Merge "Label APEX files correctly when TARGET_FLATTEN_APEX=true"
diff --git a/private/cameraserver.te b/private/cameraserver.te
index c16c132..ef44bfa 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,4 @@
 typeattribute cameraserver coredomain;
 
 init_daemon_domain(cameraserver)
+tmpfs_domain(cameraserver)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d489e73..c762fbb 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -22,7 +22,6 @@
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service
-    cameraserver_data_file
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
@@ -32,7 +31,7 @@
     device_config_input_native_boot_prop
     device_config_netd_native_prop
     device_config_reset_performed_prop
-    device_config_runtime_prop
+    device_config_runtime_native_prop
     device_config_service
     face_service
     face_vendor_data_file
@@ -82,6 +81,7 @@
     network_stack_tmpfs
     overlayfs_file
     permissionmgr_service
+    postinstall_apex_mnt_dir
     recovery_socket
     role_service
     rs
diff --git a/private/file_contexts b/private/file_contexts
index af9572d..eb45401 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -28,6 +28,7 @@
 /config             u:object_r:rootfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
@@ -456,7 +457,6 @@
 /data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
-/data/misc/cameraserver(/.*)?   u:object_r:cameraserver_data_file:s0
 /data/misc/carrierid(/.*)?      u:object_r:radio_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/dhcp-6\.8\.2(/.*)?     u:object_r:dhcp_data_file:s0
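Review bot: Removing the `/data/misc/cameraserver(/.*)?` entry together with the `cameraserver_data_file` type (public/file.te hunk at `@@ -291,7 +293,6 @@`) means a /data/misc/cameraserver directory that already exists on an upgrading device carries a label the new policy no longer knows, so it will be treated as `unlabeled` rather than relabeled. Nothing in this diff removes the init.rc `mkdir` that presumably created it, or cleans the directory up, so confirm a companion change handles that. If the directory is expected to remain, mapping it to an existing type in file_contexts (for example `camera_data_file`, which labels the neighbouring /data/misc/camera entry) would be the safer option than leaving it unlabeled.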
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 608ed9e..aea2faa 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -23,10 +23,14 @@
 
 # Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
 allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir mounton;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
 
 # Allow otapreopt_chroot to access /dev/block (needed to detach loop
 # devices used by ext4 images from APEX packages).
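Review bot: `allow otapreopt_chroot tmpfs:dir relabelfrom;` is not scoped to the new mount: it permits relabeling any tmpfs-labeled directory the domain can reach, while the comment above it only talks about /postinstall/apex. Because a freshly mounted tmpfs root is labeled tmpfs there is no finer type to name here, so the rule is probably unavoidable, but the comment should say so: `# A fresh tmpfs mount is labeled tmpfs, so relabelfrom cannot be narrowed to /postinstall/apex; relabelto is limited to postinstall_apex_mnt_dir.` Restoring the context presumably goes through libselinux, which also needs read access to file_contexts and selinuxfs; confirm those are already granted to this domain elsewhere rather than assumed by this hunk. The relabelto additionally relies on postinstall_apex_mnt_dir being allowed to associate with the tmpfs filesystem, which the generic file_type associate rule normally covers; worth verifying.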
diff --git a/private/property_contexts b/private/property_contexts
index 303832d..74134ac 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -172,7 +172,7 @@
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
 persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
 persist.device_config.netd_native.           u:object_r:device_config_netd_native_prop:s0
-persist.device_config.runtime.           u:object_r:device_config_runtime_prop:s0
+persist.device_config.runtime_native.        u:object_r:device_config_runtime_native_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
 persist.apexd.          u:object_r:apexd_prop:s0
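Review bot: After the rename there is no entry left for the old `persist.device_config.runtime.` prefix, so any writer still using it (an older component during an upgrade, or a previously persisted value) falls through to whichever broader prefix matches, and the set_prop/get_prop rules renamed elsewhere in this diff (system_server, zygote, flags_health_check) no longer apply to it. If the old namespace is intentionally dropped, a companion change clearing the persisted properties or a short comment here would make that explicit; if it must keep working, retain the old entry alongside the new one, `persist.device_config.runtime. u:object_r:device_config_runtime_native_prop:s0`.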
diff --git a/private/system_server.te b/private/system_server.te
index 1893494..1003994 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -585,7 +585,7 @@
 set_prop(system_server, device_config_input_native_boot_prop)
 set_prop(system_server, device_config_netd_native_prop)
 set_prop(system_server, device_config_activity_manager_native_boot_prop)
-set_prop(system_server, device_config_runtime_prop)
+set_prop(system_server, device_config_runtime_native_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -948,7 +948,7 @@
   device_config_activity_manager_native_boot_prop
   device_config_input_native_boot_prop
   device_config_netd_native_prop
-  device_config_runtime_prop
+  device_config_runtime_native_prop
 }:property_service set;
 
 # system_server should never be executing dex2oat. This is either
diff --git a/private/traced.te b/private/traced.te
index fb8465c..a3c5d8b 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -23,6 +23,7 @@
 # directly into that (rather than returning the trace contents over the socket).
 allow traced perfetto:fd use;
 allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
 allow traced perfetto_traces_data_file:file { read write };
 
 # Allow traceur to pass open file descriptors to traced, so traced can directly
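Review bot: The new `allow traced shell:fifo_file { read write };` carries no comment and `read` looks wider than the surrounding rules need: the block above describes traced writing trace output into fds passed in by shell, which only requires `write` on the pipe. If that is the only use, narrow it to `allow traced shell:fifo_file write;` with a comment such as `# Allow traced to write trace output into a pipe created by shell.`; otherwise document what traced reads from a shell-owned FIFO. The comment block this rule belongs to starts before the hunk.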
diff --git a/private/zygote.te b/private/zygote.te
index 073b7f8..9f8a348 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -126,8 +126,8 @@
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
-# Allow the zygote to access feature flag properties.
-get_prop(zygote, device_config_runtime_prop)
+# Allow the zygote to access the runtime feature flag properties.
+get_prop(zygote, device_config_runtime_native_prop)
 
 # ingore spurious denials
 dontaudit zygote self:global_capability_class_set sys_resource;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index fee4bdb..f4eed48 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -1,6 +1,7 @@
 # cameraserver - camera daemon
 type cameraserver, domain;
 type cameraserver_exec, system_file_type, exec_type, file_type;
+type cameraserver_tmpfs, file_type;
 
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
@@ -62,11 +63,6 @@
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 
-userdebug_or_eng(`
-  allow cameraserver cameraserver_data_file:dir { add_name write search remove_name };
-  allow cameraserver cameraserver_data_file:file { create write open read unlink };
-')
-
 # Allow shell commands from ADB for CTS testing/dumping
 userdebug_or_eng(`
   allow cameraserver su:fd use;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 7ae1b34..1ea0420 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -53,7 +53,7 @@
 allow dex2oat postinstall_file:file { execute getattr open };
 
 # Allow dex2oat access to /postinstall/apex.
-allow dex2oat tmpfs:dir search;
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/file.te b/public/file.te
index e0f67a4..a264c91 100644
--- a/public/file.te
+++ b/public/file.te
@@ -281,6 +281,8 @@
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
 type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
@@ -291,7 +293,6 @@
 type bootstat_data_file, file_type, data_file_type, core_data_file_type;
 type boottrace_data_file, file_type, data_file_type, core_data_file_type;
 type camera_data_file, file_type, data_file_type, core_data_file_type;
-type cameraserver_data_file, file_type, data_file_type, core_data_file_type;
 type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
 type incident_data_file, file_type, data_file_type, core_data_file_type;
 type keychain_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 5070393..b189b0a 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -4,7 +4,7 @@
 
 set_prop(flags_health_check, device_config_boot_count_prop)
 set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
 set_prop(flags_health_check, device_config_input_native_boot_prop)
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 46a02dd..2fac3e3 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -13,8 +13,8 @@
 allow postinstall_dexopt proc_filesystems:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
-# Read data from /postinstall/apex.
-allow postinstall_dexopt tmpfs:dir { read search };
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
 
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
 # here and having to relabel the directory.
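Review bot: The replacement rule drops `read` on the directory: the old `tmpfs:dir { read search }` allowed listing /postinstall/apex, while the new `postinstall_apex_mnt_dir:dir { getattr search }` only allows stat and path traversal. If postinstall_dexopt enumerates the mounted APEX directories rather than opening known paths, it will now be denied; confirm against the caller, or grant `{ getattr read search }` (equivalently `r_dir_perms`) to preserve the previous behaviour. The dex2oat hunk in public/dex2oat.te previously had only `search`, so its new `{ getattr search }` is a strict superset and does not have this issue.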
diff --git a/public/property.te b/public/property.te
index 04ee593..ffd8d95 100644
--- a/public/property.te
+++ b/public/property.te
@@ -33,7 +33,7 @@
 type device_config_reset_performed_prop, property_type;
 type device_config_input_native_boot_prop, property_type;
 type device_config_netd_native_prop, property_type;
-type device_config_runtime_prop, property_type;
+type device_config_runtime_native_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -406,7 +406,7 @@
     -device_config_boot_count_prop
     -device_config_input_native_boot_prop
     -device_config_netd_native_prop
-    -device_config_runtime_prop
+    -device_config_runtime_native_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
     -hwservicemanager_prop
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a468dd9..94f6a25 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -179,7 +179,7 @@
       -device_config_reset_performed_prop
       -device_config_input_native_boot_prop
       -device_config_netd_native_prop
-      -device_config_runtime_prop
+      -device_config_runtime_native_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop