Merge "crash_dump: Update prebuilts for API 33"
diff --git a/prebuilts/api/33.0/private/app.te b/prebuilts/api/33.0/private/app.te
index b7da601..86180b0 100644
--- a/prebuilts/api/33.0/private/app.te
+++ b/prebuilts/api/33.0/private/app.te
@@ -75,6 +75,11 @@
 # Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
 allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
 
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
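Review bot: The comment on the new allow rule ("not modify them other than to connect") understates what is granted, since the permission set on the next line includes `setopt`, which lets an app change socket options on a socket system_server owns; reword it to match the rule, e.g. `# allow apps to use UDP sockets handed over by system_server (connect, read/write, get/set socket options) but not bind, listen, shut down or relabel them`. The subject is bare `appdomain`, whereas the mnt_media_rw_file rule three lines above deliberately writes `{ appdomain -sdk_sandbox }`; if sandboxed SDK code is not meant to receive system_server UDP sockets either, the rule should be `allow { appdomain -sdk_sandbox } system_server:udp_socket { ... };` — I cannot tell from here whether that exclusion is intended. The allow and the neverallow below it are disjoint, so the pair is consistent as written. The same two points apply to the identical hunk in private/app.te (the prebuilt is a mirror of it).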
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -5,11 +5,6 @@
 
 app_domain(gmscore_app)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
 allow gmscore_app sysfs_type:dir search;
 # Read access to /sys/block/zram*/mm_stat
 r_dir_file(gmscore_app, sysfs_zram)
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
index b723633..6112ae0 100644
--- a/prebuilts/api/33.0/private/platform_app.te
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -113,10 +113,6 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
 # Allow platform apps to create VMs
 virtualizationservice_use(platform_app)
 
diff --git a/prebuilts/api/33.0/private/surfaceflinger.te b/prebuilts/api/33.0/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/prebuilts/api/33.0/private/surfaceflinger.te
+++ b/prebuilts/api/33.0/private/surfaceflinger.te
@@ -74,13 +74,9 @@
   allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
 perfetto_producer(surfaceflinger)
 
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
index 01956f4..77cca3d 100644
--- a/prebuilts/api/33.0/private/system_app.te
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -176,10 +176,6 @@
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
 ###
 ### Neverallow rules
 ###
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index bb02047..0f72c7f 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -15,11 +15,6 @@
 
 userfaultfd_use(system_server)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
diff --git a/private/app.te b/private/app.te
index 7033cb6..269609a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -44,6 +44,11 @@
 # Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
 allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
 
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 54cc916..ffb80c5 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -7,7 +7,7 @@
 
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader bpffs_type:dir { add_name create remove_name search write };
-allow bpfloader bpffs_type:file { create read rename setattr };
+allow bpfloader bpffs_type:file { create getattr read rename setattr };
 allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
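Review bot: The `getattr` added on the allow line is not covered by the comment above it, which only says the permissions are needed to pin maps and programs; a short note on why bpfloader now stats bpffs files would help the next reader, e.g. `# getattr: bpfloader stat()s pinned objects before (re)creating them -- confirm`, with the reason filled in from the actual bpfloader change. The second hunk in this file makes `getattr` exclusive to bpfloader (`neverallow { domain -bpfloader } bpffs_type:file { create getattr rename }`), so any other domain that fstat()s a descriptor obtained from bpffs — the neverallows a few lines below let netd, network_stack and system_server read these files — will be denied and logged; worth confirming none of those callers do that, otherwise the exclusivity should be loosened for them. The third hunk, which widens the catch-all `~{ ... }` set, is consistent with the first two. Unlike app.te, this file has no counterpart under prebuilts/api/33.0/private in the diff, so if the 33.0 prebuilt is expected to track private/, it now diverges on these rules.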
@@ -32,7 +32,7 @@
 
 # TODO: get rid of init & vendor_init
 neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create rename };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
 neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server -vendor_init } fs_bpf:file               read;
 neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_net_private:file   read;
 neverallow { domain -bpfloader             -init                                                  -network_stack -system_server -vendor_init } fs_bpf_net_shared:file    read;
@@ -40,7 +40,7 @@
 neverallow { domain -bpfloader             -init                          -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file   read;
 neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_tethering:file     read;
 neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
+neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 114c184..e2d16cc 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,11 +5,6 @@
 
 app_domain(gmscore_app)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
 allow gmscore_app sysfs_type:dir search;
 # Read access to /sys/class/net/wlan*/address
 r_dir_file(gmscore_app, sysfs_net)
diff --git a/private/platform_app.te b/private/platform_app.te
index 972593f..f14e52d 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -112,10 +112,6 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
 # Allow platform apps to create VMs
 virtualizationservice_use(platform_app)
 
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -74,13 +74,9 @@
   allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
 perfetto_producer(surfaceflinger)
 
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
diff --git a/private/system_app.te b/private/system_app.te
index df03566..822fbb5 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -177,10 +177,6 @@
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
 ###
 ### Neverallow rules
 ###
diff --git a/private/system_server.te b/private/system_server.te
index d3ad100..32b1abf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -15,11 +15,6 @@
 
 userfaultfd_use(system_server)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9f19b3f..84c12d9 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -87,6 +87,7 @@
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
+  hal_input_processor_server
   hal_neuralnetworks_server
   hal_omx_server
   hal_power_server
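Review bot: `hal_input_processor_server` is inserted into a brace list whose opening, and therefore the permission it grants, lies before this hunk, so whether the `dump_hal(hal_input_processor)` added in the second hunk is its intended counterpart cannot be confirmed from the diff; a reviewer with the file open should check that the type attribute exists and that both lists are meant to move together. Unlike the private/ files in this change, public/dumpstate.te has no mirror under prebuilts/api/33.0 in the diff, so the 33.0 prebuilt would diverge from public/ here if it is expected to track it.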
@@ -149,6 +150,7 @@
 dump_hal(hal_dumpstate)
 dump_hal(hal_wifi)
 dump_hal(hal_graphics_allocator)
+dump_hal(hal_input_processor)
 dump_hal(hal_light)
 dump_hal(hal_neuralnetworks)
 dump_hal(hal_nfc)