Merge "Fix SELinux denials for protected content playback"
diff --git a/domain.te b/domain.te
index 78f1dea..9398172 100644
--- a/domain.te
+++ b/domain.te
@@ -278,7 +278,7 @@
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#
# Assert that, to the extent possible, we're not loading executable content from
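Review bot: The new `-otapreopt_chroot` carve-out in this filesystem neverallow is wider than what the domain is actually granted: otapreopt_chroot.te adds only `labeledfs:filesystem mount`, yet the exemption also lifts the assertion for remount, relabelfrom and relabelto on every `fs_type` other than sdcard_type. Because a global neverallow cannot be narrowed per domain, the ceiling can be restored with a domain-local assertion beside the new allow in otapreopt_chroot.te, e.g. `neverallow otapreopt_chroot { fs_type -labeledfs }:filesystem { mount remount relabelfrom relabelto };` and `neverallow otapreopt_chroot fs_type:filesystem { remount relabelfrom relabelto };`. The same point applies to the otapreopt_chroot.te hunk, where `# This is required to mount /vendor.` would also benefit from stating that mount is the only filesystem permission intended.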
@@ -398,6 +398,7 @@
-postinstall_dexopt
-cppreopts
-dex2oat
+ -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -408,6 +409,7 @@
-cppreopts
-dex2oat
-zygote
+ -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
# Only system_server should be able to send commands via the zygote socket
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 6943ffd..c5d9888 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -14,7 +14,7 @@
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
-auditallow { domain_deprecated -appdomain -mediaextractor -mediaserver -netd -surfaceflinger } system_server:fd use;
+auditallow { domain_deprecated -appdomain -mediaserver -netd -surfaceflinger } system_server:fd use;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
@@ -83,7 +83,7 @@
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
-r_dir_file({ domain_deprecated -isolated_app }, sysfs)
+r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
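Review bot: Dropping `-isolated_app` from the sysfs grant widens what isolated_app can read if that domain still carries the domain_deprecated attribute, and nothing in the commit explains the widening. If isolated_app no longer has domain_deprecated the old exclusion was already a no-op and the change is harmless; otherwise the previous form `r_dir_file({ domain_deprecated -isolated_app }, sysfs)` should stay. A one-line comment stating which case applies would spare the next reader the same check.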
@@ -96,9 +96,9 @@
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow domain_deprecated inotify:dir r_dir_perms;
auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -mediaextractor -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
+auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow { domain_deprecated -appdomain -init -logd -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
diff --git a/file_contexts b/file_contexts
index 719c3d9..ed8c5e1 100644
--- a/file_contexts
+++ b/file_contexts
@@ -172,6 +172,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
diff --git a/ioctl_defines b/ioctl_defines
index b1752bf..a1cd0b9 100644
--- a/ioctl_defines
+++ b/ioctl_defines
@@ -681,8 +681,6 @@
define(`BR_SPAWN_LOOPER', `0x0000720d')
define(`BR_FINISHED', `0x0000720e')
define(`BR_FAILED_REPLY', `0x00007211')
-define(`PPPIOCDISCONN', `0x00007439')
-define(`PPPIOCXFERUNIT', `0x0000744e')
define(`MEYEIOC_STILLCAPT', `0x000076c4')
define(`ASHMEM_GET_SIZE', `0x00007704')
define(`ASHMEM_GET_PROT_MASK', `0x00007706')
@@ -1166,22 +1164,6 @@
define(`IXJCTL_INTERCOM_START', `0x400471fd')
define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`PPPIOCATTCHAN', `0x40047438')
-define(`PPPIOCCONNECT', `0x4004743a')
-define(`PPPIOCSMRRU', `0x4004743b')
-define(`PPPIOCDETACH', `0x4004743c')
-define(`PPPIOCATTACH', `0x4004743d')
-define(`PPPIOCSDEBUG', `0x40047440')
-define(`PPPIOCSMAXCID', `0x40047451')
-define(`PPPIOCSMRU', `0x40047452')
-define(`PPPIOCSRASYNCMAP', `0x40047454')
-define(`PPPIOCSASYNCMAP', `0x40047457')
-define(`PPPIOCSFLAGS', `0x40047459')
-define(`PPPIOCBUNDLE', `0x40047481')
-define(`PPPIOCSMPFLAGS', `0x40047483')
-define(`PPPIOCSMPMTU', `0x40047484')
-define(`PPPIOCSMPMRU', `0x40047485')
-define(`PPPIOCSCOMPRESSOR', `0x40047487')
define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
define(`FS_IOC32_SETVERSION', `0x40047602')
@@ -1304,7 +1286,6 @@
define(`IXJCTL_CIDCW', `0x400871d9')
define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`PPPIOCSNPMODE', `0x4008744b')
define(`FS_IOC_SETVERSION', `0x40087602')
define(`ASHMEM_SET_SIZE', `0x40087703')
define(`ASHMEM_SET_PROT_MASK', `0x40087705')
@@ -1453,9 +1434,6 @@
define(`FE_SET_PROPERTY', `0x40106f52')
define(`CA_SET_DESCR', `0x40106f86')
define(`PPSETTIME', `0x40107096')
-define(`PPPIOCSACTIVE', `0x40107446')
-define(`PPPIOCSPASS', `0x40107447')
-define(`PPPIOCSCOMPRESS', `0x4010744d')
define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
define(`GENWQE_WRITE_REG64', `0x4010a51f')
define(`GENWQE_WRITE_REG32', `0x4010a521')
@@ -1530,7 +1508,6 @@
define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
define(`OSD_SEND_CMD', `0x40206fa0')
define(`RTC_PLL_SET', `0x40207012')
-define(`PPPIOCSXASYNCMAP', `0x4020744f')
define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
@@ -1875,14 +1852,6 @@
define(`BR_ACQUIRE_RESULT', `0x80047204')
define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`PPPIOCGCHAN', `0x80047437')
-define(`PPPIOCGDEBUG', `0x80047441')
-define(`PPPIOCGMRU', `0x80047453')
-define(`PPPIOCGRASYNCMAP', `0x80047455')
-define(`PPPIOCGUNIT', `0x80047456')
-define(`PPPIOCGASYNCMAP', `0x80047458')
-define(`PPPIOCGFLAGS', `0x8004745a')
-define(`PPPIOCGMPFLAGS', `0x80047482')
define(`FS_IOC32_GETVERSION', `0x80047601')
define(`MEYEIOC_STILLJCAPT', `0x800476c5')
define(`OSIOCGNETADDR', `0x800489e1')
@@ -2015,8 +1984,6 @@
define(`BR_ACQUIRE', `0x80107208')
define(`BR_RELEASE', `0x80107209')
define(`BR_DECREFS', `0x8010720a')
-define(`PPPIOCGIDLE', `0x8010743f')
-define(`PPPIOCGIFNAME', `0x80107488')
define(`GENWQE_READ_REG64', `0x8010a51e')
define(`GENWQE_READ_REG32', `0x8010a520')
define(`GENWQE_READ_REG16', `0x8010a522')
@@ -2054,7 +2021,6 @@
define(`AUDIO_GET_STATUS', `0x80206f0a')
define(`VIDEO_GET_EVENT', `0x80206f1c')
define(`RTC_PLL_GET', `0x80207011')
-define(`PPPIOCGXASYNCMAP', `0x80207450')
define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
@@ -2093,12 +2059,10 @@
define(`JSIOCGAXMAP', `0x80406a32')
define(`BR_TRANSACTION', `0x80407202')
define(`BR_REPLY', `0x80407203')
-define(`PPPIOCGCOMPRESSORS', `0x80407486')
define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
define(`GET_ARRAY_INFO', `0x80480911')
-define(`PPPIOCGL2TPSTATS', `0x80487436')
define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
define(`KVM_SET_PIT', `0x8048ae66')
define(`GSMIOC_GETCONF', `0x804c4700')
@@ -2213,7 +2177,6 @@
define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`PPPIOCNEWUNIT', `0xc004743e')
define(`TOSH_SMM', `0xc0047490')
define(`MEYEIOC_SYNC', `0xc00476c3')
define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
@@ -2273,7 +2236,6 @@
define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`PPPIOCGNPMODE', `0xc008744c')
define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
@@ -2616,7 +2578,6 @@
define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
-define(`PPPIOCGCALLINFO', `0xc0887480')
define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
define(`SNDCTL_SYNTH_ID', `0xc08c5114')
define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
@@ -2692,3 +2653,42 @@
define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCGIFNAME', `0x7488')
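Review bot: The re-added PPPIOC* definitions carry only the low 16 bits of the kernel command (`PPPIOCGL2TPSTATS` goes from `0x80487436` to `0x7436`), and nothing in the file says why these entries are shaped differently from the 32-bit values above them. This works because the SELinux ioctl extended-permission check matches on the low 16 bits (type and number) and ignores the direction and size bits, so a comment above the block such as `# PPP ioctls listed by their low 16 bits: ioctl xperm rules match on type/nr only, so the direction and size bits of the full command are dropped.` would make the intent explicit; the pure-deletion hunks earlier in this file, which remove the 32-bit forms, are the other half of the same change. Writing the values as `0x00007436` would also keep them consistent with the neighbouring `WAN_IOC_*` entries.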
diff --git a/ioctl_macros b/ioctl_macros
index d4ef2a6..122e1f0 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -46,3 +46,17 @@
# commonly used TTY ioctls
define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
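Review bot: `ppp_ioctls` is defined here but no `allowxperm` rule in this commit references it, so as of this change it is unused policy unless a device-specific policy consumes it; a comment naming the intended consumer would help. The header comment should also name the protocol and the value convention, e.g. `# PPP (point-to-point protocol) ioctls; the values in ioctl_defines are the low 16 bits of each command`.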
diff --git a/mediaextractor.te b/mediaextractor.te
index 7b873d6..fe87447 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -1,5 +1,5 @@
# mediaextractor - multimedia daemon
-type mediaextractor, domain, domain_deprecated;
+type mediaextractor, domain;
type mediaextractor_exec, exec_type, file_type;
typeattribute mediaextractor mlstrustedsubject;
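Review bot: Removing `domain_deprecated` drops the legacy grants that attribute carries (per the domain_deprecated.te hunks: system_server fd use and proc/sysfs/cgroup/proc_meminfo reads) without any replacement allow rules in mediaextractor.te, so any of those accesses mediaextractor still performs will now be denied. The removal of `-mediaextractor` from the auditallow exclusions in domain_deprecated.te suggests the auditallow data was collected and found clean, but that is inferred; confirm against the audit logs. The toolbox.te hunk makes the same attribute removal and deserves the same check.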
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index 3f42670..fcba7b1 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -7,6 +7,10 @@
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+# This is required to mount /vendor.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem mount;
+
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/otapreopt_slot.te b/otapreopt_slot.te
new file mode 100644
index 0000000..2f4da0a
--- /dev/null
+++ b/otapreopt_slot.te
@@ -0,0 +1,28 @@
+# otapreopt_slot
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject;
+type otapreopt_slot_exec, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:file { getattr };
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
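Review bot: The zygote.te rules this commit removes granted `ota_data_file:{ dir file lnk_file } relabelfrom` and `dalvikcache_data_file:{ dir file lnk_file } relabelto`, but the new domain gets no relabel permission, so if the rename permitted by `allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };` moves entries into /data/dalvik-cache they keep the ota_data_file label unless something else restores it — confirm how the moved artifacts are relabelled. Two comments appear to be copied from the cppreopts policy and now name the wrong domain: `# cppreopts to occur.` should read `otapreopt_slot`, and `# Allow cppreopts to execute itself using #!/system/bin/sh` should likewise say `otapreopt_slot`. The path in `# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.` also looks doubled; verify it against the script.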
diff --git a/toolbox.te b/toolbox.te
index 55de7eb..7767079 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -1,7 +1,7 @@
# Any toolbox command run by init.
# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain, domain_deprecated;
+type toolbox, domain;
type toolbox_exec, exec_type, file_type;
init_daemon_domain(toolbox)
diff --git a/zygote.te b/zygote.te
index 41b8c07..9ce5a4e 100644
--- a/zygote.te
+++ b/zygote.te
@@ -89,31 +89,6 @@
allow zygote tmpfs:dir r_dir_perms;
###
-### A/B OTA
-###
-
-# The zygote is responsible for detecting A/B OTA artifacts and moving them into
-# the actual dalvik-cache.
-
-# Allow zygote access to files in /data/ota.
-# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
-# images, where the oat file is symlinked to the original file in /system.
-r_dir_file(zygote, ota_data_file)
-
-# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
-allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
-
-# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
-allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;
-allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;
-
-# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
-# In case something goes wrong in relabelling, we also need to be able to delete the files that
-# have already been moved.
-allow zygote ota_data_file:dir rmdir;
-allow zygote ota_data_file:{ file lnk_file } unlink;
-
-###
### neverallow rules
###