init.te
@@ -660,7 +660,7 @@
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
+neverallow init app_data_file_type:lnk_file read;
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
diff --git a/public/logd.te b/public/logd.te
index 8187179..aaf3900 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -57,10 +57,15 @@
neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
+neverallow logd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
+neverallow logd {
+ app_data_file_type
+ system_data_file
+ packages_list_file
+ -shell_data_file # for bugreports
+}:dir_file_class_set write;
# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
diff --git a/public/logpersist.te b/public/logpersist.te
index c8e6af4..6c1c404 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -17,7 +17,7 @@
neverallow logpersist domain:process ptrace;
# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
# Only init should be allowed to enter the logpersist domain via exec()
# Following is a list of debug domains we know that transition to logpersist
diff --git a/public/modprobe.te b/public/modprobe.te
index 2c7d64b..910aebd 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -4,6 +4,9 @@
allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
recovery_only(`
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
diff --git a/public/netd.te b/public/netd.te
index e3ea1cb..a5c27f9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,7 +80,7 @@
allow netd system_file:file lock;
# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
+allow netd dnsmasq:process { sigkill signal };
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
@@ -129,7 +129,7 @@
neverallow netd { domain }:process ptrace;
# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
+neverallow netd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/profman.te b/public/profman.te
index 727daee..85cdc1e 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -28,4 +28,4 @@
### neverallow rules
###
-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow profman app_data_file_type:notdevfile_class_set open;
diff --git a/public/property.te b/public/property.te
index acb4033..c11264b 100644
--- a/public/property.te
+++ b/public/property.te
@@ -8,7 +8,6 @@
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(firstboot_prop)
@@ -68,6 +67,7 @@
system_restricted_prop(composd_vm_art_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
+system_restricted_prop(device_config_media_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
@@ -88,7 +88,6 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
-system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -168,6 +167,7 @@
system_vendor_config_prop(mediadrm_config_prop)
system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
+system_vendor_config_prop(ota_build_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(recovery_usb_config_prop)
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index d4b4562..7224e87 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -25,8 +25,8 @@
neverallow recovery_persist domain:process ptrace;
# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
+neverallow recovery_persist system_file_type:dir_file_class_set write;
# Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index d6870dc..d20cd44 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -18,7 +18,7 @@
neverallow recovery_refresh domain:process ptrace;
# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
+neverallow recovery_refresh system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/ueventd.te b/public/ueventd.te
index 4e3c7c2..3135a7f 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -65,6 +65,13 @@
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
+# Allow ueventd to read apexd property
+get_prop(ueventd, apexd_prop)
+
#####
##### neverallow rules
#####
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9dd9898..a9d1b5d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -302,7 +302,7 @@
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init app_data_file_type:lnk_file read;
neverallow vendor_init shell_data_file:lnk_file read;
# Init should not be creating subdirectories in /data/local/tmp
neverallow vendor_init shell_data_file:dir { write add_name remove_name };
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 0bcc998..c8ecc60 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -83,14 +83,16 @@
"""Returns error message if scontext can't read the target"""
match rule:
case AllowRead(tclass, scontext):
- te_rules = list(pol.QueryTERule(scontext=scontext,
- tcontext={tcontext},
- tclass={tclass},
- perms={'read'}))
- if len(te_rules) > 0:
- return [] # no errors
+ # Test every source in scontext(set)
+ for s in scontext:
+ te_rules = list(pol.QueryTERule(scontext={s},
+ tcontext={tcontext},
+ tclass={tclass},
+ perms={'read'}))
+ if len(te_rules) > 0:
+ return [] # no errors
- return [f"Error: {path}: {scontext} can't read. (tcontext={tcontext})"]
+ return [f"Error: {path}: {s} can't read. (tcontext={tcontext})"]
rules = [
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 9b427a0..9c87a00 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -93,6 +93,8 @@
self.assert_ok('./etc/linker.config.pb u:object_r:linkerconfig_file:s0')
self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
r'Error: .*linkerconfig.* can\'t read')
+ self.assert_error('./ u:object_r:apex_data_file:s0',
+ r'Error: .*linkerconfig.* can\'t read')
if __name__ == '__main__':
unittest.main(verbosity=2)