Merge "SE Linux policies for OemLockService" into oc-dev
diff --git a/Android.mk b/Android.mk
index da58e53..03970b7 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,36 +1,28 @@
 LOCAL_PATH:= $(call my-dir)
 
-include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy
-LOCAL_MODULE_TAGS := optional
-# Include SELinux policy. We do this here because different modules
-# need to be included based on the value of PRODUCT_FULL_TREBLE. This
-# type of conditional inclusion cannot be done in top-level files such
-# as build/target/product/embedded.mk.
-# This conditional inclusion closely mimics the conditional logic
-# inside init/init.cpp for loading SELinux policy from files.
-ifeq ($(PRODUCT_FULL_TREBLE),true)
-# Use split SELinux policy
-LOCAL_REQUIRED_MODULES += \
-    mapping_sepolicy.cil \
-    nonplat_sepolicy.cil \
-    plat_sepolicy.cil \
-    plat_sepolicy.cil.sha256 \
-    secilc \
-    nonplat_file_contexts \
-    plat_file_contexts
+# PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
+# PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
+# changes independent of PLATFORM_SDK_VERSION.  This value will be set to
+# 10000.0 to represent tip-of-tree development that is inherently unstable and
+# thus designed not to work with any shipping vendor policy.  This is similar in
+# spirit to how DEFAULT_APP_TARGET_SDK is set.
+# The minor version ('m' component) must be updated every time a platform release
+# is made which breaks compatibility with the previous platform sepolicy version,
+# not just on every increase in PLATFORM_SDK_VERSION.  The minor version should
+# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
+sepolicy_major_vers := 25
+sepolicy_minor_vers := 0
 
-# Include precompiled policy, unless told otherwise
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
+$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
 endif
-
-else
-# Use monolithic SELinux policy
-LOCAL_REQUIRED_MODULES += sepolicy \
-    file_contexts.bin
+ifneq (REL,$(PLATFORM_VERSION_CODENAME))
+    sepolicy_major_vers := 10000
+    sepolicy_minor_vers := 0
 endif
-include $(BUILD_PHONY_PACKAGE)
+PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sepolicy_minor_vers))
+sepolicy_major_vers :=
+sepolicy_minor_vers :=
 
 include $(CLEAR_VARS)
 # SELinux policy version.
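Review bot: The diagnostic at L45 names `sepolicy_major_version`, a variable that does not exist (the comparison at L44 is on `sepolicy_major_vers`), and it prints neither side, so a failing build does not tell the maintainer which value is stale. Suggest `$(error sepolicy_major_vers ($(sepolicy_major_vers)) does not match PLATFORM_SDK_VERSION ($(PLATFORM_SDK_VERSION)), please update.)`. The 10000.0 override at L52-L55 runs after that check, which appears intentional (tip-of-tree builds still verify the hard-coded major version against PLATFORM_SDK_VERSION); a one-line comment above the `ifneq (REL,...)` block saying so would stop someone from "fixing" the order.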
@@ -93,24 +85,18 @@
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
 
 # TODO: move to README when doing the README update and finalizing versioning.
-# BOARD_SEPOLICY_VERS should contain the platform version identifier
-#  corresponding to the platform on which the non-platform policy is to be
-#  based.  If unspecified, this will build against the current public platform
-#  policy in tree.
-# BOARD_SEPOLICY_VERS_DIR should contain the public platform policy which
-#  is associated with the given BOARD_SEPOLICY_VERS.  The policy therein will be
-#  versioned according to the BOARD_SEPOLICY_VERS identifier and included as
-#  part of the non-platform policy to ensure removal of access in future
-#  platform policy does not break non-platform policy.
+# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
+# version identifier corresponding to the sepolicy on which the non-platform
+# policy is to be based. If unspecified, this will build against the current
+# public platform policy in tree
 ifndef BOARD_SEPOLICY_VERS
 $(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
-BOARD_SEPOLICY_VERS := current
-BOARD_SEPOLICY_VERS_DIR := $(PLAT_PUBLIC_POLICY)
-else
-ifndef BOARD_SEPOLICY_VERS_DIR
-$(error BOARD_SEPOLICY_VERS_DIR not specified for versioned sepolicy.)
+# The default platform policy version.
+BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
 endif
-endif
+
+
+platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
 
 ###########################################################
 # Compute policy files to be used in policy build.
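Review bot: The new comment at L76 says BOARD_SEPOLICY_VERS must take the form "NN.m", but nothing enforces it, and the value goes straight into a module name (`platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil` at L93) and into the `ifeq` against PLATFORM_SEPOLICY_VERSION in a later hunk, so a board that still sets the old `current` value, or any typo, silently becomes a lookup of a nonexistent mapping module instead of a parse-time error. The removed code rejected an incomplete configuration with `$(error ...)`; keeping that in spirit would be `ifneq ($(words $(subst ., ,$(BOARD_SEPOLICY_VERS))),2)` / `$(error BOARD_SEPOLICY_VERS must be of the form "NN.m", got "$(BOARD_SEPOLICY_VERS)")` / `endif` placed after the `ifndef` block. The two blank lines at L91-L92 before `platform_mapping_file` look unintentional.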
@@ -172,6 +158,40 @@
   with_asan := true
 endif
 
+include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+    $(platform_mapping_file) \
+    nonplat_sepolicy.cil \
+    plat_sepolicy.cil \
+    plat_and_mapping_sepolicy.cil.sha256 \
+    secilc \
+    nonplat_file_contexts \
+    plat_file_contexts \
+    plat_sepolicy_vers.txt
+
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
+endif
+
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+    file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
 ##################################
 # reqd_policy_mask - a policy.conf file which contains only the bare minimum
 # policy necessary to use checkpolicy.  This bare-minimum policy needs to be
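Review bot: The Treble module list now carries `$(platform_mapping_file)` (L114) and `plat_sepolicy_vers.txt` (L121), but the comment block above it still only explains the PRODUCT_FULL_TREBLE split, so a reader cannot see that these two are coupled: the mapping module is named `$(BOARD_SEPOLICY_VERS).cil` (L93) and the text file records that same variable (in a later hunk). Suggest a comment above L113 such as `# $(platform_mapping_file) and plat_sepolicy_vers.txt are both derived from BOARD_SEPOLICY_VERS and must stay in sync; see the plat_sepolicy_vers.txt rule below.` The selinux_policy module definition is complete within this hunk.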
@@ -217,7 +237,7 @@
 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 	@mkdir -p $(dir $@)
 	 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
@@ -310,20 +330,7 @@
 #################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := plat_sepolicy.cil.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil)
-	sha256sum $^ | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := mapping_sepolicy.cil
+LOCAL_MODULE := plat_sepolicy_vers.txt
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
@@ -331,15 +338,31 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) :
+	mkdir -p $(dir $@)
+	echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := $(platform_mapping_file)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
 # auto-generate the mapping file for current platform policy, since it needs to
 # track platform policy development
-current_mapping.cil := $(intermediates)/mapping/current.cil
-$(current_mapping.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
+$(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
 $(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
 
-ifeq ($(BOARD_SEPOLICY_VERS), current)
+
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
 mapping_policy_nvr := $(current_mapping.cil)
 else
 mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
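Review bot: The `plat_sepolicy_vers.txt` rule at L173-L176 has no prerequisites, so once the output exists it is never rewritten: changing BOARD_SEPOLICY_VERS on an incremental build leaves the old version string in place while `$(platform_mapping_file)` (L181) and the mapping rule at L192-L196 move to the new version, so the two artefacts the Treble package ships together would disagree. The recipe also runs `mkdir`/`echo` unhidden, unlike every other recipe in this file. One fix (below) forces the recipe through a phony prerequisite and only replaces the output when its content differs; the module definition starts in the previous hunk.
```make
$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
# The version comes from a make variable, not a file, so no ordinary
# prerequisite can trigger a rebuild when it changes: force the recipe and
# replace the output only when its content actually differs.
.PHONY: $(LOCAL_BUILT_MODULE).force
$(LOCAL_BUILT_MODULE).force: ;
$(LOCAL_BUILT_MODULE) : $(LOCAL_BUILT_MODULE).force
	@mkdir -p $(dir $@)
	$(hide) echo $(PRIVATE_PLAT_SEPOL_VERS) > $@.tmp
	$(hide) if cmp -s $@.tmp $@; then rm -f $@.tmp; else mv -f $@.tmp $@; fi
# … unchanged: $(platform_mapping_file) module and current_mapping.cil rule …
```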
@@ -357,6 +380,19 @@
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
+	cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := nonplat_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
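Review bot: The digest at L216 is taken over a plain concatenation of `$^`, so its value depends on the order of the two CIL prerequisites at L215; the consumer-side recipe at L263 (later hunk) concatenates `$(built_plat_cil) $(built_mapping_cil)` in the same order, but nothing records that the two recipes must agree, and a future reordering of either prerequisite list would silently make the precompiled policy look stale or, worse, mismatched. Suggest the same comment on both recipes: `# Concatenation order matters: must match precompiled_sepolicy.plat_and_mapping.sha256 / plat_and_mapping_sepolicy.cil.sha256.` Separately, `LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux` at L211 uses recursive assignment while the sibling module at L184 uses `:=`; harmless here but inconsistent.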
@@ -377,7 +413,7 @@
 $(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
@@ -438,16 +474,17 @@
 $(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
 $(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
 		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
 
 built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
 
 #################################
-# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
+# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# which precompiled_policy was built.
 #################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
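Review bot: The `-G` option added to the secilc invocation at L238 is the only behavioural change in this hunk and carries no comment, so a later reader cannot tell whether it is required by the new mapping-file layout or incidental, nor whether the recovery/monolithic builds need it too. Suggest a one-line comment above the recipe, e.g. `# -G: <PLACEHOLDER: reason>; keep in sync with any other secilc invocation whose output must match this digest`. I cannot confirm from this diff what `-G` does in the secilc version in the tree; check `secilc --help` and state the purpose rather than the flag name.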
@@ -455,9 +492,9 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
-	sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
+	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
 
 #################################
 include $(CLEAR_VARS)
@@ -505,43 +542,15 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-plat_pub_policy.recovery.conf := $(intermediates)/plat_pub_policy.recovery.conf
-$(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_pub_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_pub_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_pub_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_recovery=true \
-		-s $^ > $@
-
-plat_pub_policy.recovery.cil := $(intermediates)/plat_pub_policy.recovery.cil
-$(plat_pub_policy.recovery.cil): PRIVATE_POL_CONF := $(plat_pub_policy.recovery.conf)
-$(plat_pub_policy.recovery.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(plat_pub_policy.recovery.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(plat_pub_policy.recovery.conf) $(reqd_policy_mask.cil)
-	@mkdir -p $(dir $@)
-	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
-	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-
-plat_pub_policy.recovery.conf :=
-
-plat_policy.recovery.conf := $(intermediates)/plat_policy.recovery.conf
-$(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
+$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
+                           $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+                           $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
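Review bot: The removed text at L350-L355 was the only explanation of how the recovery policy was assembled, and its replacement builds a single monolithic `sepolicy.recovery.conf` from all four source sets (L314-L316) without saying why recovery no longer goes through the split/versioned CIL pipeline the main policy keeps. Suggest a comment above L308 such as `# Recovery uses one monolithic policy built from platform and vendor sources; the split/versioned CIL pipeline used for the main policy is not applied here.` — I am inferring the reason from the diff, so confirm it before committing to the wording. The continuation lines at L315-L316 are indented with spaces, whereas the equivalent `build_policy` continuations at L143 and L229 start at column 0; pick one style. The recipe of this rule continues past the end of the hunk.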
@@ -553,84 +562,10 @@
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-plat_policy_nvr.recovery := $(intermediates)/plat_policy_nvr.recovery.cil
-$(plat_policy_nvr.recovery): $(plat_policy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+                       $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
-
-plat_policy.recovery.conf :=
-
-# auto-generate the mapping file for current platform policy, since it needs to
-# track platform policy development
-current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil
-$(current_mapping.recovery.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(current_mapping.recovery.cil) : $(plat_pub_policy.recovery.cil) $(HOST_OUT_EXECUTABLES)/version_policy
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-
-ifeq ($(BOARD_SEPOLICY_VERS), current)
-mapping_policy_nvr.recovery := $(current_mapping.recovery.cil)
-else
-mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil, \
-$(PLAT_PRIVATE_POLICY)/mapping)
-endif
-
-current_mapping.recovery.cil :=
-
-# nonplat_policy.recovery.conf - A combination of the non-platform private,
-# vendor and the exported platform policy associated with the version the
-# non-platform policy targets.  This needs attributization and to be combined
-# with the platform-provided policy.  Like plat_pub_policy.recovery.conf, this
-# needs to make use of the reqd_policy_mask files from private policy in order
-# to use checkpolicy.
-nonplat_policy.recovery.conf := $(intermediates)/nonplat_policy.recovery.conf
-$(nonplat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(nonplat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(nonplat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(nonplat_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(nonplat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_recovery=true \
-		-s $^ > $@
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-nonplat_policy_raw.recovery := $(intermediates)/nonplat_policy_raw.recovery.cil
-$(nonplat_policy_raw.recovery): PRIVATE_POL_CONF := $(nonplat_policy.recovery.conf)
-$(nonplat_policy_raw.recovery): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(nonplat_policy_raw.recovery): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.recovery.conf) \
-$(reqd_policy_mask.cil)
-	@mkdir -p $(dir $@)
-	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
-	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-
-nonplat_policy_nvr.recovery := $(intermediates)/nonplat_policy_nvr.recovery.cil
-$(nonplat_policy_nvr.recovery) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(nonplat_policy_nvr.recovery) : PRIVATE_TGT_POL := $(nonplat_policy_raw.recovery)
-$(nonplat_policy_nvr.recovery) : $(plat_pub_policy.recovery.cil) $(nonplat_policy_raw.recovery) \
-$(HOST_OUT_EXECUTABLES)/version_policy
-	@mkdir -p $(dir $@)
-	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-
-nonplat_policy.recovery.conf :=
-nonplat_policy_raw.recovery :=
-
-all_cil_files.recovery := \
-    $(plat_policy_nvr.recovery) \
-    $(mapping_policy_nvr.recovery) \
-    $(nonplat_policy_nvr.recovery) \
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files.recovery)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files.recovery)
-	@mkdir -p $(dir $@)
-	$(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
 	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
 		echo "==========" 1>&2; \
@@ -641,13 +576,12 @@
 		fi
 	$(hide) mv $@.tmp $@
 
-all_cil_files.recovery :=
-plat_pub_policy.recovery.cil :=
-plat_policy_nvr.recovery :=
-mapping_policy_nvr.recovery :=
-nonplat_policy_nvr.recovery :=
+sepolicy.recovery.conf :=
 
 ##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := general_sepolicy.conf
@@ -667,28 +601,10 @@
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=false \
+		-D target_full_treble=cts \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-
 ##################################
 # TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
 #
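Review bot: `-D target_full_treble=cts` at L430 introduces a new m4 define with no comment, and its value `cts` is neither `true` nor `false`, so presumably the treble-conditional macros treat it as a third state — but nothing here says which conditional rules the CTS policy ends up including or excluding as a result. Suggest a comment above the m4 invocation (which starts before this hunk), e.g. `# target_full_treble=cts: <PLACEHOLDER: describe how the treble-conditional macros expand for the CTS policy>`, so that someone adjusting `full_treble_only`/`not_full_treble` knows this build depends on it.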
@@ -923,8 +839,6 @@
 $(plat_property_contexts.tmp): $(plat_pcfiles)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-
-
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
@@ -937,7 +851,6 @@
 
 ##################################
 include $(CLEAR_VARS)
-
 LOCAL_MODULE := nonplat_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -986,7 +899,6 @@
 
 ##################################
 include $(CLEAR_VARS)
-
 LOCAL_MODULE := nonplat_property_contexts.recovery
 LOCAL_MODULE_STEM := nonplat_property_contexts
 LOCAL_MODULE_CLASS := ETC
@@ -1067,6 +979,101 @@
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := plat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
+
+plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
+$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
+$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+plat_hwsvcfiles :=
+plat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := nonplat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
+$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
+$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+nonplat_hwsvcfiles :=
+nonplat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vndservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
+
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := plat_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
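Review bot: Each of the three new context modules writes the final `$@` first and only then runs checkfc on it (L508-L509, L540-L541, L572-L573), so if checkfc rejects the file the broken output stays on disk with a fresh mtime and a following incremental build may treat it as up to date, unless the build driver deletes outputs of failed commands; the rest of this file stages into `$@.tmp` and moves it into place last (L404, L410). `$(ACP)` is a prerequisite of all three rules although none of the recipes uses it, and the plat recipe's checkfc line at L509 lacks the `$(hide)` the other two have. The rewrite below is for plat_hwservice_contexts; apply the same shape to the other two (keeping their `-l`/`-v` selection).
```make
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) mv $@.tmp $@
# … unchanged: variable cleanup, nonplat_hwservice_contexts and vndservice_contexts modules …
```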
@@ -1133,8 +1140,6 @@
 build_policy :=
 built_plat_fc :=
 built_nonplat_fc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
 built_nl :=
 built_plat_cil :=
 built_mapping_cil :=
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 4962149..0933115 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -65,4 +65,9 @@
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
 
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_property_contexts)
+
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)
diff --git a/private/access_vectors b/private/access_vectors
index c4f13bb..6b08d9e 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -668,6 +668,20 @@
 	list
 }
 
+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
+class vndservice_manager
+{
+	add
+	find
+	list
+}
+
 class keystore_key
 {
 	get_state
@@ -688,6 +702,7 @@
 	clear_uid
 	add_auth
 	user_changed
+	gen_unique_id
 }
 
 class drmservice {
diff --git a/private/adbd.te b/private/adbd.te
index eb6ae32..b402335 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -103,6 +103,8 @@
 allow adbd service_contexts_file:file r_file_perms;
 allow adbd file_contexts_file:file r_file_perms;
 allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
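Review bot: The two new rules at L647-L648 let adbd read property_contexts and the compiled policy itself with no comment saying which adbd code path needs them; `sepolicy_file` in particular is worth a sentence, since nothing in this commit explains why the debug bridge daemon has to open the policy. Suggest a comment above L647 such as `# adbd reads property_contexts and the compiled policy for <PLACEHOLDER: reason>`, filled in with the actual reason rather than left generic.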
diff --git a/private/app.te b/private/app.te
index 81de403..c3f44dd 100644
--- a/private/app.te
+++ b/private/app.te
@@ -93,6 +93,27 @@
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+    allow appdomain vendor_file_type:dir r_dir_perms;
+    allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+    # For looking up Renderscript vendor drivers
+    allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
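Review bot: The comment at L671-L672 says privileged apps are excluded from `/vendor/app`, but the rule at L673 excludes `ephemeral_app` and `untrusted_v2_app`, not `priv_app`, so either the comment or the exclusion list is wrong. The non-Treble branch at L661-L664 also grants every appdomain, isolated_app included, `r_dir_perms` on every `vendor_file_type` directory, whereas the Treble branch at L666-L669 carves out `isolated_app` and grants only `open read` on `vendor_file`; the asymmetry may be deliberate for legacy devices, but it deserves a sentence so it is not read as an oversight. Suggest rewording L671-L672 to match the rule, e.g. `# Allow apps read access to /vendor/app, except ephemeral and v2 untrusted apps`, and adding the reason for each exclusion.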
diff --git a/private/asan_extract.te b/private/asan_extract.te
new file mode 100644
index 0000000..1c20d78
--- /dev/null
+++ b/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
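Review bot: The header comment at L690-L693 reads as two sentences run together ("...private policy the domain_trans rules could stay public..."), so the reason for placing these rules in private policy is hard to follow. Suggest `# type_transition rules must live in private policy. The domain_trans rules could stay public, but conceptually belong together with them.` — same content, punctuated. The `asan_extract` type itself is not declared in this chunk, so a reader of this file alone cannot see where it comes from; a pointer to that file would help.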
diff --git a/private/audioserver.te b/private/audioserver.te
index 61ccefc..b5bfe39 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -13,6 +13,9 @@
 binder_service(audioserver)
 
 hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
 hal_client_domain(audioserver, hal_audio)
 
 userdebug_or_eng(`
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b0048aa..d05a21f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,10 +49,6 @@
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
-# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/private/domain.te b/private/domain.te
index 6f8814e..d37a0bd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -13,3 +13,6 @@
   -system_server
   userdebug_or_eng(`-perfprofd')
 } self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bb..afe4f0a 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@
 init_daemon_domain(drmserver)
 
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/private/file_contexts b/private/file_contexts
index 6687144..c31ec06 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -51,7 +51,10 @@
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts   u:object_r:vndservice_contexts_file:s0
 
 ##########################
 # Devices
@@ -115,7 +118,6 @@
 /dev/snd/audio_seq_device	u:object_r:audio_seq_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
-/dev/socket/sap_uim_socket[0-9]        u:object_r:sap_uim_socket:s0
 /dev/socket/cryptd	u:object_r:vold_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
@@ -144,7 +146,6 @@
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tegra.*		u:object_r:video_device:s0
-/dev/tf_driver		u:object_r:tee_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
@@ -173,6 +174,7 @@
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/toybox	--	u:object_r:toolbox_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
+/system/bin/logcatd	--	u:object_r:logcat_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/bootanimation u:object_r:bootanim_exec:s0
@@ -215,7 +217,6 @@
 /system/bin/dhcpcd-6.8.2	u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
-/system/bin/tf_daemon	u:object_r:tee_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
@@ -249,27 +250,46 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
-/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 
 #############################
 # Vendor files
 #
-/vendor(/.*)?		u:object_r:system_file:s0
-/vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
+/(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
+
 /vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
 /vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
 
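Review bot: The three new split-policy entries `/vendor/etc/selinux/nonplat_hwservice_contexts`, `/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256` and `/vendor/etc/selinux/vndservice_contexts` keep a bare `/vendor/` prefix while the vendor rules added just above in the same hunk match `/(vendor|system/vendor)`; on a device where /system/vendor is a real directory rather than the symlink domain.te describes, those files would instead fall to `/(vendor|system/vendor)/etc(/.*)?` and be labeled `vendor_configs_file`. If that layout is possible for the split-policy files, the new lines should use the same alternation, e.g. `/(vendor|system/vendor)/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0`. Separately, the dots are now escaped in `plat_mac_permissions\.xml` and `precompiled_sepolicy\.plat_and_mapping\.sha256` but not in the neighbouring `nonplat_mac_permissions.xml` or `nonplat_sepolicy.cil` (an unescaped `.` matches any character), so the escaping is worth making uniform within this block.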
 #############################
 # OEM and ODM files
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 5813d32..d35cd3c 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -1,4 +1,5 @@
-/data/lib(/.*)?                u:object_r:system_file:s0
-/data/lib64(/.*)?              u:object_r:system_file:s0
-/data/vendor/lib(/.*)?         u:object_r:system_file:s0
-/data/vendor/lib64(/.*)?       u:object_r:system_file:s0
+/data/asan/system/lib(/.*)?                u:object_r:system_file:s0
+/data/asan/system/lib64(/.*)?              u:object_r:system_file:s0
+/data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
+/data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
+/system/bin/asan_extract       u:object_r:asan_extract_exec:s0
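Review bot: The four relocated `/data/asan/...` trees keep the `system_file` label, and domain.te grants every domain `execute` on `system_file:file` (`allow domain system_file:file { execute read open getattr };`), so these writable-partition paths are loadable and executable system-wide. That is presumably intended for sanitizer builds only, but nothing in this file says so; a header comment such as `# Sanitizer builds only: libraries under /data/asan are staged by asan_extract and carry system_file so every domain can load them.` would make the trade-off explicit to the next reader.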
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
new file mode 100644
index 0000000..9330041
--- /dev/null
+++ b/private/hwservice_contexts
@@ -0,0 +1,2 @@
+android.hardware.camera.provider::ICameraProvider             u:object_r:hw_camera_provider_ICameraProvider:s0
+*                                    u:object_r:default_android_hwservice:s0
diff --git a/private/init.te b/private/init.te
index fb4335a..f84d87e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
 domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/private/priv_app.te b/private/priv_app.te
index e9741b7..f157073 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -92,6 +92,10 @@
 binder_call(priv_app, update_engine)
 allow priv_app update_engine_service:service_manager find;
 
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(priv_app, storaged)
+allow priv_app storaged_service:service_manager find;
+
 # Allow Phone to read/write cached ringtones (opened by system).
 allow priv_app ringtone_file:file { getattr read write };
 
@@ -115,6 +119,9 @@
 # TODO: narrow this to just MediaProvider
 allow priv_app mnt_media_rw_file:dir search;
 
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
 read_runtime_log_tags(priv_app)
 
 ###
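Review bot: `allow priv_app keystore:keystore_key gen_unique_id;` applies to every app running in the `priv_app` domain, not only the GMS core that the comment cites as an example, and it is unconditional (no `userdebug_or_eng` gating or neverallow bounding it). If the intent is GMS-only, the comment should at least state that the grant is domain-wide, e.g. `# Allow all privileged apps (GMS core is the known user) to generate unique hardware IDs via keystore`, so the scope is visible to reviewers of later priv_app changes. The same hunk-level remark applies to the new `binder_call(priv_app, storaged)` grant above it.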
diff --git a/private/property_contexts b/private/property_contexts
index c205e59..4c27b35 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -57,7 +57,6 @@
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
-persist.hal.binderization    u:object_r:hal_binderization_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
@@ -112,3 +111,6 @@
 
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
+
+# ASAN install trigger
+asan.restore_reboot  u:object_r:asan_reboot_prop:s0
diff --git a/private/security_classes b/private/security_classes
index a202c5d..5685bd6 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -134,6 +134,12 @@
 # Service manager
 class service_manager           # userspace
 
+# hardware service manager      # userspace
+class hwservice_manager
+
+# vendor service manager        # userspace
+class vndservice_manager
+
 # Keystore Key
 class keystore_key              # userspace
 
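Review bot: The `# userspace` marker for the two new classes sits on the descriptive comment line (`# hardware service manager      # userspace`) rather than after the `class` declaration, which is where `class service_manager           # userspace` and `class keystore_key              # userspace` carry it in this file; anything scanning `class` lines for the annotation will miss these. Suggest `class hwservice_manager         # userspace` and `class vndservice_manager        # userspace`, keeping the descriptive comment above each.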
diff --git a/private/service_contexts b/private/service_contexts
index b00579a..8ba1b0c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipsec                                     u:object_r:ipsec_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
@@ -74,6 +75,7 @@
 launcherapps                              u:object_r:launcherapps_service:s0
 location                                  u:object_r:location_service:s0
 lock_settings                             u:object_r:lock_settings_service:s0
+media.aaudio                              u:object_r:audioserver_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
 media.camera                              u:object_r:cameraserver_service:s0
@@ -158,6 +160,7 @@
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
 vr_window_manager                         u:object_r:vr_window_manager_service:s0
+vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0
diff --git a/private/shell.te b/private/shell.te
index aab0a15..c24bfd3 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -10,3 +10,6 @@
 # Run app_process.
 # XXX Transition into its own domain?
 app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
diff --git a/private/storaged.te b/private/storaged.te
index 3dbabf6..96433b3 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -21,6 +21,15 @@
   allow storaged debugfs_mmc:file r_file_perms;
 ')
 
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+allow storaged app_data_file:file write;
+allow storaged permission_service:service_manager find;
+
 # Binder permissions
 add_service(storaged, storaged_service)
 
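Review bot: `allow storaged app_data_file:file write;` is granted without `open`, so in practice it only reaches app data files whose descriptor priv_app already handed over (the `priv_app:fd use` line above it); the comment should say so, because a later addition of `open` would silently turn this into write access to every app's private data. Suggest `# Write only to app_data_file descriptors received from priv_app over binder; do not add open.` on that line.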
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f143580..9f5e4fa 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -60,7 +60,6 @@
 
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 
diff --git a/private/system_app.te b/private/system_app.te
index 1e2245f..02e6101 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -31,7 +31,6 @@
 # Write to properties
 set_prop(system_app, bluetooth_prop)
 set_prop(system_app, debug_prop)
-set_prop(system_app, hal_binderization_prop)
 set_prop(system_app, system_prop)
 set_prop(system_app, logd_prop)
 set_prop(system_app, net_radio_prop)
@@ -57,7 +56,7 @@
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
     get_state
diff --git a/private/system_server.te b/private/system_server.te
index ddeeb1b..2711a8c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -18,6 +18,10 @@
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
+userdebug_or_eng(`
+  # Report dalvikcache_data_file:file execute violations.
+  auditallow system_server dalvikcache_data_file:file execute;
+')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -183,6 +187,8 @@
 hal_client_domain(system_server, hal_sensors)
 binder_call(system_server, hal_thermal)
 hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
 binder_call(system_server, hal_usb)
 hal_client_domain(system_server, hal_usb)
 binder_call(system_server, hal_vibrator)
@@ -190,6 +196,7 @@
 binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
+
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 # Talk to tombstoned to get ANR traces.
@@ -287,6 +294,12 @@
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
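Review bot: The second comment in this hunk is a copy-paste leftover: `# Access /vendor/app` precedes `r_dir_file(system_server, vendor_overlay_file)`, and file.te declares `vendor_overlay_file` as the type for /vendor/overlay. Change it to `# Access /vendor/overlay`. system_server.te continues on both sides of the hunk.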
@@ -445,9 +458,6 @@
 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
 
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
-
 # BackupManagerService needs to manipulate backup data files
 allow system_server cache_backup_file:dir rw_dir_perms;
 allow system_server cache_backup_file:file create_file_perms;
diff --git a/private/tee.te b/private/tee.te
deleted file mode 100644
index c29bee6..0000000
--- a/private/tee.te
+++ /dev/null
@@ -1,5 +0,0 @@
-init_daemon_domain(tee)
-
-# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
-# longer communicate with tee daemon over sockets
-typeattribute tee socket_between_core_and_vendor_violators;
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
new file mode 100644
index 0000000..51d2420
--- /dev/null
+++ b/private/vr_hwc.te
@@ -0,0 +1,4 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
diff --git a/private/zygote.te b/private/zygote.te
index 15fd951..daabbc0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,6 +51,9 @@
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/asan_extract.te b/public/asan_extract.te
new file mode 100644
index 0000000..6d0de6c
--- /dev/null
+++ b/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+  type asan_extract, domain, coredomain;
+  type asan_extract_exec, exec_type, file_type;
+
+  # Allow asan_extract to execute itself using #!/system/bin/sh
+  allow asan_extract shell_exec:file rx_file_perms;
+
+  # We execute log, rm, gzip and tar.
+  allow asan_extract toolbox_exec:file rx_file_perms;
+  allow asan_extract system_file:file execute_no_trans;
+
+  # asan_extract deletes old /data/lib.
+  allow asan_extract system_file:dir { open read remove_name rmdir write };
+  allow asan_extract system_file:file unlink;
+
+  # asan_extract untars ASAN libraries into /data.
+  allow asan_extract system_data_file:dir create_dir_perms ;
+  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+  # Relabel the libraries with restorecon.
+  allow asan_extract file_contexts_file:file r_file_perms;
+  allow asan_extract system_data_file:{ dir file } relabelfrom;
+  allow asan_extract system_file:dir { relabelto setattr };
+  allow asan_extract system_file:file relabelto;
+
+  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+  allow asan_extract system_data_file:file execute;
+
+  # We use asan.restore_reboot to signal a reboot is required.
+  set_prop(asan_extract, asan_reboot_prop)
+')
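Review bot: `allow asan_extract system_file:dir { open read remove_name rmdir write };` and `allow asan_extract system_file:file unlink;` are scoped to the whole `system_file` type, which file.te makes the default label for everything under /system, whereas the comment (`asan_extract deletes old /data/lib`) only needs the /data/asan tree that file_contexts_asan labels `system_file`; the `with_asan(`-asan_extract')` exemptions added to the write and relabelto neverallows in domain.te widen the same gap. If /system is read-only when this runs the practical exposure is limited, but a dedicated type for the staged sanitizer libraries (a new name, e.g. `asan_lib_file`) would let the rmdir/unlink grants and both neverallow exemptions be dropped. At minimum the comment should state that the grant covers all of `system_file`, not only /data.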
diff --git a/public/attributes b/public/attributes
index d9d123f..e120c8f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -41,10 +41,17 @@
 attribute data_file_type;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
+
 # All vendor domains which violate the requirement of not accessing
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
 attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;
 
 # All types use for sysfs files.
 attribute sysfs_type;
@@ -88,11 +95,18 @@
 # services which export only system_api
 attribute system_api_service;
 
-# All types used for services managed by service_manager.
+# All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
 attribute service_manager_type;
 
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;
@@ -124,6 +138,9 @@
 # All core domains (as opposed to vendor/device-specific domains)
 attribute coredomain;
 
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
@@ -211,6 +228,12 @@
 attribute hal_thermal;
 attribute hal_thermal_client;
 attribute hal_thermal_server;
+attribute hal_tv_cec;
+attribute hal_tv_cec_client;
+attribute hal_tv_cec_server;
+attribute hal_tv_input;
+attribute hal_tv_input_client;
+attribute hal_tv_input_server;
 attribute hal_usb;
 attribute hal_usb_client;
 attribute hal_usb_server;
@@ -223,6 +246,18 @@
 attribute hal_wifi;
 attribute hal_wifi_client;
 attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server  to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute wifi_keystore_service_server;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d1b55cf..46083f5 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,6 +8,8 @@
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
+allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
+
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a..ee617a1 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,6 +34,9 @@
 # Read APK files.
 r_dir_file(crash_dump, apk_data_file);
 
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 6421d93..2fb2336 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -3,6 +3,11 @@
 type dex2oat_exec, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
 
 allow dex2oat tmpfs:file { read getattr };
 
@@ -13,6 +18,9 @@
 allow dex2oat dalvikcache_data_file:lnk_file read;
 allow dex2oat installd:fd use;
 
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4a..c18b08d 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,6 +1,5 @@
 type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
 
 net_domain(dhcp)
 
diff --git a/public/domain.te b/public/domain.te
index bd5cb89..9c591db 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -102,12 +102,53 @@
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file { getattr read };
 
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+    allow domain vendor_file_type:dir { search getattr };
+    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+full_treble_only(`
+    # Allow all domains to be able to follow /system/vendor symlink
+    allow domain vendor_file:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The execute permission
+    # for coredomains is granted *only* for same process HALs
+    allow domain vendor_file:dir { getattr search };
+
+    # Allow reading and executing out of /vendor to all vendor domains
+    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
 # libc references /data/misc/zoneinfo for timezone related information
-not_full_treble(`r_dir_file(domain, zoneinfo_data_file)')
-r_dir_file({ coredomain appdomain }, zoneinfo_data_file)
+# This directory is considered to be a VNDK-stable
+r_dir_file(domain, zoneinfo_data_file)
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
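Review bot: Typo in the new comment `# Make sure system/vendor split doesn not affect non-treble` — it should read `does not`. The `not_full_treble` block grants every domain `execute` on all `vendor_file_type` files while the `full_treble_only` block below restricts execute to `{ domain -coredomain }`; a one-line comment stating that this asymmetry is deliberate (legacy devices have no system/vendor boundary to enforce) would keep a future reader from "fixing" one block to match the other. domain.te continues outside this hunk on both sides.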
@@ -171,6 +212,15 @@
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
+# TODO(b/34454312) remove this when the correct policy is in place
+allow domain default_android_hwservice:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+
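Review bot: `allow domain default_android_hwservice:hwservice_manager { add find };` lets every domain, `appdomain` included since it is a subset of `domain`, register as well as look up any HwBinder service that hwservice_contexts maps to the `*` catch-all label. The TODO acknowledges this, but until b/34454312 lands an audit rule on the `add` permission, `userdebug_or_eng(`auditallow domain default_android_hwservice:hwservice_manager add;')`, would show which domains actually depend on registering unlisted services, mirroring the auditallow pattern this commit uses in system_server.te. The two `allow { domain -domain } ...` rules are no-ops by construction (empty source set), which the adjacent comment already explains.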
 ###
 ### neverallow rules
 ###
@@ -300,13 +350,21 @@
 neverallow {
     domain
     -appdomain
+    with_asan(`-asan_extract')
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
     -system_server
     -webview_zygote
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} {
+    file_type
+    -system_file
+    -vendor_file_type
+    -exec_type
+    -postinstall_file
+}:file execute;
+
 neverallow {
     domain
     -appdomain # for oemfs
@@ -335,14 +393,22 @@
 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
-    { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+    domain
+    -recovery
+    with_asan(`-asan_extract')
+} {
+    system_file
+    vendor_file_type
+    exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -491,7 +557,10 @@
     -coredomain
     -appdomain
     -coredata_in_vendor_violators
-  } core_data_file_type:{
+  }
+    core_data_file_type
+    -zoneinfo_data_file # Stable API provided by libc
+  :{
     file_class_set
   } ~{ append getattr ioctl read write };
   # do not allow vendor component access to coredomains data directories.
@@ -502,13 +571,36 @@
     -coredomain
     -appdomain
     -coredata_in_vendor_violators
-  } { core_data_file_type -system_data_file }:dir *;
+  } {
+    core_data_file_type
+    -system_data_file
+    -zoneinfo_data_file # Stable API provided by libc
+  }:dir *;
   neverallow {
     domain
     -coredomain
     -appdomain
     -coredata_in_vendor_violators
   } system_data_file:dir ~search;
+  # do not allow coredomains to directly access vendor data. Exempt init
+  # because it is responsible for dir/file creation in init.rc scripts.
+  # Also exempt halclientdomain to exclude rules for passthrough mode.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  # do not allow coredomain to access vendor data directories.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+    } { data_file_type -core_data_file_type }:dir *;
 ')
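Review bot: The closing `} { data_file_type -core_data_file_type }:dir *;` of the second new neverallow is indented four spaces while its opening `neverallow {` and the sibling rule directly above use two. The same kind of inconsistency appears later in this file in the two /vendor/overlay neverallows (after `# Limit access to /vendor/overlay`), where the `-init` entries are indented with a tab while every neighbouring line uses spaces. Both are harmless to the compiler but break the visual block structure; align them with the surrounding lines.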
 
 # On full TREBLE devices, socket communications between core components and vendor components are
@@ -554,6 +646,88 @@
     -netdomain
     -socket_between_core_and_vendor_violators
   }, netd);
+
+  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # appdomain restrictions below
+    -socket_between_core_and_vendor_violators
+  } {
+    coredomain_socket
+    core_data_file_type
+    unlabeled # used only by core domains
+  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    coredomain_socket
+    unlabeled # used only by core domains
+    core_data_file_type
+    -app_data_file
+    -pdx_socket # used by VR layer
+  }:sock_file ~{ append getattr ioctl read write };
+
+  # Core domains are not permitted to create/open sockets owned by vendor domains
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -socket_between_core_and_vendor_violators
+  } {
+    file_type
+    dev_type
+    -coredomain_socket
+    -core_data_file_type
+    -unlabeled
+  }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:{ file lnk_file } r_file_perms;
+
+    # Limit access to /vendor/overlay
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+	-init
+        -system_server
+        -zygote
+    } vendor_overlay_file:dir { getattr open read search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+	-init
+        -system_server
+        -zygote
+    } vendor_overlay_file:{ file lnk_file } r_file_perms;
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
@@ -677,6 +851,7 @@
   -system_app
   -init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
 # to installd
@@ -774,6 +949,7 @@
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 
+
 # servicemanager is the only process which handles list request
 neverallow * ~servicemanager:service_manager list;
 
@@ -833,7 +1009,7 @@
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index aa6ec4e..9777753 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -71,7 +71,6 @@
 
 # System file accesses.
 allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
@@ -86,14 +85,6 @@
   -vold
   -zygote
 } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} system_file:file { ioctl lock }; # read open getattr in domain
 ')
 
 # Read files already opened under /data.
diff --git a/public/drmserver.te b/public/drmserver.te
index 825e828..f752c13 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -31,7 +31,6 @@
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
 allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9b54329..bfbb43b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -170,7 +170,7 @@
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index d7a82bc..35bbd6d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,29 @@
 
 # File types
 type unlabeled, file_type;
+
 # Default type for anything under /system.
 type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
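Review bot: The comment on the new `vendor_hal_file` type is garbled (`# Default type for directories search for` / `# HAL implementations`) and the `vendor_file` comment has lost its subject (`# Default type for under /vendor or /system/vendor`); since these types are what vendor policy authors will look up first, the wording should be exact. Suggested: `# Default type for directories searched for HAL implementations` and `# Default type for everything under /vendor or /system/vendor`. The `vendor_configs_file` line also has a trailing slash (`/vendor/etc/`) where the sibling comments have none — harmless, but inconsistent.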
@@ -135,6 +156,8 @@
 type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -224,35 +247,34 @@
 type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
-type property_socket, file_type, mlstrustedobject;
-type racoon_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type webview_zygote_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
 type wpa_socket, file_type;
-type zygote_socket, file_type;
-type sap_uim_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
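Review bot: `type sap_uim_socket, file_type;` is removed in this hunk with no replacement visible on this page; a device policy that still references that type would fail policy compilation, so it is worth confirming that every remaining reference was dropped in the same merge. The new `coredomain_socket` attribute is applied without explanation, and it is also applied to `misc_logd_file`, which is a file type that merely sits under the `# Socket types` heading; if the attribute is meant to mark sockets that vendor domains must not access, a one-line comment at the heading would make that intent (and the deliberate omission of `rild_socket`, `rild_debug_socket` and `wpa_socket`, presumably because vendor domains use them) explicit, e.g. `# coredomain_socket: sockets served by core domains; not for vendor domains. rild/wpa sockets are excluded on purpose.`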
@@ -274,6 +296,12 @@
 # service_contexts file
 type service_contexts_file, file_type;
 
+# hwservice_contexts file
+type hwservice_contexts_file, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index b05239b..a00bf9f 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,6 +2,8 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
+add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;
 allow hal_camera camera_data_file:file create_file_perms;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 05fe347..a773dd5 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -34,8 +34,6 @@
 
 allow hal_drm sysfs:file r_file_perms;
 
-# Connect to tee service.
-allow hal_drm tee:unix_stream_socket connectto;
 allow hal_drm tee_device:chr_file rw_file_perms;
 
 # only allow unprivileged socket ioctl commands
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c..afcd0bd 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,4 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster tee:unix_stream_socket connectto;
-
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 0d6dfe0..567b0be 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -3,3 +3,7 @@
 
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
new file mode 100644
index 0000000..aa85b92
--- /dev/null
+++ b/public/hal_tv_cec.te
@@ -0,0 +1,3 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
new file mode 100644
index 0000000..5276ddf
--- /dev/null
+++ b/public/hal_tv_input.te
@@ -0,0 +1,3 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index ed10f8d..49ce4fa 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -23,17 +23,6 @@
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
 allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
-# TODO(b/34131400): Use hwbinder to access keystore.
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow hal_wifi_supplicant keystore:keystore_key {
-    get
-    sign
-    verify
-};
-
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
 userdebug_or_eng(`
diff --git a/public/hwservice.te b/public/hwservice.te
new file mode 100644
index 0000000..cf59629
--- /dev/null
+++ b/public/hwservice.te
@@ -0,0 +1,2 @@
+type default_android_hwservice,   hwservice_manager_type;
+type hw_camera_provider_ICameraProvider,             hwservice_manager_type;
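Review bot: The two declarations pad the column after the comma differently (`default_android_hwservice,   ` versus `hw_camera_provider_ICameraProvider,             `), which reads as an abandoned attempt at column alignment; either align both on one column or use a single space as the `service.te` hunks in this same commit do. As this is a new file with no comment, a one-line header such as `# hwservice_manager_type declarations used by hwservicemanager and add_hwservice()` would also help readers find where new HAL service types belong.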
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 77074f4..1ffd2a6 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,9 +2,6 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
-# serving android.hidl.manager@1.0 and android.hidl.token@1.0
-typeattribute hwservicemanager halserverdomain;
-
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)
 # for hwbinder.
@@ -18,6 +15,8 @@
 # Scan through /system/lib64/hw looking for installed HALs
 allow hwservicemanager system_file:dir r_dir_perms;
 
-# TODO once hwservicemanager checks whether HALs are
-# allowed to register a certain service, add policy here
-# for allowing to check SELinux permissions.
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/public/idmap.te b/public/idmap.te
index 61f1e1c..1c32f8f 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -9,3 +9,9 @@
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
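Review bot: The two new comments say `# Allow apps access to /vendor/app` and `# Allow apps access to /vendor/overlay`, but the rules grant read access to the `idmap` domain, not to apps, so the comments mis-describe who gets the permission. `# Allow idmap to read target APKs in /vendor/app` and `# Allow idmap to read overlay APKs in /vendor/overlay` state what the rules actually do and match the "target and overlay apk" wording a few lines above.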
diff --git a/public/init.te b/public/init.te
index 4af41ec..0deb8cd 100644
--- a/public/init.te
+++ b/public/init.te
@@ -60,7 +60,7 @@
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
@@ -127,6 +127,7 @@
   -misc_logd_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
 
 allow init {
@@ -138,6 +139,7 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
 
@@ -151,6 +153,7 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
@@ -163,6 +166,7 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
@@ -175,12 +179,13 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -384,6 +389,7 @@
 allow init misc_block_device:blk_file w_file_perms;
 
 r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
 allow init proc_meminfo:file r_file_perms;
 
 allow init system_data_file:file { getattr read };
diff --git a/public/installd.te b/public/installd.te
index a85edff..774ba49 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,8 @@
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
 # Get seapp_context
diff --git a/public/keystore.te b/public/keystore.te
index 55cafc5..378949a 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -10,6 +10,10 @@
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)
 
+# Offer the Wifi Keystore HwBinder service
+hwbinder_use(keystore)
+typeattribute keystore wifi_keystore_service_server;
+
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 721f624..b8cde80 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -1,6 +1,6 @@
 # mediacodec - audio and video codecs live here
 type mediacodec, domain;
-type mediacodec_exec, exec_type, file_type;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
 
 typeattribute mediacodec mlstrustedsubject;
 
diff --git a/public/mediametrics.te b/public/mediametrics.te
index ce2dab7..4c10d87 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -14,6 +14,9 @@
 r_dir_file(mediametrics, cgroup)
 allow mediametrics proc_meminfo:file r_file_perms;
 
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
 ###
 ### neverallow rules
 ###
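Review bot: `allow mediametrics app_data_file:file write;` lets a system daemon write to the private data label of every app, and the comment `# allows interactions with dumpsys to GMScore` does not say why that is acceptable. Because only `write` is granted (no `open`), the rule can only be exercised through a file descriptor an app has already opened and passed in, such as the output fd of a dumpsys invocation; the comment should record that constraint so a later edit does not quietly add `open`: `# Write to an app-supplied fd (e.g. dumpsys output); no open permission, so mediametrics cannot open app files itself.` If no global neverallow already pins this, `neverallow mediametrics app_data_file:file open;` in the neverallow section directly below would enforce it.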
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 93f1548..01cc4d8 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -67,9 +67,6 @@
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
 
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
-
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
 unix_socket_connect(mediaserver, drmserver, drmserver)
@@ -78,9 +75,6 @@
 # but seems appropriate for all devices.
 unix_socket_connect(mediaserver, bluetooth, bluetooth)
 
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
-
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173d..24a6b3b 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,5 @@
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })
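Review bot: The two new rules are placed after the closing `')` and therefore apply to all builds, whereas the rootfs rules directly above them are `userdebug_or_eng`-only; that split looks intended (modules under /system and /vendor on shipping devices) but nothing says so, and a reader could easily assume the new lines were meant to sit inside the block. A short comment would remove the ambiguity: `# Load kernel modules from /system and /vendor on all builds.`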
diff --git a/public/netd.te b/public/netd.te
index 81f4af4..3a48cd3 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,9 @@
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
 r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
@@ -80,6 +83,9 @@
 } { read write getattr setattr getopt setopt };
 allow netd netdomain:fd use;
 
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
index 5f037c5..6551864 100644
--- a/public/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -11,6 +11,8 @@
 # the directory afterwards. For logging of aggregate size, we need getattr.
 allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
 allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
 
 # Delete old content of the dalvik-cache.
 allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 76001f7..b66c927 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -17,6 +17,8 @@
 
 # Read app data (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 
diff --git a/public/property.te b/public/property.te
index a3f5a1e..d6fa868 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,3 +1,4 @@
+type asan_reboot_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_prop, property_type;
@@ -43,7 +44,6 @@
 type shell_prop, property_type, core_property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
-type hal_binderization_prop, property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;
diff --git a/public/recovery.te b/public/recovery.te
index d6aef1c..784596d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,10 @@
   allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
   allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
+  # Read /sys/class/thermal/*/temp for thermal info.
+  allow recovery sysfs_thermal:dir search;
+  allow recovery sysfs_thermal:file r_file_perms;
+
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
 
diff --git a/public/service.te b/public/service.te
index 9c52e92..efd4c86 100644
--- a/public/service.te
+++ b/public/service.te
@@ -28,6 +28,7 @@
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vr_window_manager_service, service_manager_type;
+type vr_hwc_service,            service_manager_type;
 
 # system_server_services broken down
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -45,7 +46,7 @@
 type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service,  system_server_service, service_manager_type;
 type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type commontime_management_service, system_server_service, service_manager_type;
 type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
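Review bot: The rewritten `contexthub_service` line keeps a doubled space where `ephemeral_app_api_service` was removed (`app_api_service,  system_server_service`), while the other lines in this commit that drop the same attribute (`device_policy_service`, `ethernet_service`, `fingerprint_service`, `shortcut_service`, `trust_service`, `usb_service`) use a single space. `type contexthub_service, app_api_service, system_server_service, service_manager_type;` matches them.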
@@ -59,7 +60,7 @@
 type coverage_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
 type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -70,8 +71,8 @@
 type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hardware_service, system_server_service, service_manager_type;
@@ -80,6 +81,7 @@
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
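Review bot: `ipsec_service` is introduced with `ephemeral_app_api_service`, while this same commit removes ephemeral (instant-app) access from seven existing services (contexthub, device_policy, ethernet, fingerprint, shortcut, trust, usb); exposing a new system service to ephemeral apps from day one runs against that tightening, so confirm the attribute was chosen deliberately rather than copied from the neighbouring lines. If ephemeral apps do not need it, `type ipsec_service, app_api_service, system_server_service, service_manager_type;` is the consistent form.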
@@ -119,19 +121,19 @@
 type serial_service, system_api_service, system_server_service, service_manager_type;
 type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
 type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type task_service, system_server_service, service_manager_type;
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type updatelock_service, system_api_service, system_server_service, service_manager_type;
 type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
 type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 7ad32fc..bba9c6e 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,8 @@
 allow servicemanager { domain -init }:binder transfer;
 
 # Access to all (system and vendor) service_contexts
+# TODO(b/36866029) access to nonplat_service_contexts
+#                  should not be allowed on full treble devices
 allow servicemanager service_contexts_file:file r_file_perms;
 
 # Check SELinux permissions.
diff --git a/public/shell.te b/public/shell.te
index 0e55f84..fd0f2ef 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -64,8 +64,6 @@
 userdebug_or_eng(`set_prop(shell, log_prop)')
 # logpersist script
 userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# hal binderization
-userdebug_or_eng(`set_prop(shell, hal_binderization_prop)')
 
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
@@ -82,12 +80,13 @@
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to get information from hwservicemanager
 # for instance, listing hardware services with lshal
 hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
@@ -147,6 +146,13 @@
 #
 allow shell dev_type:blk_file getattr;
 
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/su.te b/public/su.te
index 8cb386d..77fd071 100644
--- a/public/su.te
+++ b/public/su.te
@@ -10,6 +10,9 @@
   # Add su to various domains
   net_domain(su)
 
+  # grant su access to vndbinder
+  vndbinder_use(su)
+
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
   dontaudit su kernel:system *;
@@ -34,7 +37,11 @@
   dontaudit su property_type:property_service *;
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
+  dontaudit su hwservice_manager_type:hwservice_manager *;
+  dontaudit su vndservice_manager_type:vndservice_manager *;
   dontaudit su servicemanager:service_manager list;
+  dontaudit su hwservicemanager:hwservice_manager list;
+  dontaudit su vndservicemanager:vndservice_manager list;
   dontaudit su keystore:keystore_key *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
diff --git a/public/te_macros b/public/te_macros
index 57a038a..beec546 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -175,12 +175,16 @@
 typeattribute $1 halclientdomain;
 typeattribute $1 $2_client;
 
-# TODO(b/34170079): Make the inclusion of the rules below conditional,
-# once we know at build time whether a HAL is going to run in
-# passthrough or binderized mode.
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
+')
 ')
 
 #####################################
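Review bot: The two `vendor_file` lines added here are duplicated verbatim in the next hunk (the macro at `@@ -197`), but here they are wrapped in `not_full_treble(` while there they are unconditional, and nothing records why the two macros differ; if the second macro is the passthrough-only client macro that is the right split, but a one-line comment in each saying so would stop the next editor from "fixing" the asymmetry. The permission set is also hand-written next to `r_dir_perms`; if `rx_file_perms` is defined in this tree's global_macros, `allow $2 vendor_file:file rx_file_perms;` keeps the two macros in the same vocabulary as the rest of the file, and pulling the shared dir/file pair into a small helper macro would remove the duplication.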
@@ -197,6 +201,8 @@
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
 ')
 
 #####################################
@@ -282,13 +288,6 @@
 allow hwservicemanager $1:dir search;
 allow hwservicemanager $1:file { read open };
 allow hwservicemanager $1:process getattr;
-# TODO(b/34274385): hals wait for data to be mounted so they can
-# start only if persist.hal.binderization is enabled. (for dogfood
-# stability). getService must also check for data to be mounted
-# if the vintf promises the hal will be registered over hwbinder.
-get_prop($1, hal_binderization_prop)
-get_prop($1, persistent_properties_ready_prop)
-get_prop($1, vold_prop)
 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')
@@ -390,7 +389,12 @@
 # Full TREBLE only
 # SELinux rules which apply only to full TREBLE devices
 #
-define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
 
 #####################################
 # Not full TREBLE
@@ -498,6 +502,16 @@
   neverallow { domain -$1 } $2:service_manager add;
 ')
 
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+  allow $1 $2:hwservice_manager { add find };
+  neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
 ##########################################
 # print a message with a trailing newline
 # print(`args')
diff --git a/public/tee.te b/public/tee.te
index 84e6492..f023d5c 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -1,20 +1,7 @@
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain, domain_deprecated;
-type tee_exec, exec_type, file_type;
+type tee, domain;
+
+# Device(s) for communicating with the TEE
 type tee_device, dev_type;
-
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-
-# TODO(b/36720355): Remove this once tee no longer access non-vendor files
-typeattribute tee coredata_in_vendor_violators;
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
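Review bot: After this hunk the public policy keeps `type tee, domain;` but defines no `tee_exec` and no access rules, so a device whose TEE daemon previously relied on the public domain now needs the exec type, file contexts and rules in its vendor policy, otherwise init has nothing to transition into `tee` with; that expectation is not stated anywhere in the file. A comment next to the remaining declaration would make the contract explicit: `# The tee domain's exec type and access rules are provided by vendor policy.`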
diff --git a/public/ueventd.te b/public/ueventd.te
index 512b019..8ec667e 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@
 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)
 
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file)
+
 # Get file contexts for new device nodes
 allow ueventd file_contexts_file:file r_file_perms;
 
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8c8e9a9..4d4e1f9 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -12,5 +12,8 @@
 # Read all blocks in dm wrapped system partition.
 allow update_verifier dm_device:blk_file r_file_perms;
 
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
 # Use Boot Control HAL
 hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/vdc.te b/public/vdc.te
index 67fb7a3..53d7bbe 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -22,3 +22,6 @@
 
 # vdc can be invoked with logwrapper, so let it write to pty
 allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file w_file_perms;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
new file mode 100644
index 0000000..b0d3ad9
--- /dev/null
+++ b/public/vr_hwc.te
@@ -0,0 +1,29 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+binder_call(vr_hwc, vr_wm)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+use_pdx(vr_hwc, surfaceflinger)
+
+# Limit access so only vr_wm can connect.
+neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;
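Review bot: The `# Load vendor libraries.` comment sits above `allow vr_hwc system_file:dir r_dir_perms;`, which is a rule on system_file rather than any vendor label, so the comment does not describe what is granted; it appears to have been carried over from vr_wm.te. Reword it to match the rule, e.g. `# Search /system directories (library loading).`, or change the target if vendor library access is what is intended. The two-line comment about hosting the VR HWC implementation, placed above `hwbinder_use(vr_hwc)`, now describes the domain as a whole rather than that one rule and would read better as the file header.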
diff --git a/public/vr_wm.te b/public/vr_wm.te
index deedb0a..1e48609 100644
--- a/public/vr_wm.te
+++ b/public/vr_wm.te
@@ -4,18 +4,15 @@
 hal_client_domain(vr_wm, hal_graphics_allocator)
 
 binder_use(vr_wm)
-binder_call(vr_wm, surfaceflinger)
 binder_call(vr_wm, virtual_touchpad)
+binder_call(vr_wm, vr_hwc)
 
 allow vr_wm virtual_touchpad_service:service_manager find;
+allow vr_wm vr_hwc_service:service_manager find;
 
 binder_service(vr_wm)
 add_service(vr_wm, vr_window_manager_service)
 
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_wm)
-
 # Load vendor libraries.
 allow vr_wm system_file:dir r_dir_perms;
 
diff --git a/public/wificond.te b/public/wificond.te
index dd22d26..c91053e 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,10 +7,6 @@
 
 add_service(wificond, wificond_service)
 
-# wificond writes firmware paths to this file.
-# wificond also changes the owership of this file on startup.
-allow wificond sysfs_wlan_fwpath:file { w_file_perms setattr };
-
 set_prop(wificond, wifi_prop)
 set_prop(wificond, ctl_default_prop)
 
@@ -31,14 +27,8 @@
 allow wificond wifi_data_file:dir rw_dir_perms;
 allow wificond wifi_data_file:file create_file_perms;
 
-# wificond drops root shortly after starting
-# wificond changes the ownership of some files before dropping root
-allow wificond self:capability { setuid setgid setpcap chown };
-
-# wificond cleans up sockets created by wpa_supplicant and framework
-allow wificond wpa_socket:dir rw_dir_perms;
-allow wificond system_wpa_socket:sock_file unlink;
-allow wificond wpa_socket:sock_file unlink;
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
 
 # dumpstate support
 allow wificond dumpstate:fd use;
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 8a28f3c..9cbd912 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -15,12 +15,16 @@
 static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
 static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
 static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
+static const char * const CHECK_HW_SC_ASSERT_ATTRS[] = { "hwservice_manager_type", NULL };
+static const char * const CHECK_VND_SC_ASSERT_ATTRS[] = { "vndservice_manager_type", NULL };
 
 typedef enum filemode filemode;
 enum filemode {
     filemode_file_contexts = 0,
     filemode_property_contexts,
-    filemode_service_contexts
+    filemode_service_contexts,
+    filemode_hw_service_contexts,
+    filemode_vendor_service_contexts
 };
 
 static struct {
@@ -55,6 +59,10 @@
         return CHECK_PC_ASSERT_ATTRS;
     case filemode_service_contexts:
         return CHECK_SC_ASSERT_ATTRS;
+    case filemode_hw_service_contexts:
+        return CHECK_HW_SC_ASSERT_ATTRS;
+    case filemode_vendor_service_contexts:
+        return CHECK_VND_SC_ASSERT_ATTRS;
     }
     /* die on invalid parameters */
     fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
@@ -185,10 +193,13 @@
 }
 
 static void usage(char *name) {
-    fprintf(stderr, "usage1:  %s [-p|-s] [-e] sepolicy context_file\n\n"
+    fprintf(stderr, "usage1:  %s [-l|-p|-s|-v] [-e] sepolicy context_file\n\n"
         "Parses a context file and checks for syntax errors.\n"
-        "The context_file is assumed to be a file_contexts file\n"
-        "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
+        "If -p is specified, the property backend is used.\n"
+        "If -s is specified, the service backend is used to verify binder services.\n"
+        "If -l is specified, the service backend is used to verify hwbinder services.\n"
+        "If -v is specified, the service backend is used to verify vndbinder services.\n"
+        "Otherwise, context_file is assumed to be a file_contexts file\n"
         "If -e is specified, then the context_file is allowed to be empty.\n\n"
 
         "usage2:  %s -c file_contexts1 file_contexts2\n\n"
@@ -332,7 +343,7 @@
 
   filemode mode = filemode_file_contexts;
 
-  while ((c = getopt(argc, argv, "cpse")) != -1) {
+  while ((c = getopt(argc, argv, "clpsve")) != -1) {
     switch (c) {
       case 'c':
         compare = true;
@@ -348,6 +359,14 @@
         mode = filemode_service_contexts;
         backend = SELABEL_CTX_ANDROID_SERVICE;
         break;
+      case 'l':
+        mode = filemode_hw_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
+      case 'v':
+        mode = filemode_vendor_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
       case 'h':
       default:
         usage(argv[0]);
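Review bot: The mode options -l, -p, -s and -v are mutually exclusive, but the new `case 'l'` and `case 'v'` branches, like the existing -p and -s ones, silently let whichever option comes last on the command line win. A guard before each assignment such as `if (mode != filemode_file_contexts) usage(argv[0]);` would reject a conflicting invocation instead of checking the wrong backend; whether usage() exits is not visible here. The enclosing function (apparently main) starts and ends outside the hunk.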
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index d18609a..fdee588 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -65,6 +65,10 @@
 
     Displays the types associated with the specified attribute name.
 
+    sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -r <name>
+
+    Displays the attributes associated with the specified type name.
+
     NEVERALLOW CHECKING (neverallow)
     sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
     [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
index 474bda2..ae98aa9 100644
--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
@@ -1,39 +1,81 @@
+#include <getopt.h>
+
 #include "attribute.h"
 
 void attribute_usage() {
-    fprintf(stderr, "\tattribute <attribute-name>\n");
+    fprintf(stderr, "\tattribute <name> [-r|--reverse]\n");
 }
 
-static int list_attribute(policydb_t * policydb, char *name)
-{
-    struct type_datum *attr;
+static void retrieve_mapping(policydb_t *policydb, struct type_datum *dat, char *name, int reverse) {
     struct ebitmap_node *n;
     unsigned int bit;
 
-    attr = hashtab_search(policydb->p_types.table, name);
-    if (!attr) {
+    if (reverse) {
+        ebitmap_for_each_bit(&policydb->type_attr_map[dat->s.value - 1], n, bit) {
+            if (!ebitmap_node_get_bit(n, bit))
+                continue;
+            if (!strcmp(policydb->p_type_val_to_name[bit], name))
+                continue;
+            printf("%s\n", policydb->p_type_val_to_name[bit]);
+        }
+    } else {
+        ebitmap_for_each_bit(&policydb->attr_type_map[dat->s.value - 1], n, bit) {
+            if (!ebitmap_node_get_bit(n, bit))
+                continue;
+            printf("%s\n", policydb->p_type_val_to_name[bit]);
+        }
+    }
+}
+
+static int list_attribute(policydb_t *policydb, char *name, int reverse)
+{
+    struct type_datum *dat;
+
+    dat = hashtab_search(policydb->p_types.table, name);
+    if (!dat) {
         fprintf(stderr, "%s is not defined in this policy.\n", name);
         return -1;
     }
 
-    if (attr->flavor != TYPE_ATTRIB) {
-        fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
-        return -1;
+    if (reverse) {
+        if (dat->flavor != TYPE_TYPE) {
+            fprintf(stderr, "%s is an attribute not a type in this policy.\n", name);
+            return -1;
+        }
+    } else {
+        if (dat->flavor != TYPE_ATTRIB) {
+            fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+            return -1;
+        }
     }
-
-    ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
-        if (!ebitmap_node_get_bit(n, bit))
-            continue;
-        printf("%s\n", policydb->p_type_val_to_name[bit]);
-    }
+    retrieve_mapping(policydb, dat, name, reverse);
 
     return 0;
 }
 
 int attribute_func (int argc, char **argv, policydb_t *policydb) {
-    if (argc != 2) {
+    int reverse = 0;
+    char ch;
+
+    struct option attribute_options[] = {
+        {"reverse", no_argument, NULL, 'r'},
+        {NULL, 0, NULL, 0}
+    };
+
+    while ((ch = getopt_long(argc, argv, "r", attribute_options, NULL)) != -1) {
+        switch (ch) {
+        case 'r':
+            reverse = 1;
+            break;
+        default:
+            USAGE_ERROR = true;
+            return -1;
+        }
+    }
+
+    if (argc != 2 && !(reverse && argc == 3)) {
         USAGE_ERROR = true;
         return -1;
     }
-    return list_attribute(policydb, argv[1]);
+    return list_attribute(policydb, argv[optind], reverse);
 }
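Review bot: `char ch;` in attribute_func should be `int ch;`, because getopt_long() returns int and on targets where char is unsigned the `!= -1` comparison can never become true, so the option loop cannot terminate. The argument check `if (argc != 2 && !(reverse && argc == 3))` also ignores that getopt_long() permutes argv: `attribute -r` alone passes it with argc == 2 and `argv[optind]` is then NULL when handed to list_attribute(); `if (argc - optind != 1)` covers both shapes. If attribute_func can be entered more than once in a process, optind would additionally need resetting before the getopt_long() loop.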
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 74c9c73..24b2a3c 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -87,6 +87,7 @@
 	char *base = NULL;
 	char *tgt_policy = NULL;
 	char *num = NULL;
+	char *dot;
 	char *output = NULL;
 	struct cil_db *base_db = NULL;
 	struct cil_db *out_db = NULL;
@@ -138,6 +139,13 @@
 		usage(argv[0]);
 	}
 
+	/* policy language doesn't like '.', so replace them with '_' in mapping version */
+	dot = num;
+	while ((dot = strchr(dot, '.')) != NULL) {
+		*dot = '_';
+		++dot;
+	}
+
 	if (mapping && tgt_policy) {
 		fprintf(stderr, "Please select only one mode between --mapping and --tgt_policy\n");
 		usage(argv[0]);
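Review bot: The added dot-replacement loop dereferences `num` unconditionally, and `num` is initialised to NULL in the declarations hunk above, so unless the option parsing between the two hunks guarantees it was set, `strchr(dot, '.')` runs on a NULL pointer. Guarding the loop with `if (num)` or placing it after the existing check that the version argument was supplied would close that. The enclosing function (apparently main) starts and ends outside the hunk.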
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 763a945..ac5d1d0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -25,6 +25,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.0-service        u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service        u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
@@ -32,6 +34,14 @@
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
+
+#############################
+# Same process HALs installed by platform into /vendor
+#
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so     u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so                              u:object_r:same_process_hal_file:s0
+
 #############################
 # Data files
 #
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 79c0814..a10a6cf 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -1,7 +1,7 @@
 type hal_audio_default, domain;
 hal_server_domain(hal_audio_default, hal_audio)
 
-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_audio_default)
 
 hal_client_domain(hal_audio_default, hal_allocator)
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index e32770d..01d60db 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,5 @@
 type hal_bluetooth_default, domain;
 hal_server_domain(hal_bluetooth_default, hal_bluetooth)
 
-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 9986fb5..ca30e58 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -2,5 +2,5 @@
 type hal_bootctl_default, domain;
 hal_server_domain(hal_bootctl_default, hal_bootctl)
 
-type hal_bootctl_default_exec, exec_type, file_type;
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bootctl_default)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 449f159..60b6a5c 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -1,7 +1,7 @@
 type hal_camera_default, domain;
 hal_server_domain(hal_camera_default, hal_camera)
 
-type hal_camera_default_exec, exec_type, file_type;
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
 
 # TODO (b/36601397) move hal_camera's data file to
diff --git a/vendor/hal_configstore_default.te b/vendor/hal_configstore_default.te
index e8930ca..cc61a16 100644
--- a/vendor/hal_configstore_default.te
+++ b/vendor/hal_configstore_default.te
@@ -1,5 +1,5 @@
 type hal_configstore_default, domain;
 hal_server_domain(hal_configstore_default, hal_configstore)
 
-type hal_configstore_default_exec, exec_type, file_type;
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_configstore_default)
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
index 67dd530..b29808d 100644
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@@ -1,5 +1,5 @@
 type hal_contexthub_default, domain;
 hal_server_domain(hal_contexthub_default, hal_contexthub)
 
-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_contexthub_default)
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index ad1762f..3aeec06 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -1,7 +1,7 @@
 type hal_drm_default, domain;
 hal_server_domain(hal_drm_default, hal_drm)
 
-type hal_drm_default_exec, exec_type, file_type;
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_default)
 
 allow hal_drm_default mediacodec:fd use;
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
index fa772e1..6fbf40f 100644
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
@@ -1,5 +1,5 @@
 type hal_dumpstate_default, domain;
 hal_server_domain(hal_dumpstate_default, hal_dumpstate)
 
-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_dumpstate_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 5f5de7e..322c104 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -1,7 +1,7 @@
 type hal_fingerprint_default, domain;
 hal_server_domain(hal_fingerprint_default, hal_fingerprint)
 
-type hal_fingerprint_default_exec, exec_type, file_type;
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
 
 # TODO (b/36644492) move hal_fingerprint's data file to
diff --git a/vendor/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te
index d48af16..a3654cc 100644
--- a/vendor/hal_gatekeeper_default.te
+++ b/vendor/hal_gatekeeper_default.te
@@ -1,5 +1,5 @@
 type hal_gatekeeper_default, domain;
 hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
 
-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gatekeeper_default);
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index 18da090..4c40617 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -1,7 +1,7 @@
 type hal_gnss_default, domain;
 hal_server_domain(hal_gnss_default, hal_gnss)
 
-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_default)
 
 # Read access to system files for HALs in
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index f47a604..5afa2b5 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,5 +1,5 @@
 type hal_graphics_allocator_default, domain;
 hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
 
-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index b65b8fe..47343d9 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -1,5 +1,5 @@
 type hal_graphics_composer_default, domain;
 hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
 
-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index 3add20b..9b2b921 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -2,5 +2,5 @@
 type hal_health_default, domain;
 hal_server_domain(hal_health_default, hal_health)
 
-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_health_default)
diff --git a/vendor/hal_ir_default.te b/vendor/hal_ir_default.te
index e43bf07..943aab0 100644
--- a/vendor/hal_ir_default.te
+++ b/vendor/hal_ir_default.te
@@ -1,5 +1,5 @@
 type hal_ir_default, domain;
 hal_server_domain(hal_ir_default, hal_ir)
 
-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_ir_default)
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262..82a5a20 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
 type hal_keymaster_default, domain;
 hal_server_domain(hal_keymaster_default, hal_keymaster)
 
-type hal_keymaster_default_exec, exec_type, file_type;
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymaster_default)
diff --git a/vendor/hal_light_default.te b/vendor/hal_light_default.te
index 8c1bfb6..c7fa9a1 100644
--- a/vendor/hal_light_default.te
+++ b/vendor/hal_light_default.te
@@ -1,5 +1,5 @@
 type hal_light_default, domain;
 hal_server_domain(hal_light_default, hal_light)
 
-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_light_default)
diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te
index 0e3ba21..c547699 100644
--- a/vendor/hal_memtrack_default.te
+++ b/vendor/hal_memtrack_default.te
@@ -1,5 +1,5 @@
 type hal_memtrack_default, domain;
 hal_server_domain(hal_memtrack_default, hal_memtrack)
 
-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_memtrack_default)
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index eb2bd81..2f1c092 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -1,9 +1,11 @@
 type hal_nfc_default, domain;
 hal_server_domain(hal_nfc_default, hal_nfc)
 
-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_nfc_default)
 
 # TODO (b/36645109) Remove hal_nfc's access to the nfc app's
-# data type. Remove coredata_in_vendor_violators attribute.
+# data type. Remove coredata_in_vendor_violators and
+# socket_between_core_and_vendor_violators attribute associations below.
 typeattribute hal_nfc_default coredata_in_vendor_violators;
+typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
index 47065ea..3be4f22 100644
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@@ -1,5 +1,5 @@
 type hal_power_default, domain;
 hal_server_domain(hal_power_default, hal_power)
 
-type hal_power_default_exec, exec_type, file_type;
+type hal_power_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_power_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index b4c9a86..5ba4aab 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -1,5 +1,5 @@
 type hal_sensors_default, domain;
 hal_server_domain(hal_sensors_default, hal_sensors)
 
-type hal_sensors_default_exec, exec_type, file_type;
+type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensors_default)
diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te
index 9a777e0..73b2eff 100644
--- a/vendor/hal_thermal_default.te
+++ b/vendor/hal_thermal_default.te
@@ -1,5 +1,5 @@
 type hal_thermal_default, domain;
 hal_server_domain(hal_thermal_default, hal_thermal)
 
-type hal_thermal_default_exec, exec_type, file_type;
+type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
 init_daemon_domain(hal_thermal_default)
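Review bot: `vendor_file_type` is listed twice in the new declaration of hal_thermal_default_exec; the second occurrence is redundant and the line should match the other hal_*_default.te changes in this commit, `type hal_thermal_default_exec, exec_type, vendor_file_type, file_type;`. Whether checkpolicy tolerates a repeated attribute in a type statement is not visible here, so the duplicate is at best noise and at worst a build break.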
diff --git a/vendor/hal_tv_cec_default.te b/vendor/hal_tv_cec_default.te
new file mode 100644
index 0000000..080e73b
--- /dev/null
+++ b/vendor/hal_tv_cec_default.te
@@ -0,0 +1,5 @@
+type hal_tv_cec_default, domain;
+hal_server_domain(hal_tv_cec_default, hal_tv_cec)
+
+type hal_tv_cec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_cec_default)
diff --git a/vendor/hal_tv_input_default.te b/vendor/hal_tv_input_default.te
new file mode 100644
index 0000000..12d9743
--- /dev/null
+++ b/vendor/hal_tv_input_default.te
@@ -0,0 +1,6 @@
+type hal_tv_input_default, domain;
+hal_server_domain(hal_tv_input_default, hal_tv_input)
+
+type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_input_default)
+
diff --git a/vendor/hal_usb_default.te b/vendor/hal_usb_default.te
index cc28a65..5642a2a 100644
--- a/vendor/hal_usb_default.te
+++ b/vendor/hal_usb_default.te
@@ -1,5 +1,5 @@
 type hal_usb_default, domain;
 hal_server_domain(hal_usb_default, hal_usb)
 
-type hal_usb_default_exec, exec_type, file_type;
+type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_usb_default)
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
index 8bc8a72..6c10d8a 100644
--- a/vendor/hal_vibrator_default.te
+++ b/vendor/hal_vibrator_default.te
@@ -1,5 +1,5 @@
 type hal_vibrator_default, domain;
 hal_server_domain(hal_vibrator_default, hal_vibrator)
 
-type hal_vibrator_default_exec, exec_type, file_type;
+type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_vibrator_default)
diff --git a/vendor/hal_vr_default.te b/vendor/hal_vr_default.te
index 7475524..6a60192 100644
--- a/vendor/hal_vr_default.te
+++ b/vendor/hal_vr_default.te
@@ -1,5 +1,5 @@
 type hal_vr_default, domain;
 hal_server_domain(hal_vr_default, hal_vr)
 
-type hal_vr_default_exec, exec_type, file_type;
+type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_vr_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
index 7c3949e..75a9842 100644
--- a/vendor/hal_wifi_default.te
+++ b/vendor/hal_wifi_default.te
@@ -1,5 +1,5 @@
 type hal_wifi_default, domain;
 hal_server_domain(hal_wifi_default, hal_wifi)
 
-type hal_wifi_default_exec, exec_type, file_type;
+type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_wifi_default)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 1ee95bb..c2bdc73 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -1,15 +1,17 @@
 # wpa supplicant or equivalent
 type hal_wifi_supplicant_default, domain;
 hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
-type hal_wifi_supplicant_default_exec, exec_type, file_type;
+type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_wifi_supplicant_default)
 
 net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
 
-# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
-typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
+hwbinder_use(hal_wifi_supplicant_default)
+binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
+
 # TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
 # Remove coredata_in_vendor_violators attribute.
 # wpa supplicant or equivalent
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index e7d8308..d20581e 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -1,6 +1,6 @@
 # userspace wifi access points
 type hostapd, domain;
-type hostapd_exec, exec_type, file_type;
+type hostapd_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(hostapd)
 
diff --git a/vendor/rild.te b/vendor/rild.te
index 69c5c39..ea9109b 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -1,6 +1,6 @@
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
-type rild_exec, exec_type, file_type;
+type rild_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(rild)
 
 # TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 0000000..e5e8b2d
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,21 @@
+##
+# trusted execution environment (tee) daemon
+#
+typeattribute tee domain_deprecated;
+
+type tee_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(tee)
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dff18ce..f956af8 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -1,5 +1,5 @@
 # vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager_exec, exec_type, file_type;
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(vndservicemanager);
 
@@ -10,5 +10,8 @@
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
 
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)